Microsoft Outlook Webmail alternatives are under attack in Europe

“Webmail servers like Roundcube and Zimbra have been the main targets of multiple spy groups such as Sednit, GreenCube and Winter Vivern over the past two years,” said Faou of ESET. “Because many organizations have not kept their webmail servers up to date, and because vulnerabilities can be triggered remotely by sending emails, it is very convenient for attackers to target these servers for email theft.”
He said the most important thing for CISOs is to keep webmail applications up to date. “While we did mention the use of a zero-day vulnerability in the study, in most of the events we analyzed, the vulnerabilities were known ones that had been patched for several months. Another path to hardening, which may be too extreme for most organizations, is prohibiting HTML content in emails, but that prevents certain functionality, such as forms and hyperlinks.”
He said webmail can be described as a website that displays untrusted HTML content in a browser. Although most webmail systems sanitize content to remove harmful HTML elements that may execute JavaScript code, ESET’s research shows that sanitizers are not without flaws and that attackers are able to bypass them. As a result, by sending specially crafted emails, an attacker can execute arbitrary JavaScript code in the context of the target’s browser, he said. While this doesn’t lead to a compromise of the computer, he notes that JavaScript code executing in the context of a browser can steal information from a mailbox, such as emails or contact lists.
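
The hardening option mentioned above, prohibiting HTML content in emails, can be illustrated with a text-only renderer. The following Python code is an added example, not code from ESET or from any webmail project. The names `TextOnly`, `render_plaintext` and `SAMPLE_HTML_ONLY` are hypothetical, and the sample message is constructed.

```python
import html
from email import message_from_bytes, policy
from html.parser import HTMLParser

class TextOnly(HTMLParser):
    """Keep visible text only; every tag and attribute is discarded."""
    def __init__(self):
        super().__init__()
        self.out, self.skip, self.href = [], 0, None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1                      # drop the element body too
        elif tag == "a":
            self.href = dict(attrs).get("href")
        elif tag == "br":
            self.out.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag == "a" and self.href:
            self.out.append(f" [{self.href}]")  # link survives as inert text
            self.href = None
        elif tag in ("p", "div", "li", "tr"):
            self.out.append("\n")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

def render_plaintext(raw: bytes) -> str:
    """Return an HTML-escaped, text-only body for display inside <pre>."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:                        # prefer the text/plain part
        return html.escape(part.get_content().strip())
    part = msg.get_body(preferencelist=("html",))
    parser = TextOnly()
    parser.feed(part.get_content() if part is not None else "")
    parser.close()
    return html.escape("".join(parser.out).strip())

# Constructed sample: an HTML-only message with benign markup.
SAMPLE_HTML_ONLY = (
    b"Subject: demo\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<p>Hello <b>team</b></p><script>ignored()</script>"
    b'<a href="https://example.com/x">report</a>'
)
```

No sender-supplied markup reaches the browser, so there is nothing for a sanitizer to miss. The cost is the one named in the quote: links are shown as text rather than rendered as hyperlinks, and forms disappear.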