UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign
A spear phishing campaign targeting Polish entities has been observed, exploiting the CVE-2024-42009 vulnerability in Roundcube to steal user credentials. The campaign, attributed to UNC1151, involves sending emails with malicious JavaScript that installs a Service Worker in the victim's browser. This worker intercepts login attempts and sends credentials to the attackers. The exploit allows code execution when an email is opened. A new vulnerability, CVE-2025-49113, has also been discovered in Roundcube, potentially creating a more effective attack chain. The attackers use harvested credentials to analyze mailboxes, download address books, and spread further phishing messages. Organizations using Roundcube are advised to update their installations and review logs for indicators of compromise.
AI Analysis
Technical Summary
This threat involves a spearphishing campaign attributed to the threat actor UNC1151 targeting Polish entities by exploiting a critical vulnerability in the Roundcube webmail client, specifically CVE-2024-42009. Roundcube is a widely used open-source webmail solution deployed by many organizations for email access. The attack vector leverages malicious JavaScript embedded in spearphishing emails that, when opened, execute code allowing the installation of a Service Worker in the victim's browser. This Service Worker operates stealthily to intercept login attempts to Roundcube, capturing user credentials and transmitting them to attacker-controlled infrastructure. The exploit allows code execution simply upon opening the email, bypassing traditional security controls that rely on user interaction beyond opening the message. Additionally, a newly discovered vulnerability, CVE-2025-49113, in Roundcube may be chained with CVE-2024-42009 to create a more effective and persistent attack vector, potentially increasing the scope and impact of the campaign. After credential theft, UNC1151 uses the compromised accounts to analyze mailboxes, extract address books, and propagate further phishing emails internally, facilitating lateral movement and expanding their foothold within targeted organizations. The campaign employs advanced tactics such as service worker abuse (T1059.007), credential access (T1078), and spearphishing (T1566.001). Indicators of compromise include specific IP addresses, domains, URLs, and file hashes linked to the campaign. Organizations running Roundcube installations are urged to update their software promptly and conduct thorough log reviews for signs of compromise, such as unusual service worker registrations or unexpected login patterns.
Potential Impact
For European organizations, especially those in Poland and neighboring countries with significant Roundcube deployments, this threat poses a substantial risk to the confidentiality and integrity of email communications. Compromise of user credentials can lead to unauthorized access to sensitive corporate communications, intellectual property, and personally identifiable information. The attackers' ability to harvest address books and send further phishing emails internally increases the risk of widespread compromise within an organization, potentially leading to data breaches, financial fraud, and reputational damage. The exploitation of browser-based service workers for credential interception is particularly concerning as it bypasses many traditional endpoint security measures. Given the strategic importance of email systems in business operations and government communications, disruption or compromise could also impact availability indirectly through operational disruptions and incident response activities. The campaign's focus on Polish entities suggests a targeted geopolitical motive, but the underlying vulnerabilities and attack techniques could be leveraged against other European organizations using Roundcube, especially those with similar configurations or lacking timely patching.
Mitigation Recommendations
1. Immediate patching of Roundcube installations to address CVE-2024-42009 and CVE-2025-49113 vulnerabilities is critical. Organizations should monitor official Roundcube releases and apply updates without delay.
2. Conduct comprehensive log analysis focusing on unusual service worker registrations, anomalous login attempts, and suspicious outbound connections to known malicious domains or IPs such as those identified in the indicators.
3. Implement browser security policies that restrict or monitor service worker registrations, especially in corporate environments where webmail is accessed.
4. Enhance email filtering and spearphishing detection capabilities to identify and quarantine malicious emails before they reach end users, leveraging threat intelligence feeds that include UNC1151 indicators.
5. Enforce multi-factor authentication (MFA) for webmail access to reduce the risk of credential misuse even if passwords are compromised.
6. Educate users on the risks of spearphishing and the importance of reporting suspicious emails, emphasizing that opening an email alone can trigger exploitation.
7. Segment email infrastructure and restrict internal email forwarding to limit the spread of phishing campaigns within the organization.
8. Regularly audit and restrict permissions on mailboxes and address books to minimize data exposure in case of compromise.
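The log review called for in item 2, as an added example that is not part of the original advisory or of CERT Polska's analysis: a small Python scanner over constructed access-log lines in Apache combined format, extended with one assumed extra field carrying the request's Service-Worker header, which flags service-worker script fetches on the webmail origin and requests that involve the page's IoC domain, URL and IP address. It assumes the Roundcube deployment registers no legitimate service worker and that the webmail server and the forward proxy write the same format.

```python
import re
from urllib.parse import urlparse

# IoC values are taken from the page; every log line below is constructed sample data.
IOC_DOMAINS = {"a.mpk-krakow.pl"}
IOC_URLS = {"https://a.mpk-krakow.pl/creds"}
IOC_IPS = {"2001:67c:e60:c0c:192:42:116:216"}

# Apache "combined" format plus one assumed extra field: the request's Service-Worker
# header (%{Service-Worker}i). Browsers send "Service-Worker: script" only when fetching
# a script for navigator.serviceWorker.register(), so the field is a precise signal.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<sw>[^"]*)"$'
)

SAMPLE_LOG = """\
198.51.100.7 - - [05/Jun/2025:09:12:01 +0200] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [05/Jun/2025:09:12:03 +0200] "GET /?_task=mail&_action=get&_uid=42&_part=2 HTTP/1.1" 200 1873 "https://mail.example.test/" "Mozilla/5.0" "script"
203.0.113.9 - - [05/Jun/2025:09:15:44 +0200] "GET /skins/elastic/images/logo.svg HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [05/Jun/2025:09:16:10 +0200] "POST https://a.mpk-krakow.pl/creds HTTP/1.1" 200 12 "-" "Mozilla/5.0" "-"
2001:67c:e60:c0c:192:42:116:216 - - [06/Jun/2025:02:40:17 +0200] "POST /?_task=login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
"""

def parse(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def host_of(target):
    """Host of an absolute-form target (forward-proxy logs); '' for origin-form paths."""
    return urlparse(target).hostname or ""

def find_service_worker_fetches(lines):
    """(ip, target) for every fetch the browser flagged as a service-worker script.
    Assumes the webmail origin serves no legitimate service worker, so any hit is suspect."""
    return [(r["ip"], r["target"]) for r in map(parse, lines)
            if r and r["sw"].lower() == "script"]

def touches_ioc(r):
    """True when the request targets an IoC host/URL or comes from an IoC address."""
    return (r["ip"] in IOC_IPS or any(host_of(v) in IOC_DOMAINS or v in IOC_URLS
                                       for v in (r["target"], r["referer"])))

def find_ioc_hits(lines):
    """(ip, target) for IoC matches; the source-IP check catches stolen-credential logins."""
    return [(r["ip"], r["target"]) for r in map(parse, lines) if r and touches_ioc(r)]
```

Feed real logs through `find_service_worker_fetches` and `find_ioc_hits` after enabling the extra log field; a service-worker fetch with a referer on the webmail origin is the registration the advisory describes.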
Affected Countries
Poland, Germany, Czech Republic, Slovakia, Austria, Hungary
Indicators of Compromise
- cve: CVE-2024-42009
- cve: CVE-2025-49113
- hash: 70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149
- ip: 2001:67c:e60:c0c:192:42:116:216
- domain: a.mpk-krakow.pl
- url: https://a.mpk-krakow.pl/creds
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cert.pl/en/posts/2025/06/unc1151-campaign-roundcube
- Adversary: UNC1151
- Pulse Id: 68421bec34b6f0d3020dde66
- Threat Score: null
Threat ID: 684298b5182aa0cae2059206
Added to database: 6/6/2025, 7:28:53 AM
Last enriched: 7/7/2025, 5:58:38 PM
Last updated: 8/6/2025, 12:40:07 PM