Roundcube Community Forum


Security concerns - Uncovering an APT28 Roundcube Toolkit

Started by dutterman, March 18, 2026, 12:39:34 PM


dutterman

Hello,

I've been running RC for probably a decade and am really happy with the UI. But I wonder what I can do to increase security.
After reading: https://hunt.io/blog/operation-roundish-apt28-roundcube-exploitation it seems that even using the 2-factor authentication plugin, the webapp is vulnerable to exploits.

Is there any guidance on how to increase security to mitigate these risks?

JohnDoh

Based on the info in that article I'm not sure why you think 2FA would not help. A properly implemented MFA plugin will increase security but only to Roundcube login, if you use other IMAP clients then those would need their own solutions. For things like brute force login attempts you can also use tools like Fail2Ban.

The article is not about a login attack though, but instead about a CSS exploit which can then be used to get creds stored in a browser. Using browser cred stores is notoriously unsafe.

The article does not give the CVE id for the specific exploit but the devs do patch security issues when they are discovered (for example the changelog for 1.6.13 mentions "Fix CSS injection vulnerability reported by CERT Polska") and we don't know what version of Roundcube the people who wrote the article were using.

Like any web app, the best you can do is make sure you have it set up properly, the permissions are correct, and apply security updates when they come out.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...
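The brute-force angle JohnDoh mentions is what a Fail2Ban jail over Roundcube's userlogins log does: count failed logins per source IP inside a time window and ban the IP once a threshold is hit. The script below is an added illustration of that logic, not code from the forum thread, from Roundcube, or from Fail2Ban. The sample log lines are constructed here and their layout (the bracketed timestamp prefix and the "Failed login for USER from IP" message) is an assumption about Roundcube's log format; the function names, the `maxretry`/`findtime` parameters and the thresholds are also the example's own. In production you would let Fail2Ban do this with its roundcube-auth filter (check your installation's filter.d directory for the exact regex) rather than run a script.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed Roundcube "userlogins" log layout.
# One source (203.0.113.7) sprays five usernames in 15 seconds; another
# (198.51.100.20) has one success and two failures 24 minutes apart.
SAMPLE_LOG = """\
[18-Mar-2026 12:40:01 +0000]: <a1b2c3> Failed login for alice from 203.0.113.7 in session a1b2c3 (error: 0)
[18-Mar-2026 12:40:03 +0000]: <a1b2c3> Failed login for alice from 203.0.113.7 in session a1b2c3 (error: 0)
[18-Mar-2026 12:40:06 +0000]: <d4e5f6> Successful login for bob (ID: 12) from 198.51.100.20 in session d4e5f6
[18-Mar-2026 12:40:09 +0000]: <a1b2c3> Failed login for admin from 203.0.113.7 in session a1b2c3 (error: 0)
[18-Mar-2026 12:40:12 +0000]: <a1b2c3> Failed login for root from 203.0.113.7 in session a1b2c3 (error: 0)
[18-Mar-2026 12:40:15 +0000]: <a1b2c3> Failed login for postmaster from 203.0.113.7 in session a1b2c3 (error: 0)
[18-Mar-2026 12:41:00 +0000]: <g7h8i9> Failed login for carol from 198.51.100.20 in session g7h8i9 (error: 0)
[18-Mar-2026 13:05:00 +0000]: <j0k1l2> Failed login for carol from 198.51.100.20 in session j0k1l2 (error: 0)
"""

# Matches only failed-login lines; successful logins never match.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:.*?Failed login for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def parse_failures(log_text):
    """Return failed-login events as (timestamp, ip, user), oldest first."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S %z")
        events.append((ts, m.group("ip"), m.group("user")))
    events.sort(key=lambda e: e[0])
    return events


def find_offenders(log_text, maxretry=5, findtime=600):
    """Sliding-window count of failures per IP (Fail2Ban-style).

    An IP is reported when it accumulates `maxretry` failures within
    `findtime` seconds. Returns {ip: failures_in_window_at_ban_time}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    offenders = {}
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and ip not in offenders:
            offenders[ip] = len(q)
    return offenders


def targeted_users(log_text, ip):
    """Distinct usernames tried from one IP; many names from one IP is a spray."""
    return sorted({user for _ts, src, user in parse_failures(log_text) if src == ip})


if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {count} failures, users tried: {targeted_users(SAMPLE_LOG, ip)}")
```

Two failures 24 minutes apart from 198.51.100.20 never trip the default 600-second window, which is the point of pairing `maxretry` with `findtime`: a user who mistypes a password occasionally is not banned, while a source cycling through usernames in seconds is.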

SKaero

The other largest attack vector I see is social engineering, where emails are sent saying they are coming from "Roundcube". A simple and quick fix would be to change the name and logo shown to users so they are less likely to click on links claiming to be from Roundcube.