HomeMalware & ThreatsChinese Cyberespionage Targets University Roundcube Servers

Chinese Cyberespionage Targets University Roundcube Servers

Published on

spot_img

Espionage Campaign Targets University Departments with Advanced Cyber Tactics

A sophisticated cyber-espionage campaign has recently come to light, revealing that an unknown hacking group has been targeting physics and engineering departments within American and Canadian universities. This initiative particularly focuses on academic fields related to national security, astrophysics, and particle physics, raising serious concerns among researchers and educational institutions alike.

The group, believed to be affiliated with a state actor from China, has been designated as UNK_MassTraction by security firm Proofpoint. Initial findings indicate that this cyber attacking group employs a multi-faceted strategy that strings together several publicly disclosed vulnerabilities within the Roundcube mail server, primarily to pilfer user credentials. Following this breach, the attackers deploy malware to maintain access and control over the compromised systems.

The cybercriminals exploit a cross-site scripting (XSS) vulnerability—specifically noted as CVE-2024-42009—in the Roundcube mail client. This vulnerability allows them to execute a JavaScript payload, which is capable of capturing credentials saved in the user’s browser. Furthermore, they exploit a deserialization flaw, identified as CVE-2025-49113, that can lead to remote code execution. These coordinated maneuvers showcase the attackers’ adeptness at utilizing known vulnerabilities to establish a foothold within their targeted networks.

Organizations targeted by these hackers were reportedly utilizing unpatched versions of the Roundcube client, thus making them susceptible to an attack merely by opening a phishing email. Given the specificity and sophistication of the breach, researchers from Proofpoint suggest that reconnaissance of the institutions likely occurred prior to launching the campaign, highlighting the calculated nature of the operation.

The severity of the XSS vulnerability is underscored by its Common Vulnerability Scoring System (CVSS) rating of 9.3. This metric indicates the gravity of the flaw, which stems from Roundcube’s inability to adequately strip malicious JavaScript from email contents before rendering them in the web-based interface. This shortfall allows for the execution of a loader for a subsequent malicious payload that could compromise the system further.

Evidence also indicates that early indicators of this campaign included Chinese language elements found in HTML bodies of phishing messages. This linguistic footprint raises questions about the origins of the threat and its ties to a broader framework of Chinese cyber-espionage.

The loading mechanism introduces a JavaScript stealer, known as IceCube. This malware is designed to accumulate logins, cookies, two-factor authentication data, and necessary browser settings. What is particularly notable about IceCube is its construction; the script is cluttered with single-line comments reminiscent of AI-generated code, suggesting it may have been created using sophisticated coding technology or large language models.

Following the initial phase of the attack, IceCube uses the session’s cross-site request forgery (CSRF) token to take advantage of the aforementioned deserialization vulnerability. This allows the malware to either install a PHP web shell titled SquareShell, facilitating long-term remote access, or to deploy a Go-based VShell backdoor directly into the system’s memory.

The involvement of Go programming language in these hacker tools is consistent with other cyber campaigns attributed to China’s hacking factions, indicating a shared arsenal of malicious tools. Proofpoint’s analysis further points to virtual private server (VPS) IP addresses being linked to multiple Chinese threat actors, establishing a network of cyber espionage facilitated by these shared resources.

A more detailed dissection of IceCube reveals that it attempts to send PHP serialized data that contains PHP “gadgets” to Roundcube’s database. The consequence of this action is that, upon deserialization, the embedded commands can execute, thereby compromising the system.

In scenarios where the web shell deployment encounters failure, a fallback plan implemented by the attackers last month provides an alternative. This includes the utilization of a shell script that instigates an architecture-specific ELF loader recognized as Snowlight.

Moreover, the malware has the capability to track user mouse movements to execute code before a session is disrupted. Should a user attempt to navigate away from the compromised page or close the tab, the malware intercepts these actions to re-initiate the deserialization attack. Furthermore, the malware implements measures to erase forensic evidence from the Roundcube server to obscure its activities.

As the academic community grapples with these emerging threats, the need for vigilant cybersecurity measures has never been clearer. Institutions must ensure that all software is promptly updated to mitigate vulnerabilities and resist such advanced cyber threats that endanger sensitive research and the integrity of academic environments.

Source link

Latest articles

The Evolving Role of the CISO as the Future CFO

The Pressing Question of Cybersecurity Assurance: Is the CISO Role Sustainable? In the fast-evolving landscape...

Why the Gentlemen Ransomware Challenges Identity and Recovery Controls

Emerging Threat: The Gentlemen Ransomware Group Targeting Enterprises Globally A recent report by cybersecurity firm...

Visa Threat Platform Tackles Payment Fraud

Visa Launches Advanced Threat Intelligence Platform to Combat Payment Fraud In a significant move to...

Hackers Take Advantage of Critical Adobe ColdFusion Vulnerability

Adobe Urges ColdFusion Users to Address Critical Vulnerabilities Immediately In a significant move aimed at...

More like this

The Evolving Role of the CISO as the Future CFO

The Pressing Question of Cybersecurity Assurance: Is the CISO Role Sustainable? In the fast-evolving landscape...

Why the Gentlemen Ransomware Challenges Identity and Recovery Controls

Emerging Threat: The Gentlemen Ransomware Group Targeting Enterprises Globally A recent report by cybersecurity firm...

Visa Threat Platform Tackles Payment Fraud

Visa Launches Advanced Threat Intelligence Platform to Combat Payment Fraud In a significant move to...