HomeSecurity ArchitectureSuspected Chinese Spies Discovered Breaching Universities' Roundcube Mailservers

Suspected Chinese Spies Discovered Breaching Universities’ Roundcube Mailservers

Published on

spot_img

Security Investigation Uncovers Chinese Espionage Activities Targeting Academic Institutions

Recent findings from Proofpoint, a prominent cybersecurity firm, reveal that suspected Chinese espionage activities have been infiltrating various major universities across the United States and Canada since May. These breaches, sourced from vulnerabilities in Roundcube mailservers, have primarily aimed to extract sensitive data from administrators and professors in the disciplines of physics and engineering.

In discussions with The Register, Greg Lesnewich, a principal threat researcher at Proofpoint, disclosed that they have directly observed “less than 10” universities being targeted in these intrusions. However, he estimated that the total number of affected institutions could reach a few dozen, although he was careful to underscore that this figure is speculative and not explicitly supported by concrete data. With the last known intrusions occurring in early June, Lesnewich expressed concern that this campaign could very well be ongoing.

The cybersecurity firm has categorized the group behind these attacks as UNK_MassTraction. This group has predominantly concentrated its efforts on individuals working in departments closely associated with national security and specialized fields such as astrophysics and particle physics. These subjects, which hold significant intelligence-gathering potential, have frequently become focal points for government-backed cyber actors from China.

To gain initial access to targeted systems, the attackers exploit CVE-2024-42009, a cross-site scripting vulnerability in Roundcube. This particular exploit requires the targeted email merely to be opened in the vulnerable mail client, allowing unrestricted access to the server. According to Proofpoint’s analysis, this choice of targets suggests an intricate level of reconnaissance, as the affected departments were all operating versions of Roundcube that were vulnerable.

The tactics employed by UNK_MassTraction closely resemble prior cyber campaigns, although Proofpoint noted that it couldn’t definitively connect this malicious activity to past operations carried out by other groups. In particular, an earlier campaign reported by Trellix, which utilized a filename parsing vulnerability to deploy VShell malware, shares similarities but remains unlinked to the current group under investigation.

The Mechanics of the Attack

The groundwork of the UNK_MassTraction attack chain initiates with the dispatch of phishing emails targeting university departments. These emails are sent from both compromised legitimate senders and domains susceptible to spoofing. According to Proofpoint’s threat research, the phishing lures are generally uninspired, sometimes masquerading as university marketing communications. This strategy may allow for a broader targeting approach and increase the likelihood of the correspondence being opened without scrutiny.

Once a recipient opens the malicious email, it triggers the aforementioned CVE-2024-42009 exploit, which manipulates a desanitization flaw to permit remote attackers to abscond with messages and sensitive information. The exploit utilizes a JavaScript loader embedded within the email body, facilitating the deployment of a sophisticated data-stealing software known as IceCube.

IceCube adeptly circumvents Roundcube’s iFrame settings through a technique called DOM traversal, securing access to the Document Object Model (DOM) within the browser and the active Roundcube session. The malicious software then commences the gathering of usernames, passwords, session tokens, and cookies while also conducting reconnaissance on critical browser parameters like language settings, screen dimensions, and other relevant form field values.

This information is transmitted to the attacker’s command-and-control servers through HTTP POST requests. In a further escalation of their attack, the intruders utilize the compromised session’s CSRF token to exploit an additional vulnerability in Roundcube, a deserialization exploit labeled CVE-2025-49113. This enables the installation of a webshell known as SquareShell, granting remote code execution capabilities and facilitating further breaches via a VShell implant.

Proofpoint has actively scanned for signs of SquareShell presence on affected servers and has coordinated efforts with various government and industry stakeholders to inform the compromised institutions. As of June, researchers noted a more sophisticated fallback mechanism introduced by the attackers in case their initial webshell deployment failed, aiming to ensure continuity of access to the compromised systems.

Ongoing Connections to State-Sponsored Threat Actors

Additionally, the research team has identified instances of virtual private server IP addresses embedded within the phishing emails, which are linked to a covert infrastructure likely shared among various entities aligned with Chinese interests.

This array of intrinsic links, alongside the targeted nature of the espionage, the utilization of VShell, and the recognizable Chinese-language artifacts in the phishing messages, leads Proofpoint’s analysts to conclude that UNK_MassTraction is a China-aligned threat actor with potentially significant operational proficiency. This ongoing investigation raises the alarm about the strategic vulnerabilities faced by academic institutions and the broader implications of foreign-sponsored cyber espionage in sensitive research areas.

As the campaign continues to evolve, it underscores the pressing need for robust cybersecurity protocols and heightened vigilance within vulnerable sectors, particularly in institutions that are pivotal to national security.

Source link

Latest articles

CISA Includes FortiSandbox Vulnerabilities in KEV Catalog

Incident & Breach Response, Security Operations Agencies Have Until Sunday to Patch...

Guidelines for Safe GitHub Usage

Cybercriminals Exploit GitHub's Popularity to Distribute Malware Through Fake Repositories In an alarming trend, cybercriminals...

The Gentlemen Surpasses Qilin as the Most Prolific Ransomware Threat

Shift in the Ransomware Landscape: The Rise of The Gentlemen In a notable transformation within...

AI Tackles the Cyclospora Outbreak

Labs Employ AI to Accelerate Testing Amid Cyclospora Outbreak As the summer of 2026 unfolds,...

More like this

CISA Includes FortiSandbox Vulnerabilities in KEV Catalog

Incident & Breach Response, Security Operations Agencies Have Until Sunday to Patch...

Guidelines for Safe GitHub Usage

Cybercriminals Exploit GitHub's Popularity to Distribute Malware Through Fake Repositories In an alarming trend, cybercriminals...

The Gentlemen Surpasses Qilin as the Most Prolific Ransomware Threat

Shift in the Ransomware Landscape: The Rise of The Gentlemen In a notable transformation within...