Roundcube Cyber Attack on Universities by Chinese Spies: Targeting Physics and Engineering

According to a new cyber espionage campaign uncovered by Proofpoint security researchers, hackers suspected of being linked to China have been infiltrating major universities in the USA and Canada since May. The attackers exploit vulnerabilities in the Roundcube email servers used by the universities to gain access to the systems. The primary targets of these attacks are administrators and professors in the physics, engineering, astrophysics, and particle physics departments. It is noted that these academic fields have been specifically selected in line with Beijing's intelligence-gathering objectives and are frequently targeted by state-sponsored cyber groups. Researchers state that they have directly observed fewer than 10 universities being attacked, but they estimate that the total number of targets could involve dozens of universities.
The attack chain begins with generic and deceptive phishing emails sent to employees of the victim organizations, appearing as university marketing messages. The attackers send these emails through compromised accounts of real users or spoofable domain names, allowing the emails to bypass firewalls. Once the user opens the email in their web client, the cross-site scripting (XSS) vulnerability in Roundcube, named CVE-2024-42009, is triggered. This vulnerability grants the attacker access to the server simply by opening the email, without requiring the user to click on any link. Researchers note that these situations demonstrate that the targeted units were predetermined and deliberately chosen, as all these departments were running vulnerable versions of Roundcube.
After initial access is achieved, the attack continues with a quite sophisticated very stealing (data theft) mechanism. The JavaScript loader, which runs upon the email being opened, downloads a powerful malware named IceCube onto the target computer. IceCube bypasses Roundcube's security boundaries to access the browser's entire Document Object Model (DOM) and the user's session information. At this stage, the malware steals critical authentication data such as usernames, passwords, session tokens, and cookies. Furthermore, it conducts reconnaissance activities by gathering environmental information like browser language, screen size, and form fields, transmitting this data to the attacker's command and control servers via the HTTP POST method.
The most critical phase of the attack occurs when stolen session data is used to establish a persistent backdoor on the system. The IceCube malware exploits another vulnerability in Roundcube called CVE-2025-49113, which abuses the deserialization process, by using the hijacked CSRF token. Thanks to this new vulnerability, attackers deploy a webshell (backdoor) named SquareShell and an implant named VShell, allowing remote code execution on the server. VShell is a known type of backdoor written in the Go programming language, specifically used by Chinese APT groups for remote access, file operations, and post-exploitation control. Proofpoint adds that the attackers ensure the operation continues uninterrupted by creating an alternative access channel in case the webshell installation fails.
Security teams have determined that the virtual private server (VPS) IP addresses examined in the headers of the captured phishing emails, along with the infrastructure used, are directly linked to other pro-China cyber threat actors. Additionally, the fact that the backup software used in the attacks, SnowLight, has been previously used by Chinese groups, and the presence of Chinese language structures in the phishing emails, further reinforces suspicions. In light of all this evidence, Proofpoint assesses that this group, which they named UNK_MassTraction, is a China-backed state espionage group with a moderate level of operational security awareness. While the attacks were last observed in early June and are believed to likely still be ongoing, researchers are collaborating with government and industry partners to notify the identified victims of the situation.
この記事について質問
回答はこの記事のみからAIが生成します。