China-Aligned Hackers Target Universities Via Roundcube Exploits
A suspected China-aligned threat group has been observed exploiting critical security flaws in the open-source Roundcube webmail software, targeting physics and engineering departments at U.S. and Canadian universities. This new campaign, detailed in a report by cybersecurity firm Mandiant, leverages vulnerabilities such as CVE-2024-42009, which carries a CVSS score of 9.3, to gain unauthorized access and exfiltrate sensitive information. The attackers aim to steal user credentials, which can then be used for further network intrusion and espionage activities.
The observed exploitation campaign specifically targets academic institutions, suggesting a potential motive related to intellectual property theft or intelligence gathering. Mandiant's analysis indicates that the threat actors have been active since at least May 2024, utilizing the compromised Roundcube instances as a pivot point to access internal university networks. The specific vulnerabilities exploited were patched by the Roundcube project in August 2024, but the ongoing attacks highlight the persistent threat posed by unpatched systems.
Roundcube is a widely used web-based email client, and its open-source nature makes it a common target for attackers seeking to exploit widespread vulnerabilities. The attackers are believed to be part of a sophisticated group with nation-state backing, given the nature of the targets and the methods employed. The campaign underscores the ongoing challenges universities face in securing their IT infrastructure against advanced persistent threats (APTs).
Mandiant has attributed this activity to a cluster they track as UNC4859, which exhibits characteristics consistent with other China-aligned threat groups. The firm recommends that organizations using Roundcube ensure their software is updated to the latest patched versions and implement robust security measures, including multi-factor authentication and network segmentation, to mitigate the risk of similar attacks. The ongoing nature of these exploits emphasizes the need for continuous vigilance and rapid patching of known vulnerabilities within academic and research institutions.
Original source — read the full reporting at the publisher:
Read on The Hacker News