As reported by The Register, suspected Chinese intelligence operatives have been actively compromising major universities in the United States and Canada since May, leveraging vulnerabilities in Roundcube mail servers to exfiltrate sensitive data from physics and engineering departments.The threat actor, tracked by Proofpoint as UNK_MassTraction, exploits CVE-2024-42009, a cross-site scripting vulnerability in Roundcube, to gain initial access. This vulnerability allows attackers to steal credentials, session tokens, and cookies once a user opens a specially crafted email in the webmail client. The attackers then use a deserialization exploit, CVE-2025-49113, to install a webshell called SquareShell and a VShell implant, enabling remote code execution. Proofpoint observed "less than 10" universities directly targeted, but estimates the total number could be in the dozens. The targeted departments, focusing on areas like astrophysics and particle physics, suggest intelligence-gathering motives aligned with Beijing's goals.The campaign's sophistication, including reconnaissance and the use of shared infrastructure with other China-aligned actors, indicates a moderately aware threat actor. The attack chain begins with generic phishing emails, potentially broadening the targeting scope beyond what Proofpoint has directly observed.Source: The Register
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




