Suspected Chinese snoops caught breaking into universities’ Roundcube mailservers
Suspected Chinese snoops caught breaking into universities’ Roundcube mailservers
Publish Date: 2026-07-08 17:35:00
Source Domain: www.theregister.com
Security
Proofpoint researcher tells The Reg: ‘We estimate the total volume of targets would be a few dozen’
Suspected Chinese spies have been breaking into major US and Canadian universities since May, exploiting vulns in Roundcube mailservers to steal data belonging to physics and engineering administrators and professors, according to Proofpoint threat researchers.
Proofpoint directly observed “less than 10” universities targeted in these intrusions, Greg Lesnewich, principal threat research engineer at Proofpoint, told The Register. “We estimate the total volume of targets would be a few dozen universities, but stress that this is at best a guess, not substantiated by our data.”
While the most recent sighting occurred in early June, “we believe it is likely that the campaign is ongoing,” Lesnewich said.
The email security shop tracks the crew as UNK_MassTraction, and says that it focuses on individuals in departments with national security ties or in astrophysics and particle physics – all topics that support Beijing’s intelligence-gathering goals and, as such, are frequently targeted by government-backed cyber goons.
To gain initial access, the intruders exploit CVE-2024-42009, a cross-site scripting vulnerability in Roundcube that only requires that the email is opened in the mail client to achieve access to the server.
“The targeted departments were likely specifically chosen because they were all running [vulnerable] versions of Roundcube … indicating that UNK_MassTraction had conducted reconnaissance into the targets prior to conducting the campaign,” the threat hunters wrote in a Tuesday blog.
While the espionage activity is similar to an earlier campaign disclosed by Trellix that used a filename parsing vulnerability to deliver VShell malware, a Go-based backdoor used primarily by Chinese APT groups for remote access, file operations, and post-exploitation…