A China-aligned threat group, identified as UNK_MassTraction, has been exploiting vulnerable Roundcube mail servers at universities in the US and Canada. The attackers are targeting physics and engineering departments potentially linked to national security. Utilizing known vulnerabilities, they gained access to mail servers for credential theft and further network infiltration rather than just email data theft.
The campaign includes phishing emails with malicious content exploiting a cross-site scripting vulnerability (CVE-2024-42009). They deployed a JavaScript payload, IceCube, for stealing authentication data and used various techniques, including server-side exploitations and webshell installations. Notably, they installed the VShell backdoor for continued access, indicating an espionage motive. Proofpoint advises enhanced security measures for mail servers, likening their importance to that of VPNs and remote access nodes.