Researchers at Proofpoint have identified an ongoing campaign by a suspected China-aligned threat cluster exploiting Roundcube webmail software to target university departments. The attacks focus on physics and engineering faculties at institutions in the United States and Canada, with the activity assessed as likely continuing.
The campaign exploits critical, now-patched vulnerabilities in the open-source email solution, including CVE-2024-42009, which carries a CVSS score of 9.3. Proofpoint's analysis indicates the attackers are using an exploit chain to burrow into targeted systems, with credential theft as the primary objective.
Technical details reveal the attack vector leverages these Roundcube flaws to siphon login credentials from compromised webmail interfaces. While specific indicators of compromise were not disclosed, researchers emphasized the exploit chain allows persistent access to affected systems.
Patches for CVE-2024-42009 and associated vulnerabilities have been available since July 2024. Proofpoint urges affected institutions to apply updates immediately and monitor for signs of unauthorized access, as the campaign remains active.
The threat cluster's suspected alignment with Chinese state interests has not been independently confirmed, but the targeting of sensitive academic research aligns with prior espionage patterns. Proofpoint warned that the campaign's ongoing nature suggests additional victims may emerge.