AI Security AI安全 3d ago Updated 3d ago 更新于 3天前 48

Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities 疑似与中国结盟的黑客利用Roundcube漏洞攻击大学

Suspected China-aligned threat cluster UNK_MassTraction exploited critical Roundcube vulnerabilities (CVE-2024-42009 and CVE-2025-49113) to target US and Canadian university physics and engineering departments. The attack chain utilizes a custom JavaScript payload named IceCube to steal credentials, 2FA tokens, and cookies, followed by remote code execution to deploy web shells or the VShell remote administration tool. This campaign marks the first known instance of Chinese actors exploiting Rou 疑似中国关联黑客组织 UNK_MassTraction 利用 Roundcube 邮件系统的未修补高危漏洞(CVE-2024-42009 和 CVE-2025-49113)针对美加高校物理及工程部门进行攻击。 攻击链包含名为 IceCube 的 JavaScript 恶意载荷,用于窃取凭据、Cookie 及 2FA 信息,并通过 CSRF 令牌触发远程代码执行以部署持久化后门。 攻击者部署了 SquareShell Webshell 或 VShell 远程管理工具,若失败则通过 SNOWLIGHT ELF 加载器执行备用方案,显示工具链的成熟性与共享性。 这是首次发现中国黑客团伙利用 Roun

75
Hot 热度
65
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Suspected China-aligned threat cluster UNK_MassTraction exploited critical Roundcube vulnerabilities (CVE-2024-42009 and CVE-2025-49113) to target US and Canadian university physics and engineering departments.
  • The attack chain utilizes a custom JavaScript payload named IceCube to steal credentials, 2FA tokens, and cookies, followed by remote code execution to deploy web shells or the VShell remote administration tool.
  • This campaign marks the first known instance of Chinese actors exploiting Roundcube flaws, traditionally associated with Russian state-sponsored groups, indicating a shift in TTPs.
  • Defenders must treat mail servers as critical edge infrastructure, prioritizing patch management and monitoring for lateral movement via compromised email clients.

Why It Matters

This incident highlights a significant evolution in threat actor tactics, as Chinese-aligned groups are now actively targeting and exploiting open-source email infrastructure previously dominated by Russian adversaries. For AI and cybersecurity practitioners, it underscores the critical risk posed by unpatched third-party components in high-value academic and research environments, demonstrating how email clients can serve as initial pivot points for deeper network intrusions.

Technical Details

  • Vulnerabilities Exploited: The campaign leveraged CVE-2024-42009 (CVSS 9.3), an XSS flaw requiring only email opening, and CVE-2025-49113 (CVSS 9.9), a post-authenticated RCE flaw used to gain server footholds.
  • Payload Mechanics: The IceCube JavaScript payload performs reconnaissance (browser language, screen size), steals session data including CSRF tokens, and sets up "deferred triggers" to re-attempt exploitation if the user navigates away or logs out.
  • Post-Exploitation Tools: Successful exploitation leads to the deployment of SquareShell (a PHP web shell) or VShell (a Go-based RAT similar to Cobalt Strike). A fallback mechanism uses an ELF loader named SNOWLIGHT to deliver VShell if the web shell fails.
  • Evasion Techniques: The malware destroys user and malware-initiated sessions upon completion or timeout to erase forensic evidence, and uses generic lures with spoofed or compromised senders to bypass lax DMARC policies.

Industry Insight

  • Shift in Targeting: Organizations should update threat intelligence models to account for Chinese actors increasingly targeting academic and scientific institutions through supply chain or common software vulnerabilities, not just traditional espionage vectors.
  • Email Security Hardening: Mail servers must be secured with the same rigor as VPN concentrators; this includes strict patching schedules for open-source components like Roundcube, robust DMARC implementations, and behavioral monitoring for anomalous JavaScript execution within email clients.
  • Tool Sharing Ecosystems: The reuse of tools like SNOWLIGHT and VShell across different threat clusters suggests a growing ecosystem of shared, private malware kits among nation-state actors, necessitating broader detection signatures rather than cluster-specific ones.

TL;DR

  • 疑似中国关联黑客组织 UNK_MassTraction 利用 Roundcube 邮件系统的未修补高危漏洞(CVE-2024-42009 和 CVE-2025-49113)针对美加高校物理及工程部门进行攻击。
  • 攻击链包含名为 IceCube 的 JavaScript 恶意载荷,用于窃取凭据、Cookie 及 2FA 信息,并通过 CSRF 令牌触发远程代码执行以部署持久化后门。
  • 攻击者部署了 SquareShell Webshell 或 VShell 远程管理工具,若失败则通过 SNOWLIGHT ELF 加载器执行备用方案,显示工具链的成熟性与共享性。
  • 这是首次发现中国黑客团伙利用 Roundcube 漏洞,此前该漏洞多被俄罗斯国家支持的黑客滥用,标志着威胁格局的变化。
  • 攻击者利用“延迟触发”机制监控用户行为以确保持续感染,并在完成后销毁会话证据,凸显了邮件服务器作为网络入口点的严重安全风险。

为什么值得看

本文揭示了针对学术科研机构的新型高级持续性威胁(APT)手法,展示了攻击者如何利用开源邮件软件的供应链弱点进行精准打击。对于安全从业者而言,它强调了邮件服务器不应仅被视为通信工具,而应作为关键边缘设备进行同等强度的防护,特别是在面对利用 N-day 漏洞的复杂攻击链时。

技术解析

  • 初始访问与漏洞利用:攻击者首先通过伪造或劫持的域名发送钓鱼邮件,利用 Roundcube 中的跨站脚本(XSS)漏洞 CVE-2024-42009 (CVSS 9.3)。受害者只需在客户端打开邮件即可触发任意 JavaScript 代码执行,无需额外交互。
  • 凭证窃取与侦察:恶意载荷 IceCube 运行在浏览器上下文中,窃取存储的凭据、Cookie 和 2FA 令牌,并收集浏览器语言、屏幕尺寸等环境信息。随后通过 HTTP POST 将数据发送至外部 C&C 服务器。
  • 权限提升与持久化:利用窃取的 CSRF 令牌,IceCube 触发第二个漏洞 CVE-2025-49113 (CVSS 9.9),这是一个已认证后的远程代码执行漏洞。攻击者尝试在内存中注入 SquareShell Webshell 或 VShell。
  • 备用执行链:若 Webshell 部署失败,攻击链会回退到通过 Shell 脚本执行 ELF 加载器 SNOWLIGHT。该脚本可适配主机架构并下载执行 SNOWLIGHT,此工具链与以往中国关联集群 UNC5174 的活动有关联。
  • 反取证与持续控制:IceCube 设置“延迟触发”钩子,监测标签页切换、鼠标移出或登出按钮点击等行为,重新尝试利用漏洞并向 C&C 报告。最终,恶意软件会销毁服务器上的用户和恶意会话,清除数字取证痕迹。

行业启示

  • 邮件基础设施安全加固:组织必须将邮件服务器视为关键边缘资产,实施与 VPN 网关同等严格的安全策略,包括及时修补已知漏洞、强化 DMARC 策略以防止域名欺骗,以及部署先进的邮件网关检测机制。
  • 关注开源组件供应链风险:Roundcube 等广泛使用的开源软件一旦存在高危漏洞,可能成为大规模攻击的跳板。企业应建立严格的软件版本管理机制,避免使用存在已知 N-day 漏洞的旧版本,并监控相关 CVE 的动态。
  • 威胁情报驱动的防御升级:鉴于中国关联黑客开始涉足此前由俄罗斯黑客主导的攻击领域,安全团队需更新威胁情报库,识别新的工具特征(如 IceCube, VShell, SNOWLIGHT),并加强对特定高价值目标(如科研机构)的网络监控和异常行为检测。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Open Source 开源