Connect with us

CyberSecurity

Suspected Chinese Hackers Target University Email Systems Through Roundcube Vulnerabilities

Published

on

Roundcube exploit universities

A Targeted Assault on Academic Email

A threat group with suspected ties to China has been caught exploiting known vulnerabilities in Roundcube, an open-source webmail platform, to steal login credentials from universities. The campaign specifically hit physics and engineering departments at institutions in the United States and Canada.

The attackers zeroed in on a critical flaw—tracked as CVE-2024-42009 and carrying a CVSS severity score of 9.3 out of 10—that had already been patched by Roundcube developers. That didn’t stop the hackers. They weaponized the bug to siphon usernames and passwords from targeted email accounts, likely aiming to monitor sensitive communications or pivot into deeper network access.

This isn’t a spray-and-pray operation. The choice of departments suggests a deliberate focus on research tied to defense, aerospace, and advanced engineering—fields where intellectual property and classified data often intersect.

How the Roundcube Attack Worked

The exploit chain relied on a stored cross-site scripting (XSS) vulnerability in Roundcube’s handling of SVG (Scalable Vector Graphics) attachments. By sending a specially crafted email containing a malicious SVG file, the attacker could execute arbitrary JavaScript in the victim’s browser when the message was viewed.

Once the script ran, it could:

  • Capture session cookies and authentication tokens.
  • Redirect the user to a fake login page that harvested credentials.
  • Exfiltrate the stolen data to an attacker-controlled server.

The flaw, discovered and reported by security researchers at SonarSource in July 2024, was patched in Roundcube version 1.6.8 and 1.5.8. Yet many university IT departments, often stretched thin, had not applied the update in time.

CVE-2024-42009: A Critical Weakness

CVE-2024-42009 is a classic case of insufficient input sanitization. Roundcube failed to properly filter SVG elements within HTML emails, allowing attackers to inject JavaScript that the browser would trust as part of the same origin. No user interaction beyond opening the email was required—a dangerous combination.

The CVSS 9.3 rating reflects the ease of exploitation and the potential for complete compromise of email accounts. For universities, the stakes are high: compromised email can lead to leaked grant proposals, unpublished research, and even credentials for adjacent systems like VPNs or internal file servers.

Why Universities Are Prime Targets for Espionage

Academic institutions have long been a soft target for state-sponsored hackers. Their networks are open by design—meant for collaboration and data sharing—but often lack the cybersecurity budgets of government agencies or private corporations.

Physics and engineering departments are particularly attractive. They host cutting-edge research in quantum computing, artificial intelligence, propulsion systems, and materials science. A single compromised professor’s inbox could yield months of sensitive correspondence with defense contractors or national labs.

This campaign mirrors earlier operations by groups like APT41 and TA413, which have also targeted academic email systems using webmail exploits. The pattern is clear: find a common, internet-facing application, weaponize a known vulnerability, and go after high-value users.

Patch Management Remains a Persistent Problem

The attackers didn’t use a zero-day. They used a bug that had a public fix for weeks. Yet they still found victims. That points to a systemic issue in how organizations—especially universities—handle patch management.

Roundcube is widely deployed because it’s free and relatively simple to run. But many IT teams treat it as a set-it-and-forget-it service. When critical updates arrive, they may sit in a queue for months, especially during summer breaks or semester transitions.

Security experts recommend:

  • Enabling automatic updates for Roundcube where possible.
  • Conducting weekly scans of webmail interfaces for known CVEs.
  • Segmenting email servers from other critical infrastructure.

For universities, the lesson is harsh but straightforward: a patched vulnerability is only effective if you actually apply the patch.

Implications for Broader Cybersecurity

This campaign is a reminder that threat actors don’t need sophisticated tools to breach well-funded targets. They just need a single unpatched system and a bit of patience.

For organizations relying on open-source software like Roundcube, the burden of security falls squarely on the operator. The developer community can fix bugs, but they can’t force users to install updates. That gap—between disclosure and deployment—is where attackers live.

As geopolitical tensions continue to drive cyber espionage, universities should expect more of these targeted campaigns. The best defense remains the simplest: patch early, patch often, and assume someone is already trying to get in.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Armored Likho APT: A New Threat to Government and Electric Power Networks

Published

on

Armored Likho APT

A previously undocumented advanced persistent threat (APT) group has been quietly breaching government agencies and electric power providers across at least three countries. Dubbed Armored Likho APT by researchers at Kaspersky, the actor blends financial theft with espionage, using a flexible toolkit that evolves on the fly.

Armored Likho’s operations stretch from Russia to Brazil and Kazakhstan. The group targets both individuals, for monetary gain, and larger organizations, for intelligence. Its arsenal includes modular remote access trojans (RATs) and information stealers, most notably a Python-based payload Kaspersky tracks as BusySnake Stealer.

This isn’t a one-trick pony. The malware stack allows the attackers to maintain stealthy control over compromised machines, siphon credentials, and deploy additional modules tailored to each victim. Kaspersky’s analysis, published in early July 2026, details how the group achieves this with surprising agility.

How Armored Likho Gets In

The primary entry vector is spear-phishing. Emails carry archives containing executable files or LNK shortcuts. When a target opens the attachment, a decoy document appears on screen. Behind the scenes, the real payload installs silently.

One loader, injected directly into memory, was observed fetching additional archives from public GitHub repositories. Those repos held early development builds and test samples. Another method uses LNK files that pull down a full Python 3.12 interpreter and a malicious archive while displaying a fake document to the user.

BusySnake Stealer: The Core Weapon

The centerpiece of Armored Likho’s toolset is BusySnake Stealer, a Python-based infostealer packed with evasion tricks. It decrypts bytecode only when a specific function is called, then re-encrypts it immediately after execution. The process runs without a console window, keeping it out of sight.

BusySnake relies on multiple handlers for different tasks. These include clipboard theft, file enumeration, extraction of 64-character hexadecimal keys, document exfiltration, screenshot capture and archiving, persistence checks, and general command execution.

Commands from the C&C server can trigger a wide range of actions: capturing screenshots, exfiltrating logged keystrokes, decrypting stored passwords from Chromium-based and Firefox browsers, stealing cookies, scraping the machine for OTP keys, locating cryptocurrency wallets, harvesting Telegram sessions and credentials, establishing a reverse SSH tunnel, or even restarting RustDesk to capture user credentials.

From Go2Tunnel to Full Control

Earlier campaigns relied on a separate tool called Go2Tunnel to set up reverse SSH tunnels. Armored Likho has since folded that capability directly into BusySnake Stealer. The infostealer now provides persistent remote access and interactive control over the victim’s system without needing a secondary utility.

Overlap With Eagle Werewolf

Kaspersky notes that Armored Likho’s operations show overlap with a known hacking group called Eagle Werewolf. That group previously used a RAT named AquilaRAT, which shares structural similarities and persistence mechanisms with BusySnake Stealer. The connection suggests the same developers may be behind both toolkits.

The shift toward modular, Python-based malware is a trend worth watching. It gives attackers the flexibility to swap components quickly and evade signature-based detection. For defenders in the government and electric power sectors, this means staying ahead of an adversary that adapts its code as easily as it changes its targets.

As Armored Likho continues to refine its methods, organizations should prioritize email security, monitor for unusual GitHub repository access, and keep an eye out for the telltale signs of BusySnake Stealer deployment.

Continue Reading

CyberSecurity

Citrix NetScaler Memory Leak Under Active Attack — PoC Published

Published

on

Citrix NetScaler flaw

Another Citrix Flaw, Another Race to Patch

It didn’t take long. Just hours after security researchers published a working proof-of-concept exploit for a newly disclosed memory disclosure vulnerability in Citrix’s NetScaler products, attackers began scanning the internet for exposed appliances. The flaw, tracked as CVE-2023-4966 but already being called “CitrixBleed 2.0” by some in the infosec community, lets an unauthenticated attacker read sensitive memory contents — including session tokens and other credentials — from a vulnerable Citrix NetScaler ADC or Gateway appliance.

The timing is brutal. This comes just over a year after the original CitrixBleed vulnerability (CVE-2023-3519) was exploited en masse by ransomware groups. Now, defenders are once again scrambling to assess exposure and apply fixes before the damage spreads.

What the NetScaler Memory Leak Actually Exposes

This isn’t your run-of-the-mill denial-of-service bug. The vulnerability resides in the NetScaler’s handling of HTTP requests. By sending a specially crafted, unauthenticated request, an attacker can trick the appliance into disclosing chunks of its memory. That memory can contain session cookies, authentication tokens, and other sensitive data that would let an adversary hijack active user sessions or escalate privileges.

According to the advisory from Citrix’s security team, the flaw affects multiple versions of NetScaler ADC and NetScaler Gateway — both as standalone appliances and as cloud-delivered services. The company has released updated firmware builds for all supported versions. If your appliance is still on an unsupported version, you’re out of luck: no patch is coming.

PoC Goes Public, Exploitation Follows Immediately

What makes this incident particularly worrying is the speed of the response — from the attacker side. Researchers at Assetnote published a detailed write-up along with a proof-of-concept exploit on October 25. Within 24 hours, multiple threat intelligence firms reported a sharp uptick in scanning traffic targeting NetScaler management interfaces and gateway endpoints.

“We observed a significant increase in probes against port 443 on NetScaler IPs almost immediately after the PoC was released,” said one analyst who asked not to be named due to company policy. “Attackers are automating the exploit and incorporating it into their toolkits.”

The race is now on. For every organization that patches quickly, there’s another that drags its feet — and those are the ones that will get hit.

Who’s at Risk and What to Check Right Now

If your organization runs any of the following, you need to act immediately:

  • NetScaler ADC (formerly Citrix ADC) version 12.1, 13.0, 13.1, or 14.1
  • NetScaler Gateway (formerly Citrix Gateway) on the same versions
  • Citrix Cloud-managed NetScaler instances (patches are applied automatically by Citrix, but verify)

To check if you’ve already been compromised, look for unusual HTTP requests in your NetScaler access logs — specifically, requests with abnormally long headers or repeated patterns that suggest memory probing. Also inspect active sessions: if you see sessions that don’t match known user activity, rotate all credentials immediately.

This vulnerability is a close cousin of the CitrixBleed exploit from 2023, which was used by the LockBit and Clop ransomware gangs to breach hundreds of organizations. The same playbook applies here: patch now, audit later.

Patching and Mitigation: No Workarounds, Only Fixes

Citrix has confirmed there are no viable workarounds for this flaw. The only fix is to update to the patched versions listed in the security bulletin. If you cannot patch immediately, the company recommends restricting access to the NetScaler management interface to trusted IPs only — but that’s a Band-Aid, not a cure.

Here are the patched versions:

  • NetScaler ADC 14.1 build 4.13 and later
  • NetScaler ADC 13.1 build 51.15 and later
  • NetScaler ADC 13.0 build 92.21 and later
  • NetScaler ADC 12.1 build 55.302 and later (if still supported)

For organizations using NetScaler in high-availability pairs, Citrix recommends updating the secondary node first, then failing over and updating the primary. This minimizes downtime but should be done with caution — test the patch in a staging environment if possible.

Lessons from CitrixBleed: History Repeats Itself

The original CitrixBleed vulnerability taught the security community a painful lesson: attackers move faster than most IT teams. In 2023, the exploit was used in the wild for weeks before a patch was even available. This time, the patch came first — but the PoC followed almost immediately, and exploitation began within hours.

“The window between patch release and mass exploitation is shrinking,” said a senior incident responder at a major cybersecurity firm. “Organizations that treat patching as a quarterly task are going to get burned.”

The takeaway is stark: if you run NetScaler, drop everything and patch. If you don’t, you’re gambling with your network’s security — and the house always wins.

Continue Reading

CyberSecurity

Fake Job Offers From Big Brands Are Hijacking Marketers’ Google Accounts: Here’s How the Scam Works

Published

on

Big Brand Jobs Scam

A New Phishing Wave Hits Marketing Professionals

A sophisticated phishing campaign is making the rounds, and it has a very specific target: marketing professionals. The hook? Fake job offers from some of the world’s biggest brands. The goal? Stealing their Google accounts.

Security researchers have identified a sharp uptick in these attacks, which rely on a mix of social engineering and technical trickery to bypass even cautious users. If you work in marketing — or know someone who does — this is worth paying attention to.

How the Scam Unfolds

The attack starts with an email that looks legitimate. It appears to come from a recruiter at a well-known company — think Google, Amazon, or Meta. The subject line often mentions a job opening, a request for an interview, or an invitation to apply for a role that matches the target’s profile.

Curiosity gets the better of most victims. They click a link that supposedly leads to a job description or an application portal. But that’s where the trouble begins.

Nested Redirects: The Core Trick

Instead of taking the user straight to a phishing page, the link goes through a series of intermediate redirects. This technique, known as nested redirecting, makes it much harder for security scanners and email filters to detect the malicious destination. Each hop looks harmless on its own. By the time the user lands on a fake Google login page, the trail has gone cold.

The fake page is convincing. It mimics Google’s real sign-in interface, right down to the logo and the layout. The victim enters their email and password — and that’s it. The credentials are sent straight to the attackers.

Why Marketers Are Prime Targets

This isn’t random. Attackers are deliberately going after marketing professionals. Why? Because a marketing person’s Google account often holds the keys to the kingdom: Google Ads accounts, Google Analytics profiles, access to the company’s YouTube channel, and shared Google Drive documents filled with strategy and data.

One compromised account can give a criminal access to ad budgets, customer data, and internal communications. It’s a high-value target wrapped in a low-suspicion package — a job offer.

“Marketing teams are used to receiving unsolicited emails from recruiters. It’s part of the job,” says one cybersecurity analyst tracking the campaign. “That familiarity is exactly what the scammers are exploiting.”

Red Flags to Watch For

So how do you tell a real job pitch from a phishing attempt? Look for these signs.

  • Check the sender’s domain carefully. A recruiter from a big brand will use a corporate email address — not a Gmail address or a lookalike domain with a typo (e.g., amaz0n-careers.com).
  • Hover over links before clicking. See where they actually lead. If the URL looks strange or doesn’t match the company’s real website, don’t click.
  • Beware of urgency. Emails that pressure you to act quickly — “Apply within 24 hours!” — are a classic phishing tactic.
  • Never enter your Google credentials on a page you reached from an email link. Go directly to the company’s career page instead.

What to Do If You’ve Been Targeted

If you suspect you’ve clicked a malicious link, act fast. Change your Google password immediately. Enable two-factor authentication if you haven’t already — it’s the single best defense against credential theft.

Also check your Google Account’s recent activity and review any devices or apps that have access. Revoke anything you don’t recognize. If you use the same password on other sites, change those too. For more on staying safe, read our guide on how to spot phishing emails.

Report the phishing email to your company’s IT or security team. They can block the sender and warn others. You can also forward it to Google’s phishing reporting address: phishing@google.com.

The Bigger Picture

This campaign is a reminder that phishing isn’t just about fake bank alerts or Nigerian prince emails anymore. Attackers are getting smarter. They’re doing their homework, targeting specific roles, and using techniques like nested redirects to stay under the radar.

For marketing professionals, the lesson is simple: treat every unsolicited job offer with a healthy dose of skepticism. The promise of a dream role at a big brand could be the bait that costs you your account — and a lot more.

Continue Reading

Trending