Majority of Internet-Accessible REDCap Servers Running Outdated Versions, Targeted by Chinese Threat Actor UNC6508
A majority of internet-accessible REDCap servers are running outdated software, leaving them vulnerable to exploitation by the China-linked threat actor UNC6508 for initial access and backdoor deployment.

A new analysis has revealed that a majority of internet-accessible REDCap servers are running outdated versions, exposing them to exploitation by threat actors. REDCap (Research Electronic Data Capture) is a widely used electronic data capture tool in academic and healthcare research, making unpatched instances a significant supply-chain risk.
These servers are actively targeted by the China-linked threat actor UNC6508, which uses them for initial access and backdoor deployment. The group has been observed exploiting REDCap vulnerabilities to gain a foothold in networks, often followed by data exfiltration and lateral movement.
REDCap is a web-based application developed by Vanderbilt University, used by over 4,500 institutions worldwide for clinical research and data collection. Its widespread adoption in sensitive environments, including hospitals and universities, makes it an attractive target for espionage and data theft.
The analysis found that many REDCap servers run versions that are several years old and lack critical security patches. This is partly because updating the software is complex: upgrades often have to preserve custom configurations and integrations with other systems.
UNC6508 has been linked to multiple campaigns targeting healthcare and academic institutions, using REDCap as a stepping stone to access more sensitive data. The group's tactics include exploiting known vulnerabilities, using stolen credentials, and deploying custom backdoors.
Organizations are urged to update their REDCap installations to the latest version and apply security patches promptly. Network segmentation, multi-factor authentication, and monitoring for suspicious activity further reduce the risk of exploitation.
The findings highlight the ongoing challenge of securing widely used research tools that may not be prioritized for security updates. As threat actors continue to target these systems, proactive vulnerability management is essential to protect sensitive research data.