Exploitation of Barracuda ESG appliances linked to Chinese spies

Cyber security researchers at Google Cloud’s Mandiant have linked exploitation of a zero-day vulnerability existing in a limited subset of Barracuda Email Security Gateway (ESG) appliances to a previously untracked China-nexus threat actor, to which it has now assigned the designation UNC4841.

CVE-2023-2968 was disclosed in May 2023, but was likely exploited from October 2022 onwards. It is a remote command injection vulnerability leading to remote code execution (RCE) with elevated privileges, present in a limited number of ESG appliances with version numbers 5.1.3.001 through 9.2.0.006. Since disclosure, it has unfortunately emerged that Barracuda’s patch had not fully addressed the issue, with the result that owners of the affected hardware have been advised to obtain a replacement.

Charles Carmakal, CTO at Mandiant Consulting, Google Cloud, said that the Chinese campaign had been wide-ranging.

“This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021,” said Carmakal.

“In the Barracuda instance, the threat actor compromised email security appliances of hundreds of organisations. For a subset of victims, they stole the emails of prominent employees dealing in matters of interest to the Chinese government,” he added.

According to Mandiant’s research team – which on this engagement comprised Austin Larsen, John Palmisano, Mathew Potaczek, John Wolfram, Nino Isakovic and Matthew McWhirt – UNC4841 is a state-backed actor working in support of the intelligence objectives of the Chinese government.

Its infrastructure has been found to contain several points of overlap with that attributed to other Chinese espionage actors – the team suspects this indicates that Beijing is taking a joined-up approach to its IT procurement.

It has been observed “aggressively” targeting data of interest for exfiltration at public and private sector bodies in 16 countries, with approximately a third of victims identified by Mandiant as government agencies. In particular, UNC4841 seems to be interested in the foreign affairs ministries of ASEAN members, and foreign trade offices and academic research organisations in Hong Kong and Taiwan.

The phishing emails it used to gain access were laced with specially crafted TAR attachments, and the emails themselves generally contained generic email subject and body text lures, in some cases with placeholder values. Mandiant said this was likely done so that the emails would appear as generic spam to their victim systems, and dissuade security analysts from investigating them.

During the course of the seven-month campaign, UNC4841 used three code families – dubbed Saltwater, Seaspy and Seaside – all of which to some degree attempted to masquerade as Barracuda ESG modules or services .

This trend is ongoing, said Mandiant, and since Barracuda’s initial disclosure, UNC4841 has been hard at work modifying some of the components of Saltwater and Seaspy to prevent effective patching. It has also introduced a new rootkit in the form of a trojanised network file system kernel module for Linux, dubbed Sandbar. It has also trojanised some legitimate Barracuda Lua modules that are being tracked as Seaspray and Skipjack.

“UNC4841 has shown to be highly responsive to defensive efforts and actively modifies TTPs to maintain their operations. Mandiant strongly recommends impacted Barracuda customers continue to hunt for this actor and investigate affected networks,” the team said.

“We expect UNC4841 will continue to alter their TTPs and modify their toolkit, especially as network defenders continue to take action against this adversary and their activity is further exposed by the infosec community.

They added: “Mandiant commends Barracuda for their decisive actions, transparency, and information sharing following the exploitation of CVE-2023-2868 by UNC4841. The response to the exploitation of this vulnerability by UNC4841 and subsequent investigation necessitated collaboration between Mandiant, Barracuda, and multiple government and intelligence partners.

“Mandiant was enabled by expertise of Barracuda engineers who provided invaluable product specific knowledge as well as telemetry data from the full fleet of ESG appliances. The data provided by Barracuda enabled Mandiant to understand the full scope, investigate at scale, as well as monitor subsequent attacker activity.”

A Barracuda spokesperson said: “As of June 8 2023, approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability. Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.

“We have notified customers impacted by this incident. If an ESG appliance is displaying a notification in the user interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time. Again, only a subset of ESG appliances were impacted by this incident. 

“Barracuda’s guidance remains consistent for customers. Out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance.

“If a customer received the user interface notification or has been contacted by a Barracuda technical support representative, the customer should contact [email protected] to replace the ESG appliance. Barracuda is providing the replacement product to impacted customer at no cost,” they said. 

“Barracuda engaged and continues to work closely with Mandiant, leading global cyber security experts, in this ongoing investigation.”