An unidentified espionage-focused threat actor linked to China is believed to be behind the recently discovered spate of zero-day attacks on Barracuda Networks’ Email Security Gateway appliances around the world.
Barracuda has estimated that about 5% of its ESG appliances worldwide have been impacted by the critical vulnerability (tracked as CVE-2023-2868), which it discovered and patched last month.
The remote command injection attack was serious enough that the vendor last week took the unusual step of telling customers they should immediately replace all affected appliances.
Mandiant was hired by Barracuda to investigate the vulnerability, and in a blog post published today it described the attacks as a wide-ranging campaign in support of China, carried out by an unidentified espionage actor it is tracking as UNC4841.
“While Mandiant has not attributed this activity to a previously known threat group at this time, we have identified several infrastructure and malware code overlaps that provide us with a high degree of confidence that this is a China-nexus espionage operation,” wrote researchers Austin Larsen, John Palmisano, Mathew Potaczek, John Wolfram, Nino Isakovic and Matthew McWhirt.
Espionage focused on issues affecting China
Data has been exfiltrated from some of the compromised ESGs and Mandiant has observed the “targeted collection” of email data relating to specific individuals and organizations. Targets have included Asian and European government officials based in Southeast Asia, as well as academics in Taiwan and Hong Kong.
“Additionally, the targeting, both at the organizational and individual account levels, focused on issues that are high policy priorities for the PRC [People’s Republic of China], particularly in the Asia Pacific region including Taiwan.”
Mandiant said almost a third of the known victims of the attacks were government agencies and it was working with “multiple government and intelligence partners” alongside Barracuda to investigate and respond to the exploitation. The Australian Capital Territory Government, which includes the headquarters of the nation’s defense, security, intelligence, diplomatic and other agencies within its boundaries, said last week it had been compromised and there was a “strong likelihood” data had been stolen.
“Targeted organizations have spanned public and private sectors worldwide. A majority of exploitation activity appears to impact the Americas; however, that may partially reflect the product’s customer base,” the researchers said.
Flexible TTPs and lots of malware
Other notable aspects of the attack include UNC4841 achieving lateral movement through victims’ networks after gaining access to the ESG, and sending emails from compromised appliances to ESGs in other victim organizations.
After the zero-day vulnerability was discovered, the hacking group demonstrated an ability to alter its tactics, techniques and procedures (TTPs) in response to Barracuda’s remediation efforts, Mandiant said.
Barracuda began releasing patches for the vulnerability on May 21 and the following day the threat actor began amending its malware and adding persistence mechanisms to maintain access. Between May 22 and 24 it mounted “high frequency operations targeting a number of victims located in at least 16 different countries,” Mandiant said.
“We expect UNC4841 will continue to alter their TTPs and modify their toolkit, especially as network defenders continue to take action against this adversary and their activity is further exposed by the infosec community.”
Barracuda has previously outlined three families of malware identified in the intrusions: SaltWater, SeaSpy and Seaside, all masquerading as legitimate ESG modules or services. In its post, Mandiant identified four more: Sandbar, a trojanized network file system kernel module for Linux; SeaSpray, a Lua launcher that is a trojanized ESG module; Whirlpool, a C-based utility used to create a Transport Layer Security reverse shell; and SkipJack, a trojanized ESG module that processes emails.
Group exploited spam filters to hide malicious emails
Mandiant said that because the command injection vulnerability lay in the parsing logic for processing TAR (tape archive) files, the threat actor was able to gain access to appliances as early as October 2022 by sending emails with specially crafted TAR attachments.
The attachments were formatted in such a way that they triggered a command injection attack that enabled the threat actors to remotely execute system commands with the privileges of the ESG, the researchers said.
“UNC4841 likely crafted the body and subject of the [malicious emails] to appear as generic spam in order to be flagged by spam filters or dissuade security analysts from performing a full investigation. Mandiant has observed this tactic utilized by advanced groups exploiting zero-day vulnerabilities in the past.”
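As an added illustration of the attachment-level investigation and hunting a defender might do (example code written for this page, not code from the article, Barracuda or Mandiant): a small Python triage script that opens a TAR attachment and reports any member whose name contains shell metacharacters, while also flagging archives that cannot be parsed at all. It assumes that crafted archives abuse member names to reach the parsing logic, which the article does not state; the sample archives are constructed inline.

```python
import io
import re
import tarfile

# Characters that have no place in a legitimate attachment member name
# but are meaningful to a shell: a cheap, high-signal triage check.
SHELL_METACHARS = re.compile(r"[`$|;&<>(){}\n\\'\"]")


def scan_tar_attachment(data: bytes) -> dict:
    """Triage one TAR attachment held in memory.

    Returns {"parse_error": None | str, "suspicious": [member names]}.
    An unparseable archive is reported rather than silently skipped,
    since a malformed TAR is itself worth a look in this campaign.
    """
    findings = {"parse_error": None, "suspicious": []}
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf:  # walks headers only, nothing is extracted
                if SHELL_METACHARS.search(member.name):
                    findings["suspicious"].append(member.name)
    except (tarfile.TarError, EOFError) as exc:
        findings["parse_error"] = str(exc)
    return findings


def build_tar(names) -> bytes:
    """Construct a sample TAR in memory (test data only, not a real attachment)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"constructed sample content"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one benign archive, one with hostile member names.
    benign = build_tar(["report.pdf", "notes.txt"])
    crafted = build_tar(["report`x`.pdf", "a|b.txt", "ok.txt"])
    for label, blob in (("benign", benign), ("crafted", crafted), ("junk", b"not a tar")):
        print(label, scan_tar_attachment(blob))
```

Run it against attachments carved from mail logs or quarantine stores; a hit on the name check or a parse error is a lead for deeper analysis, not proof of compromise.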
Mandiant said affected ESG users should follow Barracuda’s guidance, including replacing compromised appliances regardless of patch level, and should perform investigation and hunting activities within their networks.
“UNC4841 has shown to be highly responsive to defensive efforts and actively modifies TTPs to maintain their operations. Mandiant strongly recommends impacted Barracuda customers continue to hunt for this actor and investigate affected networks.”