Headline
Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT
A PRC-aligned actor used a trio of custom malware to take advantage of inherent weaknesses in edge appliances.
Researchers say the recent compromise of Barracuda Networks email security gateways (ESGs) was carried out by a newly discovered Chinese APT, which used three different backdoors to exploit security failings endemic to edge devices.
According to Barracuda’s timeline, on May 18, the company was alerted to anomalous traffic coming from some of its ESGs. The following day, in collaboration with security company Mandiant, it discovered a zero-day vulnerability — CVE-2023-2868 — since assigned a score of 9.8 out of 10 on the CVSS vulnerability severity scale, making it critical-rated.
In multiple statements provided to Dark Reading, Barracuda has indicated that around 5% of active ESG devices worldwide have shown evidence of compromise. The company has a global footprint, with market-share watchers pegging it as claiming around a fifth of the ESG market, with clients that include CVS Health, IBM, and McKesson.
Now, in a report published Thursday, June 15, Mandiant has connected the campaign to a novel APT it’s tracking as UNC4841, assessing “with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.”
A full third of UNC4841’s targets have been government organizations, and more than half are in the Americas — though “that may partially reflect the product’s customer base,” the researchers qualified. In many cases, the hackers collected email data not just from specific targets, but individual targets, including government officials and academics in Southeast Asia.
“They’re definitely very competent,” says Ben Read, Mandiant’s senior manager of cyber espionage analysis, Google Cloud. “To find a vulnerability and exploit it in the ways that they have demonstrates an understanding that would have taken a lot of time and expertise to figure out. They definitely have significant funds.”
UNC4841’s Many Backdoors
UNC4841’s attacks began with rudimentary phishing emails containing generic messages and broken grammar. Attached to the emails, however, were malicious tape archive (TAR) files which, when opened, exploited CVE-2023-2868, allowing the attackers to remotely execute code on target machines.
A sample UNC4841 phishing email. Source: Mandiant
Now in control of the privileges afforded to Barracuda ESGs, the attackers deployed three separate backdoors — SALTWATER, SEASPY, and SEASIDE — which each attempted to masquerade as legitimate ESG modules and services.
These backdoors “do have different capabilities, but overlap in terms of allowing for command-and-control (C2) communication to the device,” explains Austin Larsen, Mandiant senior incident response consultant, Google Cloud. As he sees it, having three backdoors is a form of fault tolerance: “The actor is shown a pretty intense desire to maintain access to these devices, by establishing redundancy through multiple backdoors.”
Even after its backdoors were discovered and addressed, “the threat actor reacted very quickly to any actions taken by Barracuda and Mandiant,” Larsen says. “They wanted to maintain persistence and access to these devices for as long as possible.”
Together, this may explain why, even after Barracuda released a series of security patches, UNC4841’s malicious activity remained ongoing. Beginning May 31, to finally rid the attackers from the appliances, the company offered to outright replace all affected ESGs at no cost to customers.
What to Do About Edge Appliances
Larsen points out that it’s not just ESGs — edge appliances in general aren’t secure enough.
“The threat that it poses is that network defenders typically don’t have visibility into the underlying operating system, and so your traditional countermeasures — like EDR solutions for detection — typically don’t run on these appliances,” he explains. "And so, actors have realized that it’s a great place to operate from, because they can typically avoid detection.”
The issues with edge appliances only mount from there. “They live on the edge of networks, so they’re typically exposed in some way to the Internet and a lot of appliances are in a legacy phase at this point,” he adds. “And so we’re seeing that these appliances aren’t quite getting the same level of attention as some more modern products and solutions, in terms of security.”
But even if edge appliances themselves are vulnerable, with proper segmentation, the networks they’re connected to don’t have to be.
“We did identify this specific threat actor attempting to move laterally from the edge devices post-exploitation,” Larsen notes. “Had these devices been in an unprivileged segment of the network, that may have prevented some of that lateral movement.”
Related news
Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoor on a "limited number" of devices. Tracked as CVE-2023-7102, the issue relates to a case of arbitrary code execution that resides within a third-party and open-source library Spreadsheet::ParseExcel that's used by the Amavis scanner within the
A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign. Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as "highly responsive to
Categories: Exploits and vulnerabilities Categories: News Tags: Barracuda ESG Tags: CVE-2023-2868 Tags: SEASPY Tags: SUBMARINE Tags: WHIRLPOOL The FBI repeats the warning by Barracuda that all ESG appliances should immediately be replaced because the patch was ineffective. (Read more...) The post FBI confirms Barracuda patch is not effective for exploited ESG appliances appeared first on Malwarebytes Labs.
The U.S. Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups. It also deemed the fixes as "ineffective" and that it "continues to observe active intrusions and considers all affected Barracuda ESG
Categories: Exploits and vulnerabilities Categories: News Tags: Barracuda Tags: ESG Tags: CVE-2023-2868 Tags: SUBMARINE Tags: SEASPY Tags: shell CISA has released three reports based on the analysis of backdoors planted on compromised Barracuda ESG appliances (Read more...) The post Compromised Barracuda appliances equipped with persistent backdoors by attackers appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances. "SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable
A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022. "UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," Google-owned Mandiant said in a new report published today, describing the group as "
It's not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware -- as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.
Enterprise security company Barracuda is now urging customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company said in an update, adding its "remediation recommendation at this time is full replacement of the
Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices. The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery.
Categories: Exploits and vulnerabilities Categories: News Barracuda Networks issued a patch for a zero-day vulnerability in its Email Security Gateway that was actively being exploited (Read more...) The post Barracuda Networks patches zero-day vulnerability in Email Security Gateway appeared first on Malwarebytes Labs.
Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company's Email Security Gateway (ESG) appliances. The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006. The California-headquartered firm
A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.