Headline
Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway
A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022. “UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China,” Google-owned Mandiant said in a new report published today, describing the group as "
A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022.
“UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China,” Google-owned Mandiant said in a new report published today, describing the group as “aggressive and skilled.”
The flaw in question is CVE-2023-2868 (CVSS score: 9.8), which relates to a remote code injection affecting versions 5.1.3.001 through 9.2.0.006 that arises as a result of an incomplete validation of attachments contained within incoming emails.
Barracuda addressed the problem on May 20 and 21, 2023, but the company has since urged affected customers to immediately replace the devices “regardless of patch version level.”
Now according to the incident response and threat intelligence firm, which was appointed to probe the hack, UNC4841 is said to have sent emails to victim organizations containing malicious TAR file attachments that were designed to exploit the bug as early as October 10, 2022.
These email messages contained generic lures with poor grammar and, in some cases, placeholder values, a tactic deliberately chosen to disguise the communications as spam.
The goal, it noted, was to execute a reverse shell payload on the targeted ESG devices and deliver three different malware strains – SALTWATER, SEASIDE, and SEASPY – in order to establish persistence and execute arbitrary commands, while masquerading them as legitimate Barracuda ESG modules or services.
Also deployed by the adversary is a kernel rootkit named SANDBAR that’s configured to conceal processes that begin with a specified name as well as trojanized versions of two different valid Barracuda Lua modules -
- SEASPRAY - A launcher for screening incoming email attachments with a particular filename and runs an external C-based utility dubbed WHIRLPOOL to create a TLS reverse shell
- SKIPJACK - A passive implant that listens for incoming email headers and subjects and executes the content present in “Content-ID” header field
Source code overlaps have been identified between SEASPY and a publicly available backdoor referred to as cd00r and also between SANDBAR and an open-source rootkit, suggesting that the actor repurposed existing tools to orchestrate the intrusions.
UPCOMING WEBINAR
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!
Join the Session
UNC4841 has all the hallmarks of a persistent actor, given its ability to swiftly alter its malware and employ additional persistence mechanisms as Barracuda initiated containment efforts after discovering the activity on May 19, 2023.
In some instances, the threat actor was observed leveraging access to a compromised ESG appliance to conduct lateral movement into the victim network, or to send mail to other victim appliances. Data exfiltration entailed the capture of email related data in a subset of cases.
The high frequency attacks, Mandiant said, targeted an unspecified number of private and public sector organizations located in at least 16 countries, with almost a third being government entities. 55% of the impacted organizations are located in the Americas, followed by 24% in EMEA and 22% in the Asia-Pacific region.
“UNC4841 has shown to be highly responsive to defensive efforts and actively modifies TTPs to maintain their operations,” Mandiant said, adding it expects the actors to “alter their TTPs and modify their toolkit.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoor on a "limited number" of devices. Tracked as CVE-2023-7102, the issue relates to a case of arbitrary code execution that resides within a third-party and open-source library Spreadsheet::ParseExcel that's used by the Amavis scanner within the
A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign. Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as "highly responsive to
Categories: Exploits and vulnerabilities Categories: News Tags: Barracuda ESG Tags: CVE-2023-2868 Tags: SEASPY Tags: SUBMARINE Tags: WHIRLPOOL The FBI repeats the warning by Barracuda that all ESG appliances should immediately be replaced because the patch was ineffective. (Read more...) The post FBI confirms Barracuda patch is not effective for exploited ESG appliances appeared first on Malwarebytes Labs.
The U.S. Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups. It also deemed the fixes as "ineffective" and that it "continues to observe active intrusions and considers all affected Barracuda ESG
Categories: Exploits and vulnerabilities Categories: News Tags: Barracuda Tags: ESG Tags: CVE-2023-2868 Tags: SUBMARINE Tags: SEASPY Tags: shell CISA has released three reports based on the analysis of backdoors planted on compromised Barracuda ESG appliances (Read more...) The post Compromised Barracuda appliances equipped with persistent backdoors by attackers appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances. "SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable
A PRC-aligned actor used a trio of custom malware to take advantage of inherent weaknesses in edge appliances.
It's not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware -- as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.
Enterprise security company Barracuda is now urging customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company said in an update, adding its "remediation recommendation at this time is full replacement of the
Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices. The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery.
Categories: Exploits and vulnerabilities Categories: News Barracuda Networks issued a patch for a zero-day vulnerability in its Email Security Gateway that was actively being exploited (Read more...) The post Barracuda Networks patches zero-day vulnerability in Email Security Gateway appeared first on Malwarebytes Labs.
Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company's Email Security Gateway (ESG) appliances. The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006. The California-headquartered firm
A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.