A recent series of attacks exploiting a zero-day vulnerability in Barracuda Networks email security appliances has been attributed to the Chinese cyberespionage group UNC4841.
Barracuda discovered the attacks in May and enlisted the assistance of Mandiant, now owned by Google Cloud, for the investigation.
Key Takeaways from the Barracuda Zero-Day Attacks:
- The recent Barracuda zero-day attacks have been attributed to the Chinese cyberespionage group UNC4841.
- The attacks targeted the email security appliances of hundreds of organizations.
- Multiple custom backdoors and trojanized modules were used by the attackers.
Chinese Cyberespionage Group UNC4841 Behind Barracuda Zero-Day Attacks
The campaign, identified as the most extensive cyber espionage operation conducted by a China-associated threat actor since the mass exploitation of Microsoft Exchange in 2021, targeted the email security appliances of numerous organizations.
Zero-Day Exploitation and Malware Deployment
The zero-day vulnerability, designated CVE-2023-2868, affected the Barracuda Email Security Gateway (ESG) and resided in the module responsible for the initial screening of email attachments.
The attackers leveraged this vulnerability to execute remote command injections by sending specially crafted TAR file attachments via email. Mandiant observed that the hackers used poorly written emails disguised as generic spam to evade detection and to dissuade security analysts from investigating thoroughly.
This tactic is commonly employed by advanced groups exploiting zero-day vulnerabilities.
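A defender-side check for the attachment vector described above, added here as an example and not code from Barracuda or Mandiant. It assumes (the article does not spell this out) that the injection payload travels in the archive's member names, so it parses a TAR attachment and flags any member whose name contains shell metacharacters; the sample archives are constructed in memory.

```python
import io
import re
import tarfile

# Shell metacharacters that have no legitimate place in an attachment's
# member names; any hit is worth quarantining and reviewing.
SUSPICIOUS = re.compile(r"[`$;|&<>(){}\n]")


def suspicious_member_names(data: bytes) -> list:
    """Return the member names in a TAR attachment that carry shell metacharacters.

    Unreadable input is reported as a single sentinel entry so that a malformed
    archive is still surfaced rather than silently passed through.
    """
    hits = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf.getmembers():
                # Check the link target too: symlinks and hardlinks carry a second name.
                for name in (member.name, member.linkname):
                    if name and SUSPICIOUS.search(name):
                        hits.append(name)
    except tarfile.TarError:
        return ["<unreadable archive>"]
    return hits


def build_tar(names) -> bytes:
    """Constructed sample: build an in-memory TAR with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            payload = b"placeholder"  # constructed content, not real data
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_tar(["report.pdf", "notes.txt"])
    crafted = build_tar(["report.pdf", "invoice`x`.pdf"])  # constructed, inert name
    print("benign:", suspicious_member_names(benign))
    print("crafted:", suspicious_member_names(crafted))
```

The same scan can run at the mail gateway or on quarantined attachments after the fact; a non-empty result is a detection signal, not proof of compromise.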
During the attacks, the cyberspies exploited CVE-2023-2868 to gain initial access to Barracuda appliances. They then executed a reverse shell and downloaded custom backdoor malware onto the compromised devices.
Three primary custom backdoors, named SeaSpy, SaltWater, and SeaSide, were identified. These malware variants facilitated communication with command-and-control (C&C) servers, file downloading and execution, command execution, and proxying capabilities.
The attackers also deployed a rootkit named SandBar to conceal the SeaSpy malware. Additionally, trojanized versions of legitimate Barracuda Lua modules, known as SeaSpray and SkipJack, were utilized.
Impact and Response
Following the discovery of the attacks, Barracuda advised affected customers to replace compromised appliances, indicating that the deployed patches were insufficient for full protection.
Mandiant observed that the attackers modified their malware and implemented additional persistence mechanisms in response to Barracuda’s actions, aiming to counteract the remediation efforts.
UNC4841 targeted various victims globally, including government officials in Europe and Asia, high-profile academics, and organizations such as the Ministry of Foreign Affairs of the Association of Southeast Asian Nations (ASEAN).
Victim Profiles and Geographic Distribution
More than a quarter of the victims were government organizations, with targets encompassing entities of political or strategic interest to China.
The impacted organizations were predominantly located in the Americas, which aligns with the widespread use of Barracuda appliances in this region. The remaining victims were distributed across the APAC and EMEA regions.
Furthermore, technical evidence, including email origins, the use of specific mail clients, and overlaps in infrastructure and malware code previously associated with Chinese cyber spies, provided additional indications linking the attacks to China.
Conclusion:
The Barracuda zero-day attacks attributed to the Chinese cyberespionage group UNC4841 highlight the group’s sophisticated capabilities and targeting of email security appliances.
The extensive campaign affected numerous organizations worldwide, with a particular focus on government entities and those of strategic interest to China. The use of custom backdoors, trojanized modules, and continuous adaptation to counter remediation efforts underscores the persistent nature of these cyber espionage operations.
Organizations must remain vigilant, implement robust security measures, and stay updated with the latest patches to mitigate the risks posed by such advanced threat actors.