Dive Brief:
- A suspected threat actor affiliated with China is exploiting a subset of compromised Barracuda Email Security Gateway (ESG) devices to launch a widespread espionage campaign in support of the People’s Republic of China, according to a report released Thursday by Mandiant.
- The threat actor, tracked as UNC4841, has been sending emails with malicious attachments since October 2022 in order to exploit the zero-day vulnerability disclosed in May. The hackers used a variety of custom malware to maintain a presence in targeted systems, with most of the exploitation taking place in the Americas.
- “This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in 2021,” Charles Carmakal, CTO of Mandiant Consulting, Google Cloud said in a statement. “In the Barracuda instance, the threat actor compromised email security appliances of hundreds of organizations.”
Dive Insight:
Barracuda retained Mandiant to investigate in May after it disclosed that a zero-day, tracked as CVE-2023-2868, had been under active exploitation since October. Barracuda issued multiple security patches for the remote command injection vulnerability and just last week urged customers to replace the compromised devices.
About 5% of Barracuda ESG devices worldwide have shown signs of compromise. There is no evidence of successful exploitation after the company released a patch on May 20, according to Austin Larsen, Mandiant senior incident response consultant, Google Cloud.
Mandiant researchers said the threat actor relied on three principal code families — identified as Saltwater, Seaspy and Seaside — to maintain a presence on the devices. The code families were used to masquerade as legitimate ESG devices. The initial emails in October used specially crafted TAR file attachments.
The threat actor was seen targeting specific data for exfiltration, in some cases leveraging access on an ESG appliance to move laterally into a network or send mail to other appliances.
After Barracuda released patches on May 21, the hackers began altering the malware and took additional measures to maintain persistence. From May 22 through May 24, the group stepped up operations to target organizations in 16 different countries, with one-third of those being government organizations, according to the Mandiant report.
About 55% of the exploitation activity was in the Americas, where Barracuda devices are widely deployed. The compromised ESGs were used to target individuals in the ASEAN Ministry of Foreign Affairs, foreign trade offices and academic research organizations in Taiwan and Hong Kong.
The Cybersecurity and Infrastructure Security Agency is urging organizations to review an updated Barracuda advisory, and is urging all impacted users to hunt for indicators of compromise and to follow the mitigation steps.
For those using enterprise privileged credentials, such as Active Directory Domain Admin, to manage their Barracuda devices, CISA is urging users to validate the behavior of any credentials being used on their devices.
Barracuda said it is providing the replacement product at no cost and is committed to providing transparency around the incident.
Editor’s note: This article has been updated to reflect how many of those targeted organizations are government organizations.