Barracuda email security gateway devices were hit by a cyber espionage campaign from a China-nexus threat group that bypassed remediation efforts and continued unleashing attacks against high value targets, according to research Mandiant released Tuesday.
The threat group, listed as UNC4841, deployed sophisticated malware designed to maintain a presence inside a subset of high-priority target organizations even after security updates were released for the Barracuda devices.
Barracuda and Mandiant said they have seen no evidence of a successful exploit of the remote command injection vulnerability, CVE-2023-2868, since Barracuda released a patch on May 20.
Barracuda CISO Riaz Lakhani told Cybersecurity Dive that the patch fully addressed the zero-day vulnerability, and compromised appliances were given additional patches to address the actions of the threat actor.
“Out of an abundance of caution, Barracuda’s recommended remediation for any compromised appliance is replacement,” Lakhani said via email, noting that compromised customers were told to contact the company’s support line.
In June, Mandiant disclosed the hackers were involved in a massive cyber espionage campaign, in which they leveraged the devices to send malicious email attachments to targeted government offices, in the U.S. and abroad, and to private sector companies.
Mandiant said many of the government targets in North America include state and local governments, judiciaries, law enforcement agencies, social services and several incorporated towns. Most of the observed compromises took place during the early months of the campaign, from October to December 2022.
The FBI issued a flash alert in late August warning users to isolate and replace affected Barracuda ESG devices, saying that hackers affiliated with the People’s Republic of China were continuing to exploit the devices.
According to Mandiant, a limited set of high-value targets are still at risk of compromise because the malware was designed to maintain persistence inside the systems of targeted companies, government agencies or other organizations even after remediation efforts began.
“Many of the malware families used in this campaign were specifically designed for Barracuda ESG appliances, which demonstrates the actor prepared and adapted their malware specifically for this campaign,” Austin Larsen, senior incident response consultant at Mandiant, a unit of Google Cloud, said via email.
The threat group deployed a passive backdoor malware that Mandiant calls Depthcharge as early as May 30, about a week after Barracuda disclosed the actively exploited zero-day vulnerability and notified customers of remediation efforts to counter the attacks.
Depthcharge was found on about 2.6% of compromised devices, according to Mandiant. The targets included U.S. and foreign government entities, tech firms and IT providers.
Mandiant identified additional malware, including Skipjack, a passive backdoor that involves injecting malicious Lua code into legitimate ESG modules. Skipjack was found on 5.8% of compromised devices, according to Mandiant.
The third malware family, Foxtrot/Foxglove, is notable because it was not designed specifically for Barracuda ESG devices. The malware was selectively used in government or government-related organizations considered high-value targets by the PRC.
On Tuesday, the Cybersecurity and Infrastructure Security Agency released additional information on the attacks, including new indicators of compromise.