UNC4841 threat actors hacked US government email servers exploiting Barracuda ESG flaw
August 29, 2023
China-linked threat actors breached government organizations worldwide with attacks exploiting Barracuda ESG zero-day.
In June, Mandiant researchers linked the threat actor UNC4841 to the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China.
“Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors.” reads the report published by Mandiant. “Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.”
At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.
The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening, the issue was discovered on May 19 and the company fixed it with the release of two security patches on May 20 and 21.
The issue could have a significant impact because the impacted Email Security Gateway (ESG) appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses.
The vulnerability doesn’t impact other Barracuda products, the company states that its SaaS email security services is not affected by this issue.
The company investigated the flaw and discovered that it was exploited to target a subset of email gateway appliances. The company notified via the ESG user interface the customers whose appliances they believe were impacted.
On May 30, 2023, the vendor provided a Preliminary Summary of Key Findings related to its investigation that includes a timeline of events, Indicators of Compromise (IOCs), and recommended actions for impacted customers.
As per the vendor’s statement, the flaw has been exploited in real-world scenarios, with incidents dating back to October 2022 at the very least.
“Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.” reads the update provided by the company.
Threat actors exploited the flaw CVE-2023-2868 to obtain unauthorized access to a subset of ESG appliances. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances allowing for persistent backdoor access.
The company confirmed that the CVE-2023-2868 was first exploited in October 2022.
The families of malware employed in the attacks are:
- SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary.
- SEASPY – An x64 ELF persistent backdoor masquerades as a legitimate Barracuda Networks service and posing itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”.
- SEASIDE is a module written in Lua for bsmtpd, it establishes a reverse shell via SMTP HELO/EHLO commands sent via the malware’s C2 server.
In June, the company published a new statement urging customers to immediately replace the ESG appliances, regardless of patch version level.
According to Mandiant, starting as early as October 10, 2022, the UNC4841 group sent spear-phishing emails to victim organizations. The email contained a weaponized attachment crafted to exploit the flaw CVE-2023-2868 to access vulnerable Barracuda ESG appliances.
Once compromised the ESG device, UNC4841 was observed stealing specific data of interest, and in some cases, the attackers used the access to the appliance for lateral movement, or to send mail to other victim appliances. The threat actors also deployed additional tools to maintain a presence on ESG appliances.
Most of the attacks observed by Mandiant targeted Americas (55%), followed by EMEA (24%), and APAC (22%). Almost one out of three affected organizations were government agencies, a circumstance that suggests that the attacks were carried out as part of a cyber espionage campaign.
At the end of July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on a malware variant, tracked as SUBMARINE Backdoor, that was employed in attacks exploiting the flaw CVE-2023-2868 in Barracuda Email Security Gateway (ESG) appliances.
In August, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) observed a new backdoor, named Whirlpool, in attacks on Barracuda ESG appliances.
Since the initial report published by Mandiant in June, the researchers have assembled an exhaustive timeline of all identified UNC4841 activity related to the exploitation of CVE-2023-2868.
The activity was temporarily suspended from approximately January 20 to January 22, 2023, which coincides with the beginning of the Chinese New Year.
After Barracuda’s initial remediation efforts and public notification on May 23, 2023, Mandiant also identified two surges in activity. The first surge occurred shortly after the notification when the attackers retooled malware and used different methods to maintain persistence.
In a second, previously undisclosed, wave that began in early June 2023 Mandiant researchers observed the state-sponsored hackers deploying new malware families such as SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE, to maintain access to compromised environments.
“This second surge represented the highest intensity of UNC4841 activity identified by Mandiant across the entire campaign, demonstrating UNC4841’s determination in preserving access to specific victim environments.” states the new report published by Mandiant.
The researchers explained that the threat actors were prepared to respond to Barracuda’s initial notification, and the deployment of DEPTHCHARGE on May 30, 2023 demonstrates it.
“Mandiant observed UNC4841 rapidly deploy DEPTHCHARGE to select targets following Barracuda’s announcement that RMA was the recommended response action. This capability and its deployment suggests that UNC4841 anticipated and was prepared for remediation efforts with tooling and TTPs designed to enable them to persist on high value targets.” continues the report. “It also suggests that despite this operation’s global coverage, it was not opportunistic, and that UNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their access to target networks.”
After the Barracuda’s public disclosure of CVE-2023-2868, Mandiant experts observed the UNC4841 group performing internal reconnaissance and lateral movement actions within the networks of a limited number of victims.
“In more than one case, Mandiant observed UNC4841 utilizing OWA to attempt to log in to mailboxes for users within the victim organization. In one case, a relatively low number of unsuccessful OWA access attempts resulted in the lockout of a limited number of accounts.” continues the report. “In the cases where UNC4841 was able to obtain unauthorized access to a limited number of accounts, Mandiant did not observe UNC4841 send any email from the compromised account.”
The attackers also observed attempts to move laterally via SSH to VPNs, Proxy Servers, and other edge appliances on the target networks.
“Mandiant strongly recommends impacted Barracuda customers continue to hunt for UNC4841 activity within networks impacted by a compromised ESG. Due to their demonstrated sophistication and proven desire to maintain access, Mandiant expects UNC4841 to continue to alter their TTPs and modify their toolkit as network defenders continue to take action against this adversary, and their activity is further exposed by the security community.” concludes the report. “Mandiant anticipates UNC4841 will continue to edge devices in the future. In order to aid in the hunting UNC4841 activity, IOCs and detection rules can be found in the sections that follow.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Barracuda ESG)