Chinese nation-state actor behind Barracuda ESG attacks

Mandiant attributed the recent exploitation of a zero-day vulnerability in Barracuda's Email Security Gateway appliances to an espionage actor supporting the Chinese government.

In a blog post Thursday, Mandiant provided additional information about an ongoing investigation into exploitation of a zero-day vulnerability, tracked as CVE-2023-2868, in Barracuda ESG appliances that was disclosed last month. Based on several infrastructure and malware code overlaps, Mandiant assessed with high confidence that the Chinese nation-state actor it named "UNC4841" is behind what it attributed as cyberespionage attacks.

While Mandiant confirmed that exploitation of CVE-2023-2868 began as early as October, the investigation determined that UNC4841 threat actors were most active between May 22 and May 24 and targeted "a number of victims located in at least 16 different countries."

"Overall, Mandiant identified that this campaign has impacted organizations across the public and private sectors worldwide, with almost a third being government agencies," Mandiant wrote in the blog post.

Mandiant's report also shed light on why the two patches Barracuda released last month were insufficient, forcing the vendor to advise customers to replace compromised ESG appliances. An initial patch was available on May 20, followed by an additional fix on May 21, but the threat actor responded swiftly with changes to its custom malware.

Mandiant said that between May 21 and 23, "UNC4841 quickly made modifications to both SEASPY and SALTWATER related components in order to prevent effective patching." Seaspy and Saltwater were two of the three malware code families Mandiant observed during the attacks, along with a third family called Seaside. Threat actors leveraged the three to "masquerade as legitimate Barracuda ESG modules or services."

Austin Larsen, senior incident response consultant at Mandiant, part of Google Cloud, expanded on the patch issues in an email to TechTarget Editorial. UNC4841 was able to retain access regardless of patches and firmware updates because it is a fairly sophisticated and aggressive threat actor, he said.

"In response to Barracuda's initial remediation actions, UNC4841 displayed an interest in and commitment to maintaining persistent access to the subset of compromised appliances. Due to the sophistication displayed by UNC4841 and lack of full visibility into all compromised appliances, Barracuda has elected to replace and not reimage the appliance from the recovery partition out of an abundance of caution," Larsen said.

One way threat actors maintained persistence, according to the blog, was executing Seaspy by inserting a command into the update_version Perl script executed by the appliance. Larsen attributed UNC4841's ability to modify the script to the access it gained through the successful exploitation of CVE-2023-2868. He added that Mandiant and Barracuda have not identified successful exploitation of CVE-2023-2868 since the release of the May 20 patch.

Another way threat actors maintained persistence and circumvented the patching efforts started with the reverse shells they established by using domains rather than IP addresses. Subsequently, they leveraged the reverse shells through hourly and daily cron jobs on compromised devices. Mandiant also observed UNC4841 deploying a kernel rootkit it dubbed "Sandbar," which executed during devices' startup.

TechTarget Editorial also contacted Barracuda for additional insight into why the patches and firmware updates were ineffective. The vendor provided a statement similar to previous ones, with one addition.

"Barracuda partnered closely with Mandiant and its government partners to investigate the exploit behavior and malware. Mandiant identified the suspected China-nexus actor, currently tracked as UNC4841, and assesses with high confidence that the group is working in support of the People's Republic of China," the statement read.