FBI: Suspected Chinese actors continue Barracuda ESG attacks

Threat actors allegedly connected to the People's Republic of China continue to exploit a zero-day vulnerability in Barracuda Network's Email Security Gateway appliance that was disclosed in May, according to the FBI.

The remote command injection vulnerability, tracked as CVE-2023-2868, is a critical flaw that affects Barracuda's Email Security Gateway (ESG) appliance versions 5.1.3.001-9.2.0.00. Barracuda discovered the flaw on May 19 and released patches on May 20 and 21, but in June, the vendor announced fixes were insufficient.

In a Flash alert published Wednesday, the FBI echoed Barracuda's warning and urged customers to remove all ESG appliances "immediately" as threat actors suspected to be affiliated with China continue their campaign.

"As part of the FBI investigation into the exploitation of CVE-2023-2868, a zero-day vulnerability in Barracuda's Network Email Security Gateway (ESG) appliances, the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda remain at risk for continue computer network compromise from suspected PRC cyber actors exploiting this vulnerability," the FBI wrote in the alert.

The vulnerability is especially dangerous because it exists in the scanning process and, as such, the alert warned, emails only need to be read by the ESG appliance to trigger the flaw.

During the investigation, the FBI uncovered indicators of compromises (IOCs) and observed threat actors leveraging CVE-2023-2868 to insert malicious payloads onto the ESG appliances. Threat actors have used the flaw to enable persistent access, email scanning, credential harvesting and "aggressively targeted specific data for exfiltration." However, the attackers were adept at hiding their trails using "counter-forensic techniques," which makes detections based on IOCs difficult for enterprises.

"As a result, it is imperative that networks scan various network logs for connections to any of the listed indicators," the alert said.

Because attacks are ongoing, the FBI said it considers all affected ESG Barracuda appliances to be compromised and vulnerable to this exploit. Like Barracuda's June action notice, the FBI concluded that patches released by Barracuda were ineffective and appliances must be replaced.

In addition to isolating and replacing all affected ESG appliances immediately, the FBI also urged enterprises to scan networks for IOCs related to the ongoing activity. The agency also recommended potentially affected customers review email logs, revoke and rotate credentials, revoke and reissue certificates, and review network logs for signs of data exfiltration or lateral movement.

Barracuda told TechTarget Editorial its recommendation that affected customers replace their compromised appliances remains consistent.

"If a customer received the User Interface notification or has been contacted by a Barracuda technical support representative, the customer should contact support to replace the ESG appliance. Barracuda is providing the replacement product to impacted customers at no cost," Barracuda said. "We have notified customers impacted by this incident. If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time."

Barracuda added that "only a subset of ESG appliances were impacted by this incident."

However, the FBI said its investigation revealed attackers exploited the vulnerability in a "significant" number of ESG appliances.

Back in May when CVE-2023-2868 exploitation was initially discovered, Barracuda engaged Mandiant for its investigation. In June, the security vendor attributed ESG attacks to a threat actor supporting the Chinese government tracked as UNC4841.

Additionally, Mandiant provided an attack scope. The security vendor observed the campaign affected public and private sectors worldwide, with almost a third of the victims being government agencies.

A Mandiant spokesperson shared a statement from Kevin Mandia, Mandiant CEO at Google Cloud, in which he said the FBI alert reinforces Mandiant's attribution and provides more in-depth defense recommendations.

"Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868. This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide," Mandia said. "These types of attacks underscore a major shift in tradecraft from China-nexus threat actors, especially as they become more selective in their follow-up espionage operations."

Arielle Waldman is a Boston-based reporter covering enterprise security news.