Chinese cyber spies are suspected of exploiting a software vulnerability in Barracuda Networks' Email Security Gateway (ESG) to break into hundreds of organizations worldwide, including governments and foreign ministries, a new report from cybersecurity provider Mandiant said.
In a blog post issued late last week, Mandiant said it had been retained by Barracuda to help investigate a zero-day vulnerability in its ESG appliances that had been exploited in the wild since October 2022. Mandiant identified a “suspected China-nexus” actor, tracked as UNC4841, and assessed with “high confidence” that the operatives are engaged in espionage activity in a China-backed campaign.
In explaining the break-in, Mandiant said:
“Starting as early as October 10, 2022, UNC4841 sent emails to victim organizations that contained malicious file attachments designed to exploit CVE-2023-2868 to gain initial access to vulnerable Barracuda ESG appliances.”
Attack Similar to Microsoft Exchange Compromise of 2021
Charles Carmakal, Mandiant’s chief technology officer, in an email to various media outlets, compared the ESG attack to the Microsoft Exchange compromise of 2021. He called it the “broadest cyber espionage campaign conducted by a China-nexus threat actor” since the Microsoft hack, which compromised tens of thousands of Exchange servers worldwide.
While Mandiant has not directly attributed this activity to a previously known threat group at this time, “we have identified several infrastructure and malware code overlaps that provide us with a high degree of confidence” that this is a China-nexus espionage operation, Mandiant said.
On May 19, 2023, UNC4841’s actions were first discovered by the Barracuda team and on May 21, 2023, Barracuda issued patches to eradicate UNC4841 from the affected devices. UNC4841 quickly “altered their malware and employed additional persistence mechanisms” in an attempt to maintain their access, Mandiant said.
Evidence of data staging and exfiltration of email related data by UNC4841 was observed in a subset of impacted ESG appliances, Mandiant said.
Barracuda Confirms Hack
On June 6, Barracuda reiterated that some of its devices had been hacked. Of the organizations hit in the operation, 55% were in the Americas, 22% in Asia Pacific and 24% in Europe, the Middle East and Africa. Among the victims were foreign ministries in Southeast Asia and foreign trade offices and academic organizations in Taiwan and Hong Kong, Mandiant said.
Roughly two-thirds of the organizations hit worldwide were non-governmental organizations. The government entities hit supported the conclusion that the operation had an “espionage motivation,” Mandiant said.
Mandiant Issues Recommendations
Mandiant recommended that ESG users, “in alignment with Barracuda’s guidance released on May 31, 2023,” immediately replace compromised ESG appliances, regardless of patch level.
In addition, Mandiant recommended that impacted organizations conduct “investigation and hunting” activities within their networks, including the following:
- Sweep the impacted environment for all IOCs provided by both Mandiant and Barracuda.
- Review email logs to identify the initial point of exposure.
- Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise.
- Revoke and reissue all certificates that were on the ESG at the time of compromise.
- Monitor the entire environment for the use of credentials that were on the ESG at time of compromise.
- Review network logs for signs of data exfiltration and lateral movement.
- Capture a forensic image of the appliance and conduct a forensic analysis.
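The first two hunting steps above, sweeping mail logs for indicators and using the earliest hit to date the initial point of exposure, can be scripted. The block below is an added example written for this page; it is not code from Mandiant or Barracuda. The IOC values, the log lines and the key=value log layout are all constructed for illustration (real indicators come from the Mandiant and Barracuda IOC lists, and a real ESG log would need its own parser).

```python
"""Sweep mail-gateway logs for indicators and report the earliest hit.

Added example, not from Mandiant or Barracuda. IOCs, log lines and the
key=value layout are constructed; substitute the published IOC lists and
a parser for the appliance's real log format.
"""
import re
from datetime import datetime, timezone

# Constructed (hypothetical) indicators keyed by the log field they apply to.
IOCS = {
    "from": {"attacker@example.invalid"},   # sender address
    "src": {"203.0.113.7"},                 # connecting IP (TEST-NET-3)
    "attach_sha256": {"a" * 64},            # attachment hash
}

# Constructed log lines in an assumed key=value layout (not Barracuda's real format).
SAMPLE_LOG = """\
2022-10-09T08:00:00Z src=198.51.100.5 from=ceo@partner.example to=cfo@victim.example attach_sha256={b}
2022-10-10T14:22:11Z src=203.0.113.7 from=attacker@example.invalid to=hr@victim.example attach_sha256={a}
2022-10-12T09:05:43Z src=203.0.113.7 from=other@example.invalid to=it@victim.example attach_sha256={c}
2022-10-15T11:30:00Z src=192.0.2.44 from=newsletter@example.org to=all@victim.example attach_sha256={d}
""".format(a="a" * 64, b="b" * 64, c="c" * 64, d="d" * 64)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a UTC timestamp plus a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def sweep(log_text, iocs):
    """Return every record matching any IOC, tagged with the (field, value) pairs that hit.

    Results are sorted by timestamp so the first element is the earliest match.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        matched = [(k, rec[k]) for k, vals in iocs.items() if rec.get(k) in vals]
        if matched:
            hits.append({"ts": rec["ts"], "to": rec.get("to"), "matched": matched, "raw": raw})
    return sorted(hits, key=lambda h: h["ts"])


def initial_exposure(hits):
    """Earliest matching record: the best log-based estimate of initial exposure, or None."""
    return hits[0] if hits else None


if __name__ == "__main__":
    hits = sweep(SAMPLE_LOG, IOCS)
    first = initial_exposure(hits)
    print(f"{len(hits)} IOC hit(s); earliest {first['ts'].isoformat()} delivered to {first['to']}")
    for h in hits:
        print(h["ts"].isoformat(), h["matched"])
```

Matching on exact field values keeps false positives low but misses anything the actor changed after the IOC list was published, which is why the earliest hit is only a lower bound for the exposure window: the later recommendations (credential rotation, network log review, forensic imaging) exist to cover what indicator matching alone cannot.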