A China-nexus threat actor called UNC4841 has been exploiting a recently patched zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances since October 2022. "UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," stated Google-owned Mandiant in a new report, characterizing the group as "aggressive and skilled." The vulnerability in question is CVE-2023-2868 (CVSS score: 9.8), a remote code injection issue affecting versions 5.1.3.001 through 9.2.0.006 due to incomplete validation of attachments in incoming emails. Barracuda resolved the problem on May 20 and 21, 2023, but has since advised affected customers to replace their devices "regardless of patch version level."
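The advisory above attributes the flaw to incomplete validation of email attachments. As an added illustration of the defensive control that closes that class of gap, the following Python is not Barracuda's or Mandiant's code and reflects no knowledge of the appliance's internals; it walks a raw email, opens each TAR attachment without extracting anything, and flags archive member names that fall outside a strict allowlist (a hypothetical policy of letters, digits, dot, underscore, hyphen and forward slashes, with parent-directory segments rejected). The sample TAR archives and message are constructed inline.

```python
import email
import io
import re
import tarfile
from email import policy
from email.message import EmailMessage

# Hypothetical allowlist for archive member names: relative paths whose segments
# contain only letters, digits, dot, underscore and hyphen. Anything else
# (control or shell-significant characters, absolute paths) is rejected outright.
SAFE_MEMBER = re.compile(r"^(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+$")


def unsafe_tar_members(tar_bytes):
    """Return member names of an in-memory TAR that fail the allowlist.

    Only the archive index is read; nothing is written to disk, so a hostile
    member name is never handed to the filesystem or to a shell.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            # The regex alone would accept a ".." segment, so check it explicitly.
            if not SAFE_MEMBER.match(name) or ".." in name.split("/"):
                bad.append(name)
    return bad


def scan_message(raw_message):
    """Map attachment filename -> list of rejected TAR member names.

    Attachments that are not readable TAR archives are skipped here; a real
    gateway would route them to its other scanners.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        try:
            bad = unsafe_tar_members(payload)
        except tarfile.TarError:
            continue
        if bad:
            findings[filename] = bad
    return findings


def build_tar(member_names):
    """Constructed sample: an in-memory TAR of empty files with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            info = tarfile.TarInfo(name=name)  # size defaults to 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def build_message(attachments):
    """Constructed sample: a message carrying {filename: tar_bytes} attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("please see attached")
    for filename, data in attachments.items():
        msg.add_attachment(data, maintype="application", subtype="x-tar",
                           filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    clean = build_tar(["docs/readme.txt", "a-b_c.1"])
    odd = build_tar(["invoice|copy.txt", "ok.txt"])
    print(scan_message(build_message({"clean.tar": clean, "odd.tar": odd})))
```

The point of reading only the archive index is that validation happens before any member name reaches a code path that could interpret it; a name the allowlist rejects is reported and the attachment is quarantined rather than processed further.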
Mandiant, an incident response and threat intelligence firm, was appointed to investigate the hack. They found that UNC4841 sent emails to target organizations containing malicious TAR file attachments designed to exploit the vulnerability as early as October 10, 2022. These email messages featured generic lures with poor grammar and, in some cases, placeholder values, a tactic intentionally chosen to make the communications appear as spam. The aim was to execute a reverse shell payload on the targeted ESG devices and deliver three distinct malware strains – SALTWATER, SEASIDE, and SEASPY – to establish persistence and execute arbitrary commands while disguising them as legitimate Barracuda ESG modules or services. The adversary also deployed a kernel rootkit called SANDBAR configured to hide processes with specified names, as well as trojanized versions of two valid Barracuda Lua modules.
Source code overlaps were identified between SEASPY and a publicly available backdoor known as cd00r, and between SANDBAR and an open-source rootkit. This suggests that the threat actor repurposed existing tools to carry out the intrusions. UNC4841 proved persistent, quickly adapting its malware and implementing additional persistence mechanisms as Barracuda initiated containment efforts after discovering the activity on May 19, 2023. In some cases, the threat actor leveraged access to a compromised ESG appliance to perform lateral movement within the victim network or to send mail to other victim appliances. In a subset of cases, data exfiltration involved capturing email-related data.
Mandiant reported that the high-frequency attacks targeted an unspecified number of private and public sector organizations in at least 16 countries, with nearly one-third being government entities. 55% of the impacted organizations were located in the Americas, followed by 24% in the EMEA region and 22% in the Asia-Pacific region. "UNC4841 has shown to be highly responsive to defensive efforts and actively modifies TTPs to maintain their operations," Mandiant said, predicting that the actors will "alter their TTPs and modify their toolkit."