
Attacks on Barracuda Networks linked to China-backed hacking group

Suspected government-backed hackers in China are exploiting a recently discovered vulnerability in an email security product from Barracuda Networks to attack government entities and the private sector, researchers have found.

Google subsidiary Mandiant said on Thursday that during its investigation of attacks exploiting the vulnerability in Barracuda’s Email Security Gateway (ESG) it found evidence tying the campaign to actors based in China.

ESG is an email security tool that manages and filters all inbound and outbound email traffic to protect organizations against email-borne threats and data leaks.

“Mandiant assesses with high confidence that UNC4841 conducted espionage activity in support of the People’s Republic of China. While Mandiant has not attributed this activity to a previously known threat group at this time, we have identified several infrastructure and malware code overlaps that provide us with a high degree of confidence that this is a China-nexus espionage operation,” Mandiant said in a blog post.

“Additionally, the targeting, both at the organizational and individual account levels, focused on issues that are high policy priorities for the PRC, particularly in the Asia Pacific region including Taiwan.”

Concern about the vulnerability, tracked as CVE-2023-2868, reached a fever pitch last week when Barracuda issued an urgent notice informing customers that despite the release of a patch for the vulnerability in May, the hardware “must be immediately replaced regardless of patch version level.”

A spokesperson for the company told Recorded Future News that as of June 10, the vulnerability was exploited in about 5% of active ESG appliances worldwide. The company said it is “providing the replacement product to impacted customers at no cost.”

“Barracuda partnered closely with Mandiant and its government partners to investigate the exploit behavior and malware,” the Barracuda spokesperson said.

The Mandiant advisory said that in at least one case, emails originated from an IP address allocated to the company China Telecom, and that the hackers sent phishing emails with a mail client also used by another China-nexus espionage actor.

Investigations also uncovered attack infrastructure that overlapped with tools used by previously identified China-based espionage actors.

“Mandiant suspects that this indicates a shared infrastructure procurement support entity rather than the same group being behind both clusters of activity. China-nexus cyber espionage operations often share tools and infrastructure, hence this observation strengthens our assessment that UNC4841 is of a China-nexus,” they said.

“Based on the evidence available at the time of analysis, earliest compromises appear to have occurred on a small subset of appliances geo-located to mainland China.”

Saltwater, SeaSpy and Seaside

Mandiant said the attacks using the vulnerability started as early as October 2022, with the hackers sending emails to victim organizations with malicious attachments designed to exploit the bug and gain access through vulnerable Barracuda ESG appliances.

As noted in Barracuda’s advisory, the hackers used three strains of malware in the attacks — Saltwater, SeaSpy and Seaside — which gave them a backdoor into compromised systems and allowed them to take a range of actions against victim networks.

Mandiant researchers said all three were seen in the majority of intrusions they examined.

The hackers “aggressively” targeted specific data for exfiltration, using the ESG appliance as a jumping-off point to move deeper into a victim network.

After the hackers were discovered by Barracuda on May 19 and efforts were made to remediate the issue, they began to deploy additional tools to maintain their access to breached networks.

From May 22 to May 24, the hackers targeted a large number of victims based in 16 countries, in both the public and private sector. Mandiant noted that some of the malicious emails were sent from accounts at organizations that also had been compromised through the Barracuda ESG appliance.

“The targets identified at the account level included well known academics in Taiwan and Hong Kong as well as Asian and European government officials in Southeast Asia,” the researchers said.

“Targeted organizations have spanned public and private sectors worldwide. A majority of exploitation activity appears to impact the Americas; however, that may partially reflect the product’s customer base. Almost a third of identified affected organizations were government agencies, supporting the assessment that the campaign had an espionage motivation.”

Victims that stood out to researchers were the ASEAN Ministry of Foreign Affairs, as well as foreign trade offices and academic research organizations in Taiwan and Hong Kong.

These organizations were selected for “focused data exfiltration” and more, according to Mandiant, which found that email domains and employees from the offices were targeted.

The hackers also specifically searched for email accounts from people “working for a government with political or strategic interest to the PRC at the same time that this victim government was participating in high-level, diplomatic meetings with other countries.”

Along with Barracuda, Mandiant worked with “multiple government and intelligence partners.”

The Cybersecurity and Infrastructure Security Agency warned federal agencies and the public two weeks ago about the vulnerability, which it said was being exploited by hackers to remotely execute system commands.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.