2023-08-25

The Federal Bureau of Investigation in the U.S. has issued a warning that certain services offered by IT security provider Barracuda Networks Inc. remain at risk of computer network compromise by suspected cybercriminals from the People's Republic of China, despite patches pushed out by Barracuda earlier this year.

According to the alert, a threat actor had exploited a zero-day vulnerability (CVE-2023-2868) on Barracuda Email Security Gateways. The FBI alert advises that all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise.

In May, Barracuda had announced that the CVE-2023-2868 vulnerability in its ESG appliances had been exploited, and it had engaged cybersecurity company Mandiant to help in the investigation. Post-investigation, Mandiant had said it had “identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilise as a vector for espionage, spanning a multitude of regions and sectors”. It also said that “UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China”.

What Is CVE-2023-2868?

CVE-2023-2868 is a remote command injection vulnerability: unfiltered user-controlled input reaches a system command, allowing unauthorised execution of commands with administrator privileges on the Barracuda ESG appliance. To reach the vulnerability, threat actors craft attachments as TAR files and send them to email addresses at domains protected by ESG appliances.

When the malicious attachment is scanned, system commands are executed with administrator rights. Because the flaw sits in the scanning process itself, an email only needs to be received by the ESG appliance for the vulnerability to be triggered; no user interaction is required.
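As an added illustration that is not part of the article and not Barracuda's code, assuming the unsanitised input is the name of an entry inside the TAR attachment: a defensive inspector that only parses the archive (never extracts or executes anything) and flags entry names containing shell metacharacters, plus the argv-list pattern that keeps such names out of a shell altogether.

```python
import io
import re
import tarfile

# Characters with special meaning to a POSIX shell. An archive entry name
# containing any of them is suspicious because the CVE-2023-2868 class of bug
# is an unsanitised name being interpolated into a system command.
SHELL_META = re.compile(r"[`$|;&<>(){}\n\\'\"]")


def suspicious_tar_entries(data: bytes) -> list[str]:
    """Return member names in a TAR payload that contain shell metacharacters.

    The archive is parsed with tarfile only; nothing is written to disk.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if SHELL_META.search(member.name):
                flagged.append(member.name)
    return flagged


def safe_scan_argv(scanner: str, member_name: str) -> list[str]:
    """Build an argv list for an external scanner (hypothetical tool name).

    Passing the name as a separate argv element, after "--", means no shell
    ever parses it, so metacharacters in the name carry no special meaning.
    """
    return [scanner, "--", member_name]


def build_sample_tar(names: list[str]) -> bytes:
    """Constructed test input: an in-memory TAR whose members have the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one benign name and two names a shell would interpret.
    sample = build_sample_tar(["invoice.pdf", "quarterly;report.doc", "$(name).txt"])
    print(suspicious_tar_entries(sample))
```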

The suspected cyber threat actor, UNC4841, used the CVE-2023-2868 vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting and data exfiltration, the FBI said in its warning.

Sophisticated Attack Patterns

Mandiant and Barracuda also noticed that UNC4841 was aggressively targeting particular data of interest for exfiltration and, in some instances, used its ESG appliance access to move laterally into the victim's network or to send mail to additional victim appliances. Mandiant also observed UNC4841 deploying additional tooling in order to monitor ESG appliances.

“UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868. This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide,” said Kevin Mandia, Mandiant CEO, Google Cloud.

In May, Barracuda had released containment and remediation updates to remove UNC4841 from affected ESG appliances. However, UNC4841 swiftly modified its malware and adopted additional persistence techniques to maintain access.

UNC4841 also retaliated with high-frequency operations directed at numerous victims spread across at least 16 different nations. Mandiant determined that these operations had affected organisations in both the public and private sectors globally, with about a third being government entities.

“These types of attacks underscore a major shift in tradecraft from China-nexus threat actors, especially as they become more selective in their follow-on espionage operations,” Mandia said.

Recommended Mitigations

According to Mandiant, affected Barracuda customers must continue to look for this threat actor and investigate impacted networks. “We anticipate UNC4841 will continue to change their TTPs and tweak their toolkit,” the company said.

Mandiant recommended an immediate replacement of compromised ESG appliances, as the patches released by Barracuda in response to the vulnerability were ineffective. Furthermore, it suggested that all impacted organisations should carry out an investigation within their networks, using—but not limited to—the following steps: