According to a recent blog post by Mandiant, the exploitation of a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances has been attributed to Chinese nation-state actors known as UNC4841. Mandiant’s ongoing investigation into the exploitation, which was disclosed last month, has revealed that the threat actors were most active between May 22 and May 24 and targeted victims in at least 16 different countries, including government agencies.
The investigation, based on infrastructure and malware code overlaps, has identified that the campaign has impacted organizations across both the public and private sectors worldwide. Mandiant stated that nearly a third of the impacted organizations are government agencies. This suggests that the Chinese nation-state actors behind the cyberespionage attacks are targeting a wide range of industries and entities.
The report also shed light on why the patches released by Barracuda last month were insufficient to address the vulnerability. Mandiant explained that the threat actor, UNC4841, swiftly modified its custom malware, known as SEASPY and SALTWATER, to evade the patches. These malware families, together with a third family called SEASIDE, masqueraded as legitimate Barracuda ESG modules or services. As a result, the threat actors were able to maintain access to compromised appliances despite the vendor’s remediation efforts.
Austin Larsen, a senior incident response consultant at Mandiant, highlighted the sophistication and aggressiveness of UNC4841 as a key factor in their ability to retain access to compromised appliances. Larsen explained that UNC4841 displayed an interest in and commitment to maintaining persistent access, which prompted Barracuda to replace compromised appliances rather than reimage them. The lack of full visibility into all compromised appliances also contributed to this decision.
Mandiant’s investigation further uncovered the techniques the threat actors used to maintain persistence and evade patching efforts. One method involved executing the SEASPY malware by inserting a command into the update_version Perl script run by the appliance; the ability to modify that script was gained through successful exploitation of the zero-day vulnerability. In addition, UNC4841 established reverse shells that used domain names rather than IP addresses and deployed a kernel rootkit called “SANDBAR” during device startup.
TechTarget Editorial reached out to Barracuda for additional insights into the ineffectiveness of the patches and firmware updates. The vendor’s statement indicated that they had partnered closely with Mandiant and government partners to investigate the exploit behavior and malware. They confirmed Mandiant’s assessment that UNC4841 is a China-nexus actor working in support of the People’s Republic of China.
Mandiant provided a detailed timeline of the attacks, revealing that UNC4841 began a phishing campaign against victim organizations as early as October. The phishing emails were intentionally designed to look like generic spam, so that they would be flagged by spam filters or dissuade security analysts from investigating further. Mandiant noted that this tactic had previously been used by advanced groups exploiting zero-day vulnerabilities, which points to the sophistication of the threat actor.
After the initial compromise, the threat actors aggressively targeted data for exfiltration and deployed additional tools, such as the SEASPY, SEASIDE, and SALTWATER malware families, to maintain persistence. The first signs of lateral movement inside organizations were observed in May, followed by Barracuda’s identification of malicious activity on ESG appliances. The zero-day vulnerability was assigned a CVE ID and patched, but the threat actor adjusted its tactics in response, necessitating the replacement of compromised appliances.
Barracuda issued advisories and guidance for affected ESG appliances, with the most recent update urging immediate replacement of compromised devices. The vendor committed to providing replacement products to impacted customers at no cost. Despite the exploitation occurring months before discovery, only 5% of active ESG appliances worldwide have been affected, according to Barracuda.
Mandiant commended Barracuda for its response to the ongoing situation and urged all affected organizations to replace compromised appliances, review email logs, and revoke affected credentials. The collaboration between Mandiant, Barracuda, and government partners highlights the importance of cooperation and swift action in addressing cyberespionage campaigns conducted by nation-state actors.
In conclusion, Mandiant’s investigation into the exploitation of the zero-day vulnerability in Barracuda’s ESG appliances has attributed the attacks to Chinese nation-state actors. The threat actors, known as UNC4841, have demonstrated sophistication and persistence in their cyberespionage campaign, targeting organizations worldwide, including government agencies. Barracuda’s initial patches were ineffective due to the rapid modifications made by the threat actors to their custom malware. To mitigate the risk, Barracuda has advised customers to replace compromised appliances, and Mandiant has provided guidelines for affected organizations. The ongoing collaboration between Mandiant, Barracuda, and government partners underscores the need for collective efforts to counter cyber threats posed by nation-state actors.