A recently discovered Chinese advanced persistent threat (APT) group has been identified as the culprit behind the compromise of Barracuda Networks’ email security gateways (ESGs). These attackers utilized three different backdoors to exploit security vulnerabilities endemic to edge devices. The campaign conducted by this APT group, known as UNC4841, has been connected to espionage activities in support of the People’s Republic of China.
Barracuda first became aware of the compromise on May 18 when it noticed anomalous traffic coming from some of its ESGs. Working in collaboration with security firm Mandiant, the company discovered a zero-day vulnerability, referred to as CVE-2023-2868, which was subsequently assigned a high severity rating. According to Barracuda, approximately 5% of active ESG devices worldwide have shown signs of compromise.
Mandiant’s report, released on June 15, provides further insight into the UNC4841 campaign. According to the report, one-third of the targets identified were government organizations, while more than half were located in the Americas. However, it was noted that this distribution may partially reflect the customer base of Barracuda’s ESGs. The hackers targeted not only specific organizations but also individual government officials and academics in Southeast Asia.
The sophistication of UNC4841’s operations is evident in their methods. The attack campaign began with phishing emails containing generic messages and poor grammar. These emails carried malicious tape archive (TAR) attachments that exploited the CVE-2023-2868 vulnerability, giving the attackers remote code execution on the appliance. Once they had gained control of the ESG, the hackers deployed three distinct backdoors known as SALTWATER, SEASPY, and SEASIDE. These backdoors were designed to masquerade as legitimate ESG modules and services while providing command-and-control channels back to the attackers.
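The article says the initial access vector was a malicious TAR attachment handled by the gateway. One defensive check a mail pipeline can apply before any downstream archive handling is to list (never extract) the archive and flag member names that carry shell metacharacters or path traversal, and to quarantine archives that do not parse at all. This is an added example, not Barracuda's or Mandiant's code; it assumes the pipeline can hand the raw attachment bytes to a function like `scan_tar_bytes`, and the sample archives are constructed inline.

```python
import io
import re
import tarfile

# Characters a downstream tool would treat as shell syntax if a member name
# were ever interpolated into a command line (assumption about that tooling).
SHELL_META = re.compile(r"[`$;|&<>(){}\n'\"\\]")

def scan_tar_bytes(data: bytes) -> list[str]:
    """Return findings for a TAR attachment; an empty list means clean.

    The archive is only listed, never extracted, so a hostile member cannot
    touch the filesystem while it is being checked.
    """
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar:
                name = member.name
                if SHELL_META.search(name):
                    findings.append(f"shell metacharacters in member name: {name!r}")
                if name.startswith("/") or ".." in name.split("/"):
                    findings.append(f"path traversal in member name: {name!r}")
                if member.issym() or member.islnk():
                    findings.append(f"link entry in archive: {name!r} -> {member.linkname!r}")
    except tarfile.TarError as exc:
        # A malformed archive is suspicious in its own right: quarantine it.
        findings.append(f"unparseable archive: {exc}")
    return findings

def build_tar(names: list[str]) -> bytes:
    """Constructed sample: an in-memory TAR with one small text member per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    clean = build_tar(["report.pdf", "notes/q2.txt"])
    odd = build_tar(["report.pdf", "quarterly$(x).txt", "../../tmp/out.txt"])
    print("clean attachment:", scan_tar_bytes(clean))
    print("odd attachment:", scan_tar_bytes(odd))
    print("garbage attachment:", scan_tar_bytes(b"not a tar archive"))
```

A gateway would act on a non-empty result (quarantine and alert) rather than pass the attachment on; the string findings are deliberately log-friendly.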
Despite efforts to address the backdoors, UNC4841 reacted quickly to any actions taken by Barracuda and Mandiant, indicating a strong desire to maintain access. This persistence explains why the malicious activity continued even after the release of security patches by Barracuda. To completely rid affected ESGs of the attackers, Barracuda offered free replacements to its customers.
The UNC4841 campaign highlights the broader issue of security vulnerabilities in edge appliances. Austin Larsen, a senior incident response consultant at Mandiant, points out that it is not just Barracuda’s ESGs that are at risk. Edge appliances in general lack adequate security measures. Because they sit at the network perimeter and are exposed to the internet, they deserve close scrutiny, yet they do not receive the same level of security attention as more modern products and solutions. In addition, traditional countermeasures such as EDR agents usually cannot run on these appliances, so an attacker who gains a foothold can operate undetected.
Larsen emphasizes the importance of proper network segmentation to mitigate the risks posed by edge appliances. Placing these devices in a separate, unprivileged network segment restricts the lateral movement available to a threat actor who compromises one. Organizations should recognize that edge appliances are a weak point and implement security measures accordingly.
In response to the UNC4841 campaign, Barracuda has taken significant steps to address the compromise of its ESGs. By offering free replacements to affected devices and releasing security patches, Barracuda aims to eliminate the attackers’ persistence and protect its customers from further harm. This incident serves as a reminder of the ongoing threats and vulnerabilities that exist in the cybersecurity landscape, highlighting the need for constant vigilance and proactive defenses.