CyberSecurity SEE

FBI Reports Ongoing Barracuda ESG Attacks by Suspected Chinese Actors

Threat actors believed to be connected to the People’s Republic of China are persistently exploiting a zero-day vulnerability in Barracuda Networks’ Email Security Gateway (ESG) appliance, according to the FBI. The vulnerability, tracked as CVE-2023-2868, is a critical flaw affecting ESG appliance versions 5.1.3.001 through 9.2.0.00. Barracuda discovered the flaw in May and released patches shortly afterward, but later determined that the fixes were insufficient.

In a Flash alert published on Wednesday, the FBI echoed Barracuda’s warning and urged customers to remove all ESG appliances immediately due to ongoing exploitation by threat actors suspected to be associated with China. The FBI stated that even ESG appliances with patches pushed out by Barracuda remain at risk for continued network compromise.

The remote command injection vulnerability is particularly dangerous because it lies in the appliance’s email scanning process. As a result, the flaw can be triggered simply by the ESG appliance scanning an inbound email. During its investigation, the FBI identified indicators of compromise (IOCs) and observed threat actors leveraging CVE-2023-2868 to plant malicious payloads on ESG appliances. The attackers used the vulnerability to gain persistent access, scan email, harvest credentials, and selectively exfiltrate specific data.

These threat actors were skilled at using counter-forensic techniques to hide their activity, making it difficult for enterprises to detect and respond to the attacks on the basis of IOCs alone. The FBI nevertheless advised organizations to scan their network logs for connections to the listed indicators to improve their chances of detection.

Given that attacks are ongoing, the FBI considers all affected ESG Barracuda appliances to be compromised and vulnerable to this exploit. Similar to Barracuda’s previous action notice, the FBI concluded that the patches released by Barracuda were ineffective, and affected appliances should be promptly replaced.

In addition to replacing affected ESG appliances, the FBI also recommended that enterprises scan their networks for IOCs associated with the ongoing activity. The agency advised potentially impacted customers to review email logs, revoke and rotate credentials, revoke and reissue certificates, and review network logs for signs of data exfiltration or lateral movement.
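The two log-review steps above (checking network logs for connections to the listed indicators, and looking for signs of exfiltration from the appliances themselves) can be turned into a small triage script. The following is an added example, not code from the FBI alert or from Barracuda; the IOC values, the appliance address, the expected-destination list and the log lines are all constructed placeholders and must be replaced with the indicators from the FBI Flash and your own inventory.

```python
import re
from collections import Counter

# Constructed placeholder indicators (documentation ranges / reserved names).
# The real IOCs are in the FBI Flash alert; these are NOT them.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
IOC_DOMAINS = {"placeholder-c2.example", "update.placeholder.example"}

# Assumed inventory: addresses of this organization's ESG appliances.
ESG_APPLIANCES = {"10.20.30.40"}
# Assumed allowlist: destinations an ESG appliance is expected to contact
# (upstream MX hosts, the internal mail server, vendor update servers, ...).
EXPECTED_ESG_DESTINATIONS = {"10.20.30.1", "mail.example.org"}

# Assumed firewall/proxy log format: "<ts> src=<host> dst=<host> dport=<n> action=<verdict>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$")

def scan_logs(lines):
    """Return (timestamp, src, dst, reason) tuples for lines worth a closer look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real tool would count these
        src, dst = m["src"], m["dst"]
        if dst in IOC_IPS or dst in IOC_DOMAINS:
            # Any host reaching a listed indicator, not only the appliance.
            findings.append((m["ts"], src, dst, "destination matches IOC list"))
        elif src in ESG_APPLIANCES and dst not in EXPECTED_ESG_DESTINATIONS:
            # FBI treats every affected appliance as compromised, so any
            # unexpected outbound connection from one is a candidate for exfiltration.
            findings.append((m["ts"], src, dst, "ESG appliance reached unexpected destination"))
    return findings

def hosts_by_finding_count(findings):
    """Summarise which source hosts generated findings, most frequent first."""
    return Counter(src for _, src, _, _ in findings).most_common()

# Constructed sample log lines for the demonstration.
SAMPLE_LOGS = [
    "2023-08-23T10:00:01Z src=10.20.30.40 dst=mail.example.org dport=25 action=allow",
    "2023-08-23T10:00:07Z src=10.20.30.40 dst=203.0.113.10 dport=443 action=allow",
    "2023-08-23T10:01:15Z src=10.20.30.40 dst=192.0.2.55 dport=443 action=allow",
    "2023-08-23T10:02:00Z src=10.0.0.15 dst=placeholder-c2.example dport=80 action=allow",
    "2023-08-23T10:02:30Z src=10.0.0.15 dst=www.example.com dport=443 action=allow",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(*finding)
```

On the sample data the script flags the appliance's connection to a listed IP, its connection to an unlisted address, and a workstation reaching a listed domain, while the expected mail traffic and ordinary web traffic produce nothing.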

Barracuda confirmed that customers who received an interface notification or were contacted by their technical support representatives should contact support to replace the ESG appliance. The company is providing replacement products to impacted customers at no cost. Barracuda stated that only a subset of ESG appliances were affected.

However, the FBI’s investigation revealed that the vulnerability was exploited in a significant number of ESG appliances. When the exploitation of CVE-2023-2868 was initially discovered in May, Barracuda engaged Mandiant for an investigation. In June, the security vendor attributed the ESG attacks to a threat actor supporting the Chinese government known as UNC4841.

Mandiant, which assessed the scope of the attacks, observed that the campaign affected both public and private sectors globally, with government agencies making up almost a third of the victims. Mandiant CEO Kevin Mandia stated that the FBI’s alert reinforces the company’s attribution and provides more detailed defensive recommendations. He noted that the threat actor has continued to deploy new and novel malware against high-priority targets after CVE-2023-2868 was remediated, demonstrating its sophistication and adaptability in conducting global espionage operations.

The ongoing exploitation of the zero-day vulnerability in Barracuda’s ESG appliances highlights the evolving tradecraft of China-affiliated threat actors. These attacks underscore a shift in their tactics, particularly as they become more selective in their espionage operations across various sectors.

In conclusion, organizations are advised to take immediate action by removing and replacing the affected ESG appliances, scanning their networks for IOCs, and implementing additional security measures to mitigate the risks posed by this zero-day vulnerability.
