Recent research by Mandiant has revealed that a threat actor connected to China deployed backdoors to hinder remediation efforts during a campaign against vulnerable Barracuda Networks Email Security Gateway (ESG) appliances. The campaign began last year; in May, Barracuda Networks disclosed a zero-day vulnerability, CVE-2023-2868, in its ESG appliance. The vulnerability had been exploited in attacks against customers starting in October 2022.
After investigating the incidents, Mandiant, along with CISA and the FBI, attributed the ongoing campaign to a threat actor supporting the Chinese government. They also determined that the patches released in May were insufficient, and as a result, all affected ESG devices were to be replaced immediately.
However, the threat actor, tracked by Mandiant as UNC4841, anticipated the replacement advisory and other remediation efforts. Mandiant researchers identified backdoors the attackers used to maintain persistence inside targeted organizations. These backdoors, named Skipjack, Depthcharge, and Foxtrot/Foxglove, were deployed as a contingency in case the campaign was exposed. They were part of a “second, previously undisclosed wave” of attacks that began in early June.
The backdoors were discovered during the campaign’s second surge, which Mandiant identified as the period of highest activity observed throughout the entire campaign. UNC4841 deployed new and novel malware designed to maintain presence on a small subset of high-priority targets, either before the patch was released or shortly after Barracuda’s remediation guidance. These targets were primarily government entities, consistent with the cyberespionage attribution.
Mandiant noted that Skipjack was the most widely deployed backdoor and contained the most variants. It primarily targeted government and technology organizations and was observed on approximately 5.8% of all compromised ESG appliances. Depthcharge, also tracked as Submarine by CISA, was observed on around 2.64% of compromised appliances. It targeted U.S. and foreign government entities as well as the technology sector. Foxtrot/Foxglove, the third malware family, was used only against government or government-related organizations prioritized by the threat actor.
In addition to the backdoors, Mandiant’s analysis of UNC4841’s tactics, techniques, and procedures (TTPs) revealed the group’s reconnaissance and lateral movement following Barracuda’s disclosure of the vulnerability. The attackers moved laterally to target “mstore,” a temporary storage location on ESG devices, to harvest credentials. Some of these credentials were connected to Outlook Web Access (OWA), which was also targeted by a Chinese-nexus actor in separate attacks against Microsoft customers, including U.S. government agencies.
Mandiant identified cleartext credentials contained within messages stored on the ESG that UNC4841 subsequently used to successfully access OWA. This tactic was used to maintain persistence on compromised victims’ mailboxes for information-gathering purposes.
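The credential harvesting described above worked because passwords were sitting in cleartext inside messages stored on the appliance. A defender can audit a mail store for that exposure before an intruder does. The script below is an added example, not Mandiant’s tooling or anything from the report: it parses a handful of constructed RFC 822 messages, searches the text/plain bodies for phrases that commonly precede a cleartext password (the regular expression is an assumption for illustration, not a signature from the research), and reports each hit with the password redacted so the audit output does not re-expose it.

```python
"""Audit stored e-mail for cleartext credentials (added illustrative example)."""
import re
from email import message_from_string
from email.message import Message

# Phrases that commonly introduce a password in help-desk or onboarding mail.
# This pattern is an assumption for illustration, not an indicator from Mandiant.
CREDENTIAL_PATTERN = re.compile(
    r"\b(?:(?:temporary|temp|new|initial)\s+)?(?:password|passwd|pwd)\s*(?:is|:|=)\s*(\S+)",
    re.IGNORECASE,
)

# Constructed sample messages; addresses and IDs are placeholders.
MSG_HELPDESK = """\
From: helpdesk@example.test
To: asmith@example.test
Message-ID: <1@example.test>
Subject: Your new account
Content-Type: text/plain; charset=utf-8

Hello,
Your temporary password is Welcome123 and must be changed at first login.
"""

MSG_NEWSLETTER = """\
From: news@example.test
To: all@example.test
Message-ID: <2@example.test>
Subject: Quarterly update
Content-Type: text/plain; charset=utf-8

Thanks for reading the quarterly update. No action is required.
"""

MSG_OWA = """\
From: it-admin@example.test
To: jdoe@example.test
Message-ID: <3@example.test>
Subject: OWA access
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Username: jdoe
Password: Spring2023

--B1
Content-Type: text/html; charset="utf-8"

<p>Username: jdoe<br>Password: Spring2023</p>

--B1--
"""

SAMPLE_MESSAGES = [MSG_HELPDESK, MSG_NEWSLETTER, MSG_OWA]


def _body_text(msg: Message) -> str:
    """Collect the text/plain content of a message (single part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _redact(secret: str) -> str:
    """Keep only the length so the audit report never repeats the credential."""
    return "*" * len(secret)


def find_cleartext_credentials(raw_messages):
    """Return one finding per credential-looking phrase in the plain-text bodies."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        for match in CREDENTIAL_PATTERN.finditer(_body_text(msg)):
            secret = match.group(1).rstrip(".,;!")  # drop sentence punctuation
            findings.append({
                "message_id": msg.get("Message-ID", "<missing>"),
                "from": msg.get("From", ""),
                "to": msg.get("To", ""),
                "redacted": _redact(secret),
            })
    return findings


def affected_mailboxes(findings):
    """Recipients whose mail contains a cleartext credential, for follow-up resets."""
    return sorted({f["to"] for f in findings})


if __name__ == "__main__":
    hits = find_cleartext_credentials(SAMPLE_MESSAGES)
    for hit in hits:
        print(f"{hit['message_id']} {hit['from']} -> {hit['to']}: {hit['redacted']}")
    print("mailboxes to review:", affected_mailboxes(hits))
```

Only text/plain parts are scanned, so the HTML alternative in the third message does not produce a duplicate finding. In practice the output feeds a password-reset list for the affected mailboxes; on an appliance that has been compromised, rotating every credential that transited the device is the safer assumption regardless of what the scan finds.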
Despite the deployment of backdoors to maintain persistence, there is some good news. Since Barracuda released the patch on May 20, Mandiant has not identified evidence of successful exploitation of the vulnerability resulting in any newly compromised appliances. Additionally, only about 5% of ESG appliances worldwide have been compromised.
The research conducted by Mandiant highlights the sophistication and adaptability of UNC4841. The threat actor was able to anticipate and prepare for remediation efforts, using new and novel malware to maintain presence on high-value targets. Government entities were the primary focus of the campaign, consistent with the cyberespionage attribution. Mandiant assessed that a limited number of previously impacted victims remain at risk from this ongoing campaign.
Overall, the research sheds light on the tactics and capabilities of this threat actor and emphasizes the importance of timely patching and effective remediation efforts to mitigate such attacks.