Pro-China Hacker Group exploits Barracuda ESG Zero-Day Vulnerability

Pro-China Hacker Group UNC4841 behind targeted data-theft attacks

Barracuda's clients will need to replace affected devices

UNC4841, a suspected pro-China hacker group, has been linked to a series of data-theft attacks against Barracuda Email Security Gateway (ESG)^[1] appliances. The attacks took advantage of a zero-day vulnerability, CVE-2023-2868,^[2] which allowed threat actors to execute remote commands on vulnerable devices.

The attacks began around October 2022, according to cybersecurity firm Mandiant, with threat actors dropping previously unknown malware onto compromised appliances and stealing sensitive data. Barracuda discovered the flaw on May 19th and quickly released a security update to address it. The Cybersecurity and Infrastructure Security Agency (CISA)^[3] also issued an alert urging federal agencies in the United States to implement the necessary updates.

Barracuda's response to the breach drew criticism because it chose to replace affected devices rather than reimage them with new firmware. This decision was motivated by the company's inability to guarantee complete removal of the sophisticated malware used by UNC4841. John Palmisano, incident response manager at Mandiant, clarified that Barracuda's cautious approach was intended to ensure the integrity of all devices when the recovery partition was compromised.

UNC4841 Revealed as Pro-China Hacking Group Conducting Espionage Attacks

Mandiant has now revealed that the group responsible for exploiting the Barracuda ESG vulnerability, UNC4841, is a hacking group with a history of carrying out cyber espionage attacks in support of the People's Republic of China. UNC4841 has been observed using a variety of methods to compromise ESG devices, most notably malicious '.tar' file attachments disguised as '.jpg' or '.dat' files.

When the Barracuda Email Security Gateway attempted to scan the attachment, the exploit exploited the CVE-2023-2868 vulnerability, allowing threat actors to remotely execute system commands. According to Mandiant's report, the flaw was caused by unsanitized and unfiltered user-controlled input, which allowed malicious commands to be injected into the system.

After gaining remote access, UNC4841 used malware families called 'Saltwater,' 'Seaspy,' and 'Seaside' to steal email data from compromised devices. The group specifically targeted and exfiltrated specific data, and the compromised ESG appliances were occasionally used to navigate the victims' networks or send emails to other targeted appliances.

UNC4841 adapted its malware and used diverse persistence mechanisms to evade detection based on indicators of compromise (IoC) in response to Barracuda's efforts to address the breach.

UNC4841 Conducts Targeted Attacks on Government Agencies and Organizations

Between May 22nd and May 24th, 2023, UNC4841 launched an attack on vulnerable devices of government agencies and important organizations in at least 16 countries. The threat actors kept exploiting the Barracuda ESG vulnerability by sending emails with TAR file attachments that ran a reverse shell payload on the compromised devices.

The payload launched a new session, named pipe, and interactive shell, allowing the hackers to connect to specific IP addresses and ports. UNC4841 used wget commands to download additional payloads from their command-and-control (C2) servers, such as the 'Saltwater,' 'Seaspy,' and 'Seaside' malware.

'Saltwater' was a backdoor Barracuda SMTP daemon module that allowed threat actors to perform file uploads, downloads, arbitrary command execution, and proxying. 'Seaside' scanned SMTP HELO/EHLO commands for encoded instructions sent from the C2 server, decoding them and passing them to “Whirlpool,” a TLS reverse shell tool. The third backdoor, dubbed 'Seaspy,' operated as a passive tool, masquerading as a PCAP filter on specific ports and activating upon the arrival of a “magic packet.”

UNC4841 used a variety of persistence mechanisms, including editing the '/etc/init.d/rc' file and masking its activities with 'Sandbar,' which masked the activities of 'Seaspy' by hiding Linux server processes.

The hacking group moved quickly lateral, scanning compromised appliances for specific email messages using targeted search terms related to organizations, individuals, or hot topics. Shell scripts targeting email domains and users from the ASEAN Ministry of Foreign Affairs, foreign trade offices, and academic research organizations in Taiwan and Hong Kong were discovered by Mandiant.

As UNC4841 refines its tactics to avoid detection, increased vigilance is strongly advised. Mandiant advises replacing compromised Barracuda ESG appliances regardless of patch level and conducting thorough investigations using the indicators of compromise provided.