Rewterz Threat Alert – China-Linked Hackers Behind Barracuda ESG Zero-Day Attacks – Active IOCs

Severity

High

Analysis Summary

According to a report published by researchers, they have linked a threat actor known as UNC4841 to the attacks that exploited a recently patched zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances. The investigation identified UNC4841 as a suspected China-linked actor conducting a wide-ranging campaign targeting a subset of Barracuda ESG appliances for espionage purposes across various regions and sectors. Mandiant assesses with high confidence that UNC4841 is an espionage actor supporting the People’s Republic of China.

The vulnerability, designated as CVE-2023-2868, was discovered in May and promptly patched by Barracuda. It impacted a significant number of organizations worldwide that utilize Barracuda ESG appliances. The company investigated the flaw and found evidence of exploitation, with incidents dating back to at least October 2022. Threat actors exploited the vulnerability to gain unauthorized access and deploy malware on the compromised appliances, allowing for persistent backdoor access.

The malware families observed in the attacks included SALTWATER, a module for the Barracuda SMTP daemon, SEASPY, an x64 ELF persistent backdoor, and SEASIDE, a Lua module for bsmtpd. These families provided capabilities such as executing commands, uploading/downloading files, proxying and tunneling malicious traffic, and establishing reverse shells.

Barracuda urged affected customers to immediately replace their ESG appliances, regardless of the patch version level, emphasizing the importance of full replacement for remediation. The US Cybersecurity and Infrastructure Security Agency (CISA) also added the recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities Catalog.

Mandiant’s investigation revealed that UNC4841 initiated spear-phishing campaigns, targeting victim organizations with weaponized attachments exploiting the CVE-2023-2868 vulnerability. Once an ESG appliance was compromised, UNC4841 stole specific data of interest and, in some cases, utilized the compromised access for lateral movement or to send emails to other victim appliances. The group employed tactics such as using generic email subject and body content to appear as spam and avoid detection.

The report also highlighted the use of a rootkit named SandBar by UNC4841. It functioned as a trojanized network file system kernel module for Linux and employed hooks to hide processes with specific names. The threat actor also utilized trojanized versions of legitimate Barracuda LUA modules, which performed various operations upon receiving specific email-related events.

“Mandiant assesses with high confidence that UNC4841 conducted espionage activity in support of the People’s Republic of China. While Mandiant has not attributed this activity to a previously known threat group at this time, we have identified several infrastructure and malware code overlaps that provide us with a high degree of confidence that this is a China-nexus espionage operation.” they conclude

The analysis indicated that the majority of the attacks targeted the Americas, followed by EMEA and APAC. Approximately one-third of the affected organizations were government agencies, suggesting a potential cyber espionage campaign. They concluded with a high degree of confidence that UNC4841’s activities were conducted in support of the People’s Republic of China, citing infrastructure and malware code overlaps, as well as the focus on high policy priorities for the PRC, particularly in the Asia Pacific region including Taiwan.

Impact

• Unauthorized Access
• Compromised Email Security
• Data Breach

Indicators of Compromise

Domain Name

• bestfindthetruth.com
• fessionalwork.com
• gesturefavour.com
• singamofing.com
• troublendsef.com
• togetheroffway.com

MD5

• 0d67f50a0bf7a3a017784146ac41ada0
• 42722b7d04f58dcb8bd80fe41c7ea09e
• 5392fb400bd671d4b185fb35a9b23fd3
• ac4fb6d0bfc871be6f68bfa647fc0125
• 878cf1de91f3ae543fd290c31adcbda4
• 827d507aa3bde0ef903ca5dec60cdec8

SHA-256

• 8c5c8e7b3f8ab6651b906356535bf45992d6984d8ed8bd600a1a056a00e5afcb
• 949d4b01f31256e5e9c2b04e557dcca0a25fc2f6aa3618936befc7525e1df788
• 4028eadf4c27b4007930606551e3a32b2af23d746d5b866cc1c6587e7fd0d776
• f289b565839794fe4f450ed0c9343b8fb699f97544d9af2a60851abc8b4656e0
• 3ff3250e07ad74fa419e4a8d6564357b22683d152cd8e9f106c8da3751ea9ff3
• 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4

SHA-1

• 290e5cb4d32f97963bdc95ef2cc4b44a4de5666d
• 1903a3553bcb291579206b39e7818c77e2c07054
• 1cca66cb1f4527eaffbcfeb2237922c93b332d64
• dc5841d8ed9ab8a5f3496f2258eafb1e0cedf4d3
• c71d363472d927cf13674e95b79d4d38b3fed754
• 10b621c5e07648bd7a7391e569aa62a510be82f4

Remediation

• Refer to this Barracuda link for patch, upgrade or suggested workaround information.
• Also, to remediate the zero-day vulnerability exploited to breach Barracuda Email Security Gateway (ESG) appliances, the following steps should be taken:
• Block all threat indicators at your respective controls. Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Perform a thorough security assessment of the affected ESG appliances and the surrounding network infrastructure. This assessment should help identify any signs of compromise or unauthorized access. Review logs, access controls, and other relevant indicators to ensure that the vulnerability has not been exploited further or resulted in any additional breaches.
• Assess and review the access controls and permissions configured on the Barracuda ESG appliances. Ensure that only authorized personnel have access to the devices and that proper authentication mechanisms are in place. Consider implementing multi-factor authentication (MFA) to enhance security.
• Deploy network monitoring and intrusion detection systems to actively monitor network traffic for any suspicious activity or signs of compromise. Monitor outgoing traffic for any attempts to exfiltrate data or establish unauthorized connections. This can help identify and respond to any ongoing or future attacks.
• Review and update your email security measures beyond the Barracuda ESG appliances. Implement robust spam filters, antivirus software, and email content filtering to detect and block malicious emails and attachments. Educate employees about email security best practices, such as avoiding opening suspicious emails or clicking on unknown links.
• Continuously monitor official communications from Barracuda regarding the vulnerability and any further recommendations or updates. Stay informed about the latest cybersecurity best practices and ensure that your organization follows them to maintain a strong security posture.
• Develop an incident response plan that outlines the steps to be taken in case of a security incident. This plan should include procedures for containing the breach, investigating the impact, notifying affected parties, and recovering affected systems.
• Researchers advises all impacted organizations to conduct thorough investigations and perform hunting activities within their networks:
• Review email logs to trace and determine the initial point of exposure.
• Revoke and rotate all domain-based and local credentials that were present on the compromised ESG appliances at the time of the breach.
• Revoke and reissue all certificates that were stored on the compromised ESG appliances at the time of the breach.
• Monitor the entire environment for any suspicious use of the credentials that were present on the compromised ESG appliances.
• Monitor the entire environment for any suspicious use of the certificates that were stored on the compromised ESG appliances.
• Review network logs to identify any signs of data exfiltration or lateral movement.