Researchers at Mandiant have linked a threat actor tracked as UNC4841 to the attacks that exploited a recently patched zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances. The investigation identified UNC4841 as a suspected China-nexus actor running a wide-ranging espionage campaign against a subset of Barracuda ESG appliances across multiple regions and sectors; Mandiant assesses with high confidence that the group operates in support of the People’s Republic of China.
The vulnerability, tracked as CVE-2023-2868, was identified in May 2023 and promptly patched by Barracuda. Barracuda’s investigation found evidence that it had been exploited since at least October 2022, months before the patch, on appliances operated by organizations worldwide. The attackers used it to gain unauthorized access and deploy malware on the compromised appliances, giving them persistent backdoor access.
The malware families observed in the attacks were SALTWATER, a trojanized module for the Barracuda SMTP daemon (bsmtpd); SEASPY, an x64 ELF persistence backdoor that poses as a legitimate Barracuda service and is activated by a magic packet; and SEASIDE, a Lua module for bsmtpd that receives command-and-control instructions through SMTP HELO/EHLO commands. Together these gave the actor command execution, file upload and download, proxying and tunneling of malicious traffic, and reverse shells.
Barracuda urged affected customers to replace compromised ESG appliances immediately, regardless of patch level, stating that patching alone was not sufficient and that full replacement was required for remediation. The US Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2023-2868 to its Known Exploited Vulnerabilities catalog.
Mandiant’s investigation found that UNC4841 sent spear-phishing emails to target organizations with weaponized attachments that exploited CVE-2023-2868 on the receiving ESG appliance. Once an appliance was compromised, the group searched for and exfiltrated specific email data of interest and, in some cases, used the access to move laterally into the victim network or to send mail from the appliance to other target appliances. The phishing messages used generic subject and body content so that they would be dismissed as spam rather than investigated.
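An added example, not tooling from Mandiant’s report or from Barracuda: Barracuda’s advisory describes CVE-2023-2868 as incomplete validation of file names inside .tar attachments, which allowed remote command injection on the appliance. The scanner below, written for this page, flags tar member names that contain shell metacharacters, a cheap check to run over quarantined attachments or captured mail. The archive it scans is constructed inside the block; the function names and the metacharacter set are ours.

```python
import io
import re
import tarfile

# Characters a shell would interpret if a member name reached a command line
# unquoted: command substitution, command separators, pipes and redirection.
# (Our choice of set for this example; tune it to your environment.)
SHELL_META = re.compile(r"[`$;|&<>\n\r]")


def flagged_member_names(tar_bytes):
    """Return member names in a tar archive that contain shell metacharacters.

    Returns an empty list if the bytes are not a readable tar archive, so the
    caller can run this over every attachment without pre-filtering by type.
    """
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
            return [m.name for m in tf.getmembers() if SHELL_META.search(m.name)]
    except tarfile.ReadError:
        return []


def build_sample_tar(names):
    """Build an in-memory tar with one small file per name.

    This is constructed test data for the example, not a real capture.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: one benign name and two that a shell would misparse.
SAMPLE_TAR = build_sample_tar(["invoice.pdf", "report`id`.txt", "notes;whoami.doc"])


if __name__ == "__main__":
    for name in flagged_member_names(SAMPLE_TAR):
        print("suspicious member name:", repr(name))
```

This is a detection heuristic for the indicator, not a reproduction of the appliance’s own attachment parser, and it will flag some unusual but legitimate names; the point is that a member name containing backticks, `$`, `;` or `|` in inbound mail deserves a look.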
The report also describes SANDBAR, a rootkit delivered as a trojanized Linux network file system kernel module, which hooks kernel functions to hide processes whose names begin with a specific string. The actor also deployed trojanized versions of legitimate Barracuda Lua modules that run attacker-controlled code when particular email events are processed.
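Added example, not Mandiant’s or Barracuda’s tooling: a cross-view check of the kind used to find processes a rootkit such as SANDBAR hides. It compares the /proc directory listing, which a hooked directory read can filter, against kill(pid, 0) probes, which reach the process table by a different path, and does the same for kernel modules by comparing /proc/modules (what lsmod shows) against /sys/module. The hidden_pids and hidden_modules functions are pure so they can be checked on constructed views; the __main__ section runs the live scan on Linux. The function names and the sample /proc/modules text are ours.

```python
import os


def listed_pids():
    """PIDs visible by enumerating /proc: the view a hooked readdir/getdents can filter."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(candidates):
    """PIDs that answer a kill(pid, 0) probe. EPERM still proves the process exists."""
    alive = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def probe_self():
    """Sanity check that the probe path works before trusting a scan result."""
    return os.getpid() in probe_pids([os.getpid()])


def hidden_pids(listed_before, probed, listed_after):
    """Processes that answer a probe but are absent from both /proc listings taken
    around it. Listing twice discards processes that merely started or exited
    during the scan; a process that lives only during the probe window can still
    slip through, so treat hits as leads to confirm, not verdicts."""
    return probed - listed_before - listed_after


def parse_proc_modules(text):
    """Module names from the text of /proc/modules (first field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loadable_sysfs_modules(sys_module="/sys/module"):
    """Loadable (non-built-in) modules known to sysfs: only those have an initstate file."""
    return {m for m in os.listdir(sys_module)
            if os.path.exists(os.path.join(sys_module, m, "initstate"))}


def hidden_modules(proc_modules, sysfs_modules):
    """Modules sysfs still knows about that no longer appear in /proc/modules,
    the classic sign of a module unlinked from the kernel's module list."""
    return sysfs_modules - proc_modules


# Constructed sample of /proc/modules content for the example, not a real capture.
SAMPLE_PROC_MODULES = (
    "nfs 123456 0 - Live 0x0000000000000000\n"
    "sunrpc 456789 1 nfs, Live 0x0000000000000000\n"
)


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    before = listed_pids()
    probed = probe_pids(range(1, pid_max + 1))
    after = listed_pids()
    for pid in sorted(hidden_pids(before, probed, after)):
        print(f"process answers probe but is missing from /proc: pid {pid}")
    with open("/proc/modules") as f:
        loaded = parse_proc_modules(f.read())
    for mod in sorted(hidden_modules(loaded, loadable_sysfs_modules())):
        print(f"module present in /sys/module but absent from /proc/modules: {mod}")
```

Run it as root on the appliance or host under suspicion; unprivileged runs still work for the process check (EPERM counts as alive) but may not be able to read /proc/modules. A rootkit that hooks both views, or that also removes its sysfs kobject, will not show up here, which is why such checks complement rather than replace memory forensics.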
“Mandiant assesses with high confidence that UNC4841 conducted espionage activity in support of the People’s Republic of China. While Mandiant has not attributed this activity to a previously known threat group at this time, we have identified several infrastructure and malware code overlaps that provide us with a high degree of confidence that this is a China-nexus espionage operation,” the researchers conclude.
Most of the targeted organizations were in the Americas, followed by EMEA and APAC, and roughly a third of them were government agencies, consistent with an espionage campaign. Mandiant attributes the activity to a China-nexus operation with high confidence, citing infrastructure and malware code overlaps as well as targeting aligned with PRC policy priorities in the Asia-Pacific region, including Taiwan.