Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT

  /     /     /  
Publicated : 23/11/2024   Category : security


Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT


A PRC-aligned actor used a trio of custom malware to take advantage of inherent weaknesses in edge appliances.



Researchers say the
recent compromise of Barracuda Networks email security gateways (ESGs)
was carried out by a newly discovered Chinese APT, which used three different backdoors to exploit security failings endemic to edge devices.
According to
Barracudas timeline
, on May 18, the company was alerted to anomalous traffic coming from some of its ESGs. The following day, in collaboration with security company Mandiant, it discovered a zero-day vulnerability —
CVE-2023-2868
— since assigned a score of 9.8 out of 10 on the CVSS vulnerability severity scale, making it critical-rated.
In multiple statements provided to Dark Reading, Barracuda has indicated that around 5% of active ESG devices worldwide have shown evidence of compromise. The company has a global footprint, with market-share watchers pegging it as
claiming around a fifth of the ESG market
, with clients that include
 
CVS Health, IBM, and McKesson. 
Now, in a
report published Thursday, June 15
, Mandiant has connected the campaign to a novel APT its tracking as UNC4841, assessing with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the Peoples Republic of China.
A full third of UNC4841s targets have been government organizations, and more than half are in the Americas — though that may partially reflect the products customer base, the researchers qualified. In many cases, the hackers collected email data not just from specific targets, but individual targets, including government officials and academics in Southeast Asia.
Theyre definitely very competent, says Ben Read, Mandiants senior manager of cyber espionage analysis, Google Cloud. To find a vulnerability and exploit it in the ways that they have demonstrates an understanding that would have taken a lot of time and expertise to figure out. They definitely have significant funds.
UNC4841s attacks began with rudimentary phishing emails containing generic messages and broken grammar. Attached to the emails, however, were malicious tape archive (TAR) files which, when opened, exploited CVE-2023-2868, allowing the attackers to remotely execute code on target machines.
Now in control of the privileges afforded to Barracuda ESGs, the attackers deployed three separate backdoors — SALTWATER, SEASPY, and SEASIDE — which each attempted to masquerade as legitimate ESG modules and services.
These backdoors do have different capabilities, but overlap in terms of allowing for command-and-control (C2) communication to the device, explains Austin Larsen, Mandiant senior incident response consultant, Google Cloud. As he sees it, having three backdoors is a form of fault tolerance: The actor is shown a pretty intense desire to maintain access to these devices, by establishing redundancy through multiple backdoors.
Even after its backdoors were discovered and addressed, the threat actor reacted very quickly to any actions taken by Barracuda and Mandiant,” Larsen says. “They wanted to maintain persistence and access to these devices for as long as possible.
Together, this may explain why, even after Barracuda released a series of security patches, UNC4841s malicious activity remained ongoing. Beginning May 31, to finally rid the attackers from the appliances, the company offered to
outright replace all affected ESGs
at no cost to customers.
Larsen points out that
its not just ESGs
— edge appliances in general arent secure enough.
The threat that it poses is that network defenders typically dont have visibility into the underlying operating system, and so your traditional countermeasures —
like EDR solutions for detection
— typically dont run on these appliances, he explains. And so, actors have realized that its a great place to operate from, because they can typically avoid detection.”
The issues with edge appliances only mount from there. They live on the edge of networks, so theyre typically exposed in some way to the Internet and a lot of appliances are in a legacy phase at this point, he adds. And so were seeing that these appliances arent quite getting the same level of attention as some more modern products and solutions, in terms of security.
But even if edge appliances themselves are vulnerable, with proper segmentation, the networks theyre connected to dont have to be.
We did identify this specific threat actor attempting to move laterally from the edge devices post-exploitation, Larsen notes. Had these devices been in an unprivileged segment of the network, that may have prevented some of that lateral movement.

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT