Barracuda ESG zero-day attacks by a Chinese state-sponsored threat actor have compromised numerous government email servers, threat intelligence firm Mandiant has reported.
The attacks, attributed to a China-nexus espionage actor tracked as UNC4841, targeted numerous American state, provincial, county, tribal, city, and town offices.
In May 2023, Barracuda patched the vulnerable devices remotely, warning that threat actors had exploited the critical (CVSS 9.8) zero-day vulnerability CVE-2023-2868 for at least seven months since October 2022.
Over 200,000 private and government organizations worldwide depend on Barracuda email security gateway (ESG) appliances.
U.S. government email servers exploited in Barracuda zero-day attacks
Google’s Mandiant found that the Barracuda ESG zero-day attacks primarily targeted the Americas (55%), EMEA (24%), and APAC (22%), with government email systems accounting for a third of compromised Barracuda ESG appliances.
Of all targeted organizations, local government email servers accounted for “just under seven percent,” but the figure increased to “nearly seventeen percent” when considering U.S. victims alone.
In the Americas, the zero-day attacks targeted state, local, and tribal government email servers. Mandiant withheld the identity of agencies whose government email servers were compromised.
“Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city, and town offices that were targeted in this campaign,” Mandiant said.
The Barracuda ESG zero-day attacks also targeted government email servers of the ASEAN Ministry of Foreign Affairs and foreign trade offices in Hong Kong and Taiwan. Other victims included aerospace, telecom, technology, and IT companies. However, only 5% of all ESG installations were compromised.
Threat actors sent spear-phishing messages with an attachment that triggered the Barracuda ESG zero-day vulnerability. The initial attachments had the “.tar” extension before threat actors shifted to “.jpg” or “.dat” extensions, although they remained as valid tar files.
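The extension change described above only fools filters that trust the file name. A content-based check catches it: a tar archive carries the "ustar" magic at byte offset 257 of its first header block no matter what extension it is given. The following Python is an added illustration of that check, written for this article; it is not Barracuda's or Mandiant's code, and the attachments it scans are constructed in memory (a tiny tar archive and a bare JPEG header), not real samples from the campaign.

```python
"""Flag email attachments whose content is a tar archive regardless of the
extension they carry (e.g. ".jpg" or ".dat" on a valid tar file)."""
import io
import tarfile

# The POSIX ustar magic sits at offset 257 of the first 512-byte header block.
# Both the "ustar\0" (POSIX/pax) and "ustar " (GNU) variants start with these bytes.
TAR_MAGIC_OFFSET = 257
TAR_MAGIC = b"ustar"

# Extensions under which tar content is expected, and magic bytes that other
# declared extensions must carry. Both tables are assumptions for this example.
ARCHIVE_EXTS = {"tar"}
EXPECTED_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def build_sample_tar(member_name: str = "benign.txt", payload: bytes = b"hello") -> bytes:
    """Construct a small, valid tar archive in memory (sample data, not a real attachment)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def looks_like_tar(data: bytes) -> bool:
    """Content-based check: does the first header block carry the ustar magic?"""
    end = TAR_MAGIC_OFFSET + len(TAR_MAGIC)
    return len(data) >= 512 and data[TAR_MAGIC_OFFSET:end] == TAR_MAGIC


def declared_extension(filename: str) -> str:
    """Lower-cased extension from the file name, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def assess_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the detected content and return a verdict."""
    ext = declared_extension(filename)
    is_tar = looks_like_tar(data)
    reasons = []
    if is_tar and ext not in ARCHIVE_EXTS:
        reasons.append(f"tar archive content with '.{ext or '<none>'}' extension")
    expected = EXPECTED_MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        reasons.append(f"'.{ext}' extension but content lacks the {ext} magic bytes")
    return {
        "filename": filename,
        "declared_ext": ext,
        "is_tar": is_tar,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_attachments(attachments):
    """Scan (filename, bytes) pairs and return only the suspicious verdicts."""
    return [v for v in (assess_attachment(n, d) for n, d in attachments) if v["suspicious"]]


if __name__ == "__main__":
    tar_bytes = build_sample_tar()
    # Constructed sample set: a plain tar, the same tar renamed twice, and a real JPEG header.
    sample = [
        ("report.tar", tar_bytes),
        ("photo.jpg", tar_bytes),
        ("data.dat", tar_bytes),
        ("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 600),
    ]
    for verdict in scan_attachments(sample):
        print(verdict["filename"], "->", "; ".join(verdict["reasons"]))
```

The check deliberately reads only the header magic rather than parsing the archive, so a gateway can quarantine a mismatched attachment before any archive-handling code touches it; the same extension-versus-content comparison generalizes to any file type whose magic bytes are known.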
The threat intelligence firm also observed Chinese hackers attempting to log into numerous mailboxes using Outlook Web Access (OWA) on compromised servers, resulting in the “lockout of a limited number of accounts.”
“In the cases where UNC4841 was able to obtain unauthorized access to a limited number of accounts, Mandiant did not observe UNC4841 send any email from the compromised account,” noted the report.
After compromising government email servers, the attackers stole specific data, highlighting the cyber espionage nature of the ESG zero-day attacks.
The Chinese hackers also attempted to move laterally within selected compromised organizations by leveraging Active Directory, SSH, VPNs, Proxy Servers, and other remote access methods.
They also installed the following malware families, which impersonate legitimate Barracuda services to maintain persistence:
- SALTWATER – a multifunctional malware targeting the Barracuda SMTP daemon.
- SEASPY – a persistent backdoor impersonating a legitimate Barracuda Networks service.
- SEASIDE – creates reverse shells for the malware’s command and control (C2) server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had previously observed the Chinese hackers leveraging two backdoors, SUBMARINE Backdoor and Whirlpool, in ESG zero-day attacks.
Mandiant also observed them installing backdoors Depthcharge, Skipjack, Foxglove, and Foxtrot to thwart mitigation efforts, with each malware variant representing a “level of increasing selectivity.”
Depthcharge, identified by CISA as SUBMARINE, allowed the threat actors to infect replacement appliances when Barracuda ESG users exported their configurations to them. Foxglove and Foxtrot were used against high-priority government organizations.
“Organizations that received these post-remediation malware families were weighted towards government (national), high tech, and information technology sectors,” Mandiant stated. “This may suggest a threat actor prioritization towards conventional espionage targets and maintaining access to IT and managed service providers.”
Mandiant also observed that the Chinese hackers had ample time and resources to plan the attacks and find ways to circumvent possible mitigations.
“It also suggests that despite this operation’s global coverage, it was not opportunistic, and that UNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their access to target networks,” said Mandiant.
Patched devices are still vulnerable to Barracuda ESG zero-day attacks
While Mandiant and Barracuda have yet to detect newly compromised devices after patching, the FBI has warned that Chinese threat actors were still exploiting the zero-day vulnerability in Barracuda ESG devices.
“The FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability,” the agency warned.
Subsequently, the FBI advised impacted organizations to isolate Barracuda ESG devices and revoke domain privileges to prevent threat actors from gaining persistence.
The agency also published further indicators of compromise and advised organizations to “remove all ESG appliances immediately,” adding that all Barracuda patches for the CVE-2023-2868 vulnerability “were ineffective.”