Connect with us

Hi, what are you looking for?



Barracuda Zero-Day Attacks Attributed to Chinese Cyberespionage Group

Attacks exploiting the Barracuda zero-day CVE-2023-2868 have been linked to a Chinese cyberespionage group that has targeted government and other organizations.

Barracuda zero day exploited by China

The recent attacks exploiting a zero-day vulnerability in a Barracuda Networks email security appliance have been attributed by Mandiant to a Chinese cyberespionage group.

The attacks were discovered by Barracuda on May 18 and the company hired Mandiant to help investigate. Mandiant, which is now owned by Google Cloud, said multiple intelligence and government partners also assisted with the investigation. 

The cybersecurity firm has attributed the campaign to a threat actor it has named UNC4841, which it believes — with high confidence — is a cyberespionage group operating on behalf of the Chinese government. 

Charles Carmakal, CTO of Mandiant Consulting, said in comments shared with SecurityWeek that this is the “broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021”, with the email security appliances of hundreds of organizations getting hit. 

The zero-day leveraged in the campaign, tracked as CVE-2023-2868, impacts Barracuda Email Security Gateway (ESG), specifically a module designed for the initial screening of email attachments. Malicious actors can exploit the vulnerability for remote command injection by sending the targeted entity an email containing a specially crafted TAR file as an attachment. 

In the attacks observed by Mandiant, the hackers attached the exploit to poorly-written emails.

“Mandiant assesses UNC4841 likely crafted the body and subject of the message to appear as generic spam in order to be flagged by spam filters or dissuade security analysts from performing a full investigation. Mandiant has observed this tactic utilized by advanced groups exploiting zero-day vulnerabilities in the past,” Mandiant explained.

Advertisement. Scroll to continue reading.

CVE-2023-2868 has been exploited since at least October 2022 to gain initial access to Barracuda appliances. The exploit allowed the cyberspies to execute a reverse shell, after which they downloaded custom backdoor malware to the device.

Three primary custom backdoors have been identified: SeaSpy, SaltWater and SeaSide. These pieces of malware are designed for C&C communications, downloading and executing files, executing commands, and providing proxying capabilities. The attackers also deployed a rootkit named SandBar that appears to hide the SeaSpy malware. 

In addition to these malware families, Mandiant has observed trojanized versions of several legitimate Barracuda LUA modules, which are designed to perform various actions when certain email-related events are detected on the appliance. These LUA modules have been named SeaSpray and SkipJack by Mandiant. 

A few weeks after the attack was detected, Barracuda urged customers to immediately replace compromised appliances, indicating that the patches it had deployed did not fully protect devices. 

Indeed, Mandiant noted that the attackers started modifying their malware and deploying additional persistence mechanisms in response to Barracuda’s actions.

“Between May 21, 2023, and May 22, 2023, shortly following Barracuda’s initial remediation script deployment, UNC4841 quickly made modifications to both SeaSpy and SaltWater related components in order to prevent effective patching,” Mandiant explained. “Between May 22, 2023 and May 24, 2023, UNC4841 conducted high frequency operations on a number of victims located in at least 16 different countries; modifying 7 components of SeaSpy and at least 2 components of SaltWater.”

UNC4841 was observed exfiltrating email-related data from victims, including European and Asian government officials in Southeast Asia, as well as high-profile academics in Hong Kong and Taiwan. 

Targets also included the Ministry of Foreign Affairs of the Association of Southeast Asian Nations (ASEAN), foreign trade offices, and academic research organizations.

“The actors searched for email accounts belonging to individuals working for a government with political or strategic interest to the PRC at the same time that this victim government was participating in high-level, diplomatic meetings with other countries,” Mandiant said.

The company pointed out that more than a quarter of victims are government organizations. 

Mandiant said more than half of the impacted organizations are in the Americas, but that is not surprising considering that this is where the Barracuda appliance is mainly used. The remaining victims were split between the APAC and EMEA regions. 

In addition to the targeting of entities that present an interest to Beijing, there is some technical evidence linking the attacks to China, including the origin of some emails, the use of a specific mail client, and infrastructure and malware code overlaps previously tied to Chinese cyberspies.

Related: Many of 13 New Mac Malware Families Discovered in 2022 Linked to China

Related: US Probing Cybersecurity Risks of Rockwell Automation’s China Operations: Report

Related: Spies, Hackers, Informants: How China Snoops on the US

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...