The recent attacks exploiting a zero-day vulnerability in a Barracuda Networks email security appliance have been attributed by Mandiant to a Chinese cyberespionage group.
The attacks were discovered by Barracuda on May 18 and the company hired Mandiant to help investigate. Mandiant, which is now owned by Google Cloud, said multiple intelligence and government partners also assisted with the investigation.
The cybersecurity firm has attributed the campaign to a threat actor it has named UNC4841, which it believes — with high confidence — is a cyberespionage group operating on behalf of the Chinese government.
Charles Carmakal, CTO of Mandiant Consulting, said in comments shared with SecurityWeek that this is the “broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021”, with the email security appliances of hundreds of organizations getting hit.
The zero-day leveraged in the campaign, tracked as CVE-2023-2868, impacts Barracuda Email Security Gateway (ESG), specifically a module designed for the initial screening of email attachments. Malicious actors can exploit the vulnerability for remote command injection by sending the targeted entity an email containing a specially crafted TAR file as an attachment.
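The article does not detail how the crafted archive reaches a shell, so the following is only an illustration of the weakness class involved, an attachment screener that inspects a TAR archive, and of how such a screener can be written defensively. It is an added example, not Barracuda's code and not part of Mandiant's analysis: the archive is parsed in-process with Python's `tarfile` module, no member name is ever passed to a shell, and member names are checked against a constructed set of shell metacharacters and path-traversal patterns (the `SHELL_META` character set and the sample archives are assumptions made for the example).

```python
import io
import re
import tarfile

# Characters a shell would interpret. Which characters matter depends on the
# surrounding code; this set is an assumption for the example, not a standard.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")

# Anti-pattern this example avoids: building a command line from a member name,
# e.g. subprocess.run("tar -tf " + name, shell=True). Any name the sender
# controls then becomes part of the command. The screener below never does this.


def inspect_tar(data: bytes, max_members: int = 1000) -> dict:
    """Screen a TAR attachment without handing any member name to a shell.

    Returns {'ok': bool, 'findings': [str, ...]}; an empty findings list means
    nothing suspicious was seen in the archive's metadata.
    """
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for index, member in enumerate(tar):
                if index >= max_members:
                    findings.append("too many members")
                    break
                name = member.name
                if SHELL_META.search(name):
                    findings.append(f"shell metacharacters in member name: {name!r}")
                if name.startswith("/") or ".." in name.split("/"):
                    findings.append(f"path traversal in member name: {name!r}")
                if member.issym() or member.islnk():
                    findings.append(f"link member: {name!r} -> {member.linkname!r}")
    except tarfile.TarError as exc:
        # Truncated or non-TAR input is rejected rather than guessed at.
        findings.append(f"malformed archive: {exc}")
    return {"ok": not findings, "findings": findings}


def build_tar(names) -> bytes:
    """Build a small constructed TAR archive in memory for testing the screener."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"sample content"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a benign archive and one with names a shell-based
    # screener would mishandle.
    benign = build_tar(["invoice.pdf", "docs/readme.txt"])
    suspicious = build_tar(["notes;backup.txt", "../escape.txt"])
    for label, blob in (("benign", benign), ("suspicious", suspicious)):
        print(label, inspect_tar(blob))
```

The point for detection engineers is that the screener produces findings from archive metadata alone, so the same checks can run over quarantined attachments or mail-gateway logs to surface archives whose member names were never meant to be legitimate file names.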
In the attacks observed by Mandiant, the hackers attached the exploit to poorly written emails.
“Mandiant assesses UNC4841 likely crafted the body and subject of the message to appear as generic spam in order to be flagged by spam filters or dissuade security analysts from performing a full investigation. Mandiant has observed this tactic utilized by advanced groups exploiting zero-day vulnerabilities in the past,” Mandiant explained.
CVE-2023-2868 has been exploited since at least October 2022 to gain initial access to Barracuda appliances. The exploit allowed the cyberspies to execute a reverse shell, after which they downloaded custom backdoor malware to the device.
Three primary custom backdoors have been identified: SeaSpy, SaltWater and SeaSide. These pieces of malware are designed for C&C communications, downloading and executing files, executing commands, and providing proxying capabilities. The attackers also deployed a rootkit named SandBar that appears to hide the SeaSpy malware.
In addition to these malware families, Mandiant has observed trojanized versions of several legitimate Barracuda Lua modules, which are designed to perform various actions when certain email-related events are detected on the appliance. These Lua modules have been named SeaSpray and SkipJack by Mandiant.
A few weeks after the attack was detected, Barracuda urged customers to immediately replace compromised appliances, indicating that the patches it had deployed did not fully protect devices.
Indeed, Mandiant noted that the attackers started modifying their malware and deploying additional persistence mechanisms in response to Barracuda’s actions.
“Between May 21, 2023, and May 22, 2023, shortly following Barracuda’s initial remediation script deployment, UNC4841 quickly made modifications to both SeaSpy and SaltWater related components in order to prevent effective patching,” Mandiant explained. “Between May 22, 2023 and May 24, 2023, UNC4841 conducted high frequency operations on a number of victims located in at least 16 different countries; modifying 7 components of SeaSpy and at least 2 components of SaltWater.”
UNC4841 was observed exfiltrating email-related data from victims, including European and Asian government officials in Southeast Asia, as well as high-profile academics in Hong Kong and Taiwan.
Targets also included the Ministry of Foreign Affairs of the Association of Southeast Asian Nations (ASEAN), foreign trade offices, and academic research organizations.
“The actors searched for email accounts belonging to individuals working for a government with political or strategic interest to the PRC at the same time that this victim government was participating in high-level, diplomatic meetings with other countries,” Mandiant said.
The company pointed out that more than a quarter of victims are government organizations.
Mandiant said more than half of the impacted organizations are in the Americas, but that is not surprising considering that this is where the Barracuda appliance is mainly used. The remaining victims were split between the APAC and EMEA regions.
In addition to the targeting of entities that present an interest to Beijing, there is some technical evidence linking the attacks to China, including the origin of some emails, the use of a specific mail client, and infrastructure and malware code overlaps previously tied to Chinese cyberspies.