The Chinese cyberespionage group exploiting Barracuda Email Security Gateway (ESG) appliances was preparing for remediation efforts, deploying persistent backdoors on select targets, Mandiant reports.
Tracked as UNC4841 and believed to be working on behalf of the Chinese government, the hacking group is believed to have exploited CVE-2023-2868, a zero-day vulnerability in Barracuda ESG, since at least October 2022.
Barracuda released patches for CVE-2023-2868 in May, but the FBI said last week that the fixes were ineffective and that attacks targeting the flaw have continued, with all Barracuda ESG appliances, including those updated to a patched version, at risk.
In a new report, Mandiant says the vulnerability has not been successfully exploited in recent attacks, explaining that the persistence mechanisms UNC4841 had deployed prior to the release of patches have allowed it to maintain presence on some systems.
“Since Barracuda released a patch to ESG appliances on May 20, 2023, Mandiant and Barracuda have not identified evidence of successful exploitation of CVE-2023-2868 resulting in any newly compromised physical or virtual ESG appliances,” Mandian says.
“UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda’s remediation guidance,” the Google-owned cybersecurity firm explains.
Mandiant says that roughly 5% of the ESG appliances were compromised as a result of CVE-2023-2868’s exploitation, and that no other Barracuda products, such as SaaS email solutions, were affected.
The cybersecurity firm has identified two surges in activity related to ESG appliances after Barracuda’s remediation efforts: one in the days following the patches, and another in early June, when the attackers attempted to deploy new malware families to maintain access to compromised systems.
“This second surge represented the highest intensity of UNC4841 activity identified by Mandiant across the entire campaign, demonstrating UNC4841’s determination in preserving access to specific victim environments,” Mandiant says.
Newly deployed malware included the SkipJack backdoor, the DepthCharge Linux shared object library (tracked by CISA as Submarine), and the Foxtrot/Foxglove backdoor and launcher pair. Mandiant provides technical details on each malware family.
SkipJack trojanizes legitimate ESG modules with malicious Lua code to establish listeners for specific incoming email headers and subjects and execute their content. UNC4841 deployed SkipJack on roughly 5.8% of the compromised appliances, mainly against government and technology organizations.
According to Mandiant, SkipJack was the most deployed malware in the UNC4841 arsenal, and had the most variants as well.
Pre-loaded into the Barracuda SMTP (BSMTP) daemon, DepthCharge passively listens to encrypted commands, executes them, and sends the results masqueraded as SMTP commands back to the command-and-control (C&C) server.
DepthCharge, which is deployed as a persistent backdoor, was seen on select targets starting May 2023, following “Barracuda’s announcement that RMA was the recommended response action”. The threat was identified on roughly 2.64% of the compromised appliances.
“This capability and its deployment suggests that UNC4841 anticipated and was prepared for remediation efforts with tooling and TTPs designed to enable them to persist on high value targets. It also suggests that despite this operation’s global coverage, it was not opportunistic, and that UNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their access to target networks,” Mandiant notes.
UNC4841 was also seen selectively deploying the Foxtrot and Foxglove malware. Foxglove is a launcher that executes Foxtrot, a backdoor written in C++ that can act as a proxy. The threat shows code similarities with Reptile shell’s source code, but implements additional backdoor commands and functionality.
Foxtrot and Foxglove, Mandiant notes, were likely designed to be deployed on Linux-based devices within compromised networks, for lateral movement and credential theft. The pair was deployed only against government or government-related organizations.
The cybersecurity firm notes that it has observed UNC4841 attempting to move laterally to Active Directory, to accounts using Outlook Web Access (OWA), and to VPNs, proxy servers, and edge appliances, via SSH. The APT also accessed a Windows Server Update Services (WSUS) server.
“Mandiant also identified accounts created by UNC4841 within the etc/passwd file on roughly five percent of the previously impacted appliances, as another form of remote access. Account names followed a consistent format, containing four randomly generated characters,” Mandiant notes.
The campaign mainly targeted governmental organizations, information technology and high-tech firms, telecommunication providers, manufacturers, and educational entities. Aerospace and defense, healthcare and biotechnology, public health, and semiconductor entities were also hit.
Many of the targeted government entities were in North America.
“Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city, and town offices that were targeted in this campaign. These organizations included municipal offices, law enforcement offices, judiciaries of varying levels, social service offices, and several incorporated towns,” Mandiant notes.
Related: CISA Analyzes Malware Used in Barracuda ESG Attacks
Related: Barracuda Urges Customers to Replace Hacked Email Security Appliances
Related: Chinese-Backed APT ‘Flax Typhoon’ Hacks Taiwan With Minimal Malware Footprint
