The Federal Bureau of Investigation says that the patches released for a recent Barracuda Email Security Gateway (ESG) vulnerability were not effective, advising organizations to “remove all ESG appliances immediately”.
Impacting Barracuda ESG versions 5.1.3.001 to 9.2.0.006, the security defect, tracked as CVE-2023-2868, has been exploited as a zero-day since at least October 2022, and continues to be targeted in attacks. Barracuda released patches for the bug in late May 2023.
In June, Mandiant attributed the attacks targeting CVE-2023-2868 to a Chinese state-sponsored cyberespionage group tracked as UNC4841. Starting in July, CISA has published several analysis reports detailing the payloads and malware families used in the attacks.
Now, the FBI warns that the flaw is still being targeted in the wild, and that even ESG appliances running the patches released by Barracuda “remain at risk for continued computer network compromise from suspected [Chinese] cyber actors exploiting this vulnerability”.
“The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately,” the agency notes.
Because the vulnerability impacts the email scanning functionality of Barracuda ESG, adversaries can exploit it by sending emails containing crafted TAR file attachments that would trigger a command injection in the context of the appliance.
As part of the observed attacks, the threat actors deployed various types of malware on the affected ESG appliances, allowing them to scan emails, harvest credentials, exfiltrate data, and maintain persistent access.
In some cases, the FBI says, the adversaries leveraged the compromised ESG for lateral movement into the victim’s network, or to send malicious emails to other appliances.
“The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit,” the agency notes.
The FBI says that only scanning the appliance itself for indicators of compromise (IoCs) is not enough to identify potential intrusions and advises organizations to also scan for outgoing connections, review email logs, rotate credentials, revoke and reissue associated certificates, review network logs, and monitor the entire network for abnormal activity.
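One defender-side check that complements the steps above, as an added example rather than anything from the FBI advisory or Barracuda: a triage routine that inspects TAR attachments recovered from mail logs or quarantine and flags archive member names carrying shell metacharacters. It assumes, since the article only says "crafted TAR attachments trigger a command injection", that the member name is the field worth inspecting; the archive is parsed in memory and never extracted.

```python
import io
import re
import tarfile

# Characters a POSIX shell interprets; a legitimate attachment name should
# never need any of them. A member name containing one is flagged for review.
SHELL_META = re.compile(r"[`$;|&<>(){}\n\\'\"]")

def suspicious_tar_members(data: bytes) -> list:
    """Return the names of TAR members whose names contain shell metacharacters.

    Headers are parsed only: nothing is written to disk and nothing is run.
    An archive that tarfile cannot parse is reported rather than passed silently,
    because a deliberately malformed archive is itself worth a second look.
    """
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar:
                if SHELL_META.search(member.name):
                    findings.append(member.name)
    except tarfile.TarError:
        findings.append("<unparseable archive>")
    return findings

def build_tar(names) -> bytes:
    """Construct a small in-memory TAR with the given member names.

    Constructed sample data for exercising the check; not a real attachment.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            payload = b"x"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_tar(["report.pdf", "invoice 2023.docx", "report;.pdf"])
    print(suspicious_tar_members(sample))  # ['report;.pdf']
```

Run it over attachments pulled from the appliance's mail store or a mail log archive; a non-empty result is a lead to correlate with the outgoing-connection and credential reviews the advisory calls for, not a verdict on its own.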
In an emailed comment, Mandiant CEO Kevin Mandia confirmed that UNC4841 has shifted tactics since the initial report on this activity.
“Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868. This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide,” Mandia said.
“These types of attacks underscore a major shift in tradecraft from China-nexus threat actors, especially as they become more selective in their follow-on espionage operations,” he added.