Cybersecurity firm Mandiant has unveiled the details of a sophisticated global espionage campaign allegedly orchestrated by a Chinese-nexus threat group known as UNC4841.
This group, believed to have connections with the People’s Republic of China, exploited a zero-day vulnerability (CVE-2023-2868) in Barracuda Email Security Gateway (ESG) appliances to infiltrate government and government-linked organizations worldwide.
Mandiant’s investigation revealed that the campaign spanned eight months, from October 2022 to June 2023. UNC4841, which had previously been linked to Chinese cyber-espionage activity, demonstrated high adaptability and sophistication in its attack techniques.
The campaign involved deploying several advanced malware families, including Skipjack, DepthCharge, Foxglove, Foxtrot and a new version of Seaspy (tracked as Seaspy V2). These malware families were selectively deployed based on the targets’ profiles, allowing the attackers to gather information, steal credentials and maintain backdoor access.
Writing in an advisory published on Tuesday, Mandiant said its investigation showed that most compromised organizations were governmental and high-tech entities, with North America being the primary geographic target.
The affected sectors included national governments, technology organizations, local governments, telecommunications providers, manufacturing entities and universities. Although the campaign affected only a limited number of ESG appliances worldwide (about 5%), the impact was significant due to the high-profile nature of the targeted organizations.
In response to the campaign, Barracuda released a patch for the ESG vulnerability on May 20, 2023. The company, in collaboration with Mandiant, reported that the patch effectively mitigated exploitation of the vulnerability. However, the attackers deployed new malware versions after the patch’s release to maintain access in some high-priority compromised environments.
“The ability to drop malware [...] which will allow the bad actors to maintain persistence even after the initial entry point is fixed, should be especially worrying for organizations impacted by this or using these appliances,” commented Erich Kron, security awareness advocate at KnowBe4.
“Trying to find and remediate potential back doors scattered across systems can be a very challenging issue for organizations. The fact that this zero-day had been exploited for [...] months makes chasing these things down even more challenging as many logs have rolled over or been deleted by now, making rogue installs of software harder to spot.”
Mandiant’s recommendations for affected victims include contacting Barracuda support and replacing compromised appliances.