Barracuda gateway attacks: How Chinese snoops keep a grip on victims' networks

Trending 3 weeks ago

Nearly a 3rd of organizations compromised by Chinese cyberspies via a captious bug successful immoderate Barracuda Email Security Gateways were authorities units, according to Mandiant.

And, nan Google-owned squad warned, it's not complete yet: "Mandiant assesses that, astatine nan clip of writing, a constricted number of antecedently impacted victims stay astatine consequence owed to this campaign."

By that, Mandiant intends Beijing's spies not only collapsed into a comparatively mini number of organizations, via nan vulnerability CVE-2023-2868 successful Barracuda's products, they whitethorn still person entree into those networks moreover aft their victims took action to unafraid devices, by utilizing earlier planted backdoors. Mandiant continues to urge group dump and switch their at-risk Barracuda equipment.

The information outfit antecedently attributed nan attacks connected nan Barracuda-made gateways to UNC4841, a China-based espionage team. In a study published yesterday, nan researchers elaborate 3 backdoors deployed by nan spies connected compromised networks; these backdoors not only allowed nan intruders to flick astir wrong victims' environments, they're useful for maintaining persistent access.

Mandiant's investigation comes arsenic nan US goverment's Cybersecurity and Infrastructure Security Agency (CISA) released caller indicators of compromise (IOCs) associated pinch exploitation of CVE-2023-2868; these specifications are useful if you want to cheque whether you were deed by China.

UNC4841 deployed caller and caller malware designed to support beingness astatine a mini subset of precocious privilege targets

The latest CISA database follows an earlier analysis by Uncle Sam of UNC4841's Barracuda backdoors, and previous IOCs linked to nan bug's exploitation.

CVE-2023-2868 is simply a distant bid injection vulnerability affecting Barracuda ESG appliances versions to UNC4841 exploited this vulnerability arsenic a zero-day flaw arsenic early arsenic October 2022, and nan spread wasn't discovered and patched until May 2023. But by past nan spies had already installed backdoors — some of them ne'er seen earlier — successful victims' networks, which allowed nan intruders to support power and persistence moreover aft nan flaw had been fixed and patches deployed.

This prompted nan vendor successful early June to urge customers rip and replace each of their ESG appliances, moreover if they've been patched, pinch Barracuda footing nan measure for nan caller non-buggy kit.

On Friday nan FBI confirmed what Mandiant had already said: snoops linked to China were astir apt down nan attacks.

In a heavy dive published this week, Mandiant said moreover aft Barracuda patched nan vulnerability, nan spies showed "sophistication and adaptability successful consequence to remediation efforts," and apt created their post-intrusion package devices successful advance, to usage against high-value target organizations' networks.

"Specifically, UNC4841 deployed caller and caller malware designed to support beingness astatine a mini subset of precocious privilege targets that it compromised either earlier nan spot was released, aliases soon pursuing Barracuda's remediation guidance," Mandiant's latest research concluded.

UNC4841's prey

Overall, only astir 5 percent of ESG appliances worldwide were compromised, according to Mandiant. Organizations successful nan US and Canada were deed nan most, though this could beryllium owed to nan vendor's customer base, and almost a 3rd (27 percent) of these were authorities agencies, compared to 73 percent of world victims that were private-sector organizations crossed each industries.

"Notably, among North American identified affected organizations, location were galore state, provincial, county, tribal, city, and municipality offices that were targeted successful this campaign," Mandiant's Austin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, and Michael Raggi wrote. "While wide section authorities targeting comprises conscionable nether 7 percent of each identified affected organizations, this statistic increases to astir seventeen percent erstwhile compared to US-based targeting alone."

Since Barracuda released a spot for CVE-2023-2868, however, section governments now dress up only 8 percent of nan observed impacted organizations, we're told.

"This diminution whitethorn correspond an evolving operational privilege for UNC4841 complete nan long of sustained threat activity," Mandiant noted.

Regional IT providers successful some nan US and Europe were basking first targets for UNC4841 during which nan spies exploited nan bug to deploy 3 backdoors, Saltwater, Seaspy, and Seaside, connected nan appliances.

But aft dropping nan sea-themed malware connected nan IT providers' ESGs, UNC4841 didn't do thing else. "A imaginable conclusion of these 3 malware families being observed successful isolation is adversaries person not yet prioritized nan infected appliances for further discuss and deployment of later shape devices attributed to UNC4841," Mandiant said.

Mandiant discussed these 3 malware families successful research published successful June.

But wait, there's much backdoors

In its latest write-up, nan threat intel squad elaborate a second, "previously undisclosed wave" of attacks opening successful early June — astir nan clip that Barracuda told customers to "immediately" switch infected ESG products.

"In this 2nd wave, Mandiant discovered nan character attempting to support entree to compromised environments via nan deployment of nan caller malware families Skipjack, Depthcharge, and Foxtrot / Foxglove," nan study stated. 

"This 2nd surge represented nan highest strength of UNC4841 activity identified by Mandiant crossed nan full campaign, demonstrating UNC4841's determination successful preserving entree to circumstantial unfortunate environments," it added.

Of nan 3 backdoors deployed successful this 2nd surge, Skipjack was nan astir wide utilized and Mandiant observed it connected astir 5.8 percent of each compromised ESG appliances. The snoops chiefly targeted authorities and tech organizations pinch nan Skipjack malware.

It trojanizes morganatic Barracuda ESG modules, injects malicious code, and "establishes its backdoor capabilities by registering a listener for circumstantial incoming email headers and subjects, and past decoding and executing nan contented of them," Madniant said.

  • FBI: Who was going astir hijacking Barracuda email boxes? China, probably
  • Chinese spies blamed for data-harvesting raids connected Barracuda email gateways
  • Taiwanese infosec researchers situation Microsoft's China espionage finding
  • Meta reckons China's troll farms could study due OpSec from Russia's clone news crews

The 2nd backdoor, which Mandiant named Depthcharge and CISA tracks arsenic Submarine, was designed to infect new, cleanable devices erstwhile nan unfortunate orgs restored backup configurations from their antecedently compromised appliances.

Both of these were designed specifically for Barracuda ESGs.

The 3rd malware, Foxtrot and Foxglove, wasn't designed expressly for Barracuda ESGs. Mandiant says it only observed this backdoor being utilized connected authorities aliases government-related devices astatine high-priority targets.

Mandiant recommends organizations proceed to hunt for activity connected their networks that could bespeak nan beingness of UNC4841 arsenic nan ongoing investigation has shown nan cyberspies to beryllium "highly responsive to protect efforts," modifying their strategies "continue their espionage operation." ®