A threat actor with suspected links to China has been targeting a recently disclosed zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances, in what Mandiant researchers call the broadest espionage campaign known to be conducted by a China-nexus threat actor since the 2021 mass exploitation of Microsoft Exchange.
After Barracuda initially shipped a series of patches in May for the remote command injection vulnerability (CVE-2023-2868) in some versions of its ESG appliance, the company said that the vulnerability had been exploited in the wild for eight months and urged certain impacted customers to replace their ESG appliances.
In a new analysis published Thursday, Mandiant, which assisted in the incident response, offered new details about the threat actor behind the attacks. The group, tracked as UNC4841, has not been linked to a previously known threat group at this time, and researchers assess with high confidence that it is an espionage actor operating in support of the People’s Republic of China.
According to the analysis, the threat group’s operations have targeted victims worldwide, with a majority of attacks appearing to impact the Americas (though Mandiant noted that this “may partially reflect Barracuda’s product customer base”). Additionally, around one-third of the impacted organizations were government agencies, including the Ministries of Foreign Affairs (MFAs) of ASEAN, as well as foreign trade offices and academic research organizations in various locations, such as Hong Kong.
“Post initial compromise, Mandiant and Barracuda observed UNC4841 aggressively target specific data of interest for exfiltration, and in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network, or to send mail to other appliances,” said Mandiant researchers on Thursday. “Mandiant has also observed UNC4841 deploy additional tooling to maintain presence on ESG appliances.”
As early as Oct. 10, UNC4841 began sending victim organizations emails carrying crafted TAR file attachments built to exploit CVE-2023-2868. In some cases, these emails were sent from email addresses belonging to other organizations whose appliances had already been compromised.
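A hunting check for the delivery stage described above, written for this page as an added example (it is not Mandiant's or Barracuda's code). It assumes, as Barracuda's advisory for CVE-2023-2868 described, that the command injection travels in the names of the entries inside the .tar attachment, so it parses each archive and flags entry names containing shell metacharacters or non-printable characters, which a legitimately named attachment has no reason to carry. The archives it scans are constructed in-memory test data; `scan_attachment` and `build_sample_tar` are names chosen here.

```python
import io
import re
import tarfile

# Characters that are meaningful to a shell (or to Perl's qx operator) and that
# a legitimately named archive entry has no reason to contain.
SUSPICIOUS = re.compile(r"[`$|;&<>(){}\n\r]")


def suspicious_entry_names(tar_bytes):
    """Return the entry names inside a TAR archive that contain shell
    metacharacters or non-printable characters.
    Raises tarfile.TarError when the data is not a parseable TAR."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf:
            # member.name comes straight from the archive header: exactly the
            # untrusted field a downstream processor would hand to a command.
            if SUSPICIOUS.search(member.name) or not member.name.isprintable():
                hits.append(member.name)
    return hits


def scan_attachment(data):
    """Classify one attachment blob as 'not-tar', 'clean' or 'suspicious'."""
    try:
        hits = suspicious_entry_names(data)
    except tarfile.TarError:
        # Not a TAR at all (or truncated): nothing for this check to say.
        return {"verdict": "not-tar", "entries": []}
    return {"verdict": "suspicious" if hits else "clean", "entries": hits}


def build_sample_tar(names):
    """Constructed test data: an in-memory TAR whose entries have the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"placeholder content"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_tar(["report.pdf", "notes.txt"])
    crafted = build_sample_tar(["report.pdf", "photo.jpg; id"])  # constructed sample
    print(scan_attachment(benign))
    print(scan_attachment(crafted))
    print(scan_attachment(b"%PDF-1.4 not an archive"))
```

Run it over attachments pulled from the gateway's quarantine or mail logs; a hit is a reason to pull the full message and the appliance's own logs for the period, not proof of exploitation on its own, since the check looks only at the archive header and not at what the appliance did with it.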
These emails contained generic lures with poor grammar and, in some cases, placeholder values; however, researchers believe the attackers likely did this on purpose in order to disguise the messages as generic spam. This tactic, which sophisticated threat groups have used before, relies on the messages being flagged as spam, in an effort to dissuade security analysts from investigating them.
As was previously disclosed in Barracuda’s security advisory, researchers found that UNC4841 deployed a variety of custom malware families to maintain persistence on impacted ESG appliances. These included a backdoor called Saltwater with components enabling attackers to upload or download arbitrary files and execute commands; a malware family called Seaside that monitors SMTP commands for a command-and-control (C2) IP address and port, which it then passes on to an external binary that creates a reverse shell; and a backdoor called Seaspy that has code that overlaps with the known, publicly available backdoor cd00r.
In addition to these previously highlighted custom families, researchers on Thursday revealed more malware modules used post-compromise by the attackers, including Seaspray, a trojanized Barracuda email security gateway module that executes an external binary (called Whirlpool) upon encountering an email attachment whose filename carries a special value, which then establishes a reverse shell. Researchers also uncovered a passive backdoor called Skipjack, a trojanized version of a Barracuda email security gateway module, and a rootkit called Sandbar, a trojanized network file system kernel module for Linux that hides processes whose names start with a specific string.
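A generic way to surface a process that a kernel module hides from /proc listings, added here as an example and not taken from Mandiant's report or Barracuda's tooling. The page does not say which string Sandbar matches, so the check does not look for names at all: it compares the PIDs (and thread ids) that a /proc directory listing shows, which is the view ps and top build, against PIDs that answer `kill(pid, 0)`, a signal-path check that never goes through /proc. A module that only filters directory listings cannot hide from the second view; one that also hooks the signal path would, which is the caveat to keep in mind. Function names here (`visible_pids`, `probe_pids`, `find_hidden`, `hunt`) are chosen for this example.

```python
import os


def visible_pids():
    """PIDs and thread ids reachable through /proc directory listings,
    i.e. what ps and top see. Threads are included because kill(tid, 0)
    succeeds for a thread id too, and /proc only lists thread-group leaders."""
    seen = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        seen.add(pid)
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:
            pass  # process exited between the two listdir calls
    return seen


def probe_pids(max_pid):
    """PIDs that exist according to kill(pid, 0), asked for one at a time.
    EPERM still means the process exists (it just belongs to someone else);
    only ESRCH means there is nothing there."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def find_hidden(listed, probed):
    """Pure set comparison: PIDs the kernel admits exist but the listing omits."""
    return sorted(probed - listed)


def process_name(pid):
    """Best-effort name from /proc/<pid>/comm; a rootkit may block this path too."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "<unreadable>"


def hunt():
    """Take both views, then re-check each candidate once so that processes
    which simply exited between the two snapshots are not reported."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    candidates = find_hidden(visible_pids(), probe_pids(pid_max))
    confirmed = []
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # gone now: it exited, it was not hidden
        except PermissionError:
            pass
        if pid not in visible_pids():
            confirmed.append((pid, process_name(pid)))
    return confirmed


if __name__ == "__main__":
    hidden = hunt()
    if not hidden:
        print("no PIDs hidden from /proc listings")
    for pid, name in hidden:
        print(f"hidden pid {pid} ({name})")
```

Probing every PID up to pid_max takes a few seconds on a system where that limit is in the millions, which is acceptable for a one-off hunt. On an appliance the operator cannot fully trust, run the same comparison from a known-good rescue environment or compare against a memory image rather than relying on the live kernel alone.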
The threat actors tweaked these malware families, along with their TTPs, on a rolling basis and in response to Barracuda’s efforts to contain and remediate the attacks. For instance, when Barracuda released an initial remediation script, UNC4841 made rapid modifications to components related to Seaspy and Saltwater in order to prevent effective patching, said Mandiant.
“Between May 22, 2023 and May 24, 2023, UNC4841 conducted high frequency operations on a number of victims located in at least 16 different countries; modifying 7 components of SEASPY and at least 2 components of SALTWATER,” said Mandiant researchers.
While Mandiant researchers said they have not yet attributed the activity to a previously known threat group, they found several overlaps in infrastructure and malware code that gave them a high degree of confidence that UNC4841 is a China-nexus espionage operation. Researchers strongly recommend that impacted customers continue to hunt for the threat actor and investigate their networks, given that the group is highly responsive to defense efforts.
“Mandiant expects UNC4841 will continue to alter their TTPs and modify their toolkit, especially as network defenders continue to take action against this adversary and their activity is further exposed by the infosec community,” said researchers.