weerapat1003 - stock.adobe.com

Zero-day that forced Barracuda users to bin kit was exploited by China

Mandiant has published details of how a Chinese threat actor targeted high-profile users of Barracuda Networks' Email Security Gateway appliances, including government agencies of interest to Beijing's intelligence goals

Google Cloud’s Mandiant and Barracuda Networks have confirmed that a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances was heavily exploited by suspected Chinese state hackers – tracked as UNC4841 – in a months-long campaign targeting government bodies, mostly in the US and Canada, although a number of UK victims were observed.

The existence of CVE-2023-2868 was first disclosed in May 2023, although it had been being exploited since late 2022. A patch for CVE-2023-2868 dropped on 20 May, and was later determined to be ineffective, prompting Barracuda to advise affected organisations to throw away vulnerable appliances and seek a replacement.

However, Barracuda and Mandiant claim that in spite of the confusion they had observed no re-exploitation of CVE-2023-2868 on any of the affected appliances since then, although the FBI last week issued a flash alert warning that many appliances were still at risk – a fact that has now been additionally confirmed in a new Mandiant write-up summarising elements of the investigation.

In its paper, Mandiant revealed more insight into the highly targeted campaign, demonstrating how UNC4841’s sophisticated and highly-adaptive campaign was able to disrupt mitigation efforts, and how new and novel malwares helped Beijing’s spies maintain access at a small subset of high-value targets despite the patch being rolled out.

“It’s become clear we are contending with a formidable adversary that boasts vast resources, funding and the technical capability to successfully execute global espionage campaigns at scale. China-nexus espionage actors are improving their operations to become more stealthy, effective and impactful,” said Mandiant senior incident response consultant Austin Larsen.

What is CVE-2023-2868?

CVE-2023-2868 is a remote command injection vulnerability present in a limited subset of physical Barracuda ESG appliances, versions 5.1.3.001 to 9.2.0.006, approximately 5% of the total installed base. If successfully exploited, it grants an attacker the ability to achieve remote code execution (RCE) with elevated privileges.

Since May, Mandiant has been in hot pursuit of UNC4841, and has compiled an exhaustive timeline of the threat actor’s activity during the campaign, from the initial surge of activity in November 2022 through to a surge in May 2023 when the patch was issued, and then another, previously undisclosed wave in June 2023.

In the second wave, Mandiant said it discovered UNC4841 attempting to maintain its access to the compromised environments that it deemed most valuable through three newly identified malwares dubbed Skipjack, Depthcharge, Foxtrot and Foxglove. The first three of these are all backdoors, while Foxglove acts as a launcher for Foxtrot.

A little over 15% of observed victims were national government bodies, and just over 10% were local government bodies, said Mandiant. The campaign also heavily targeted high tech and IT companies, and organistions operating in the telecoms, manufacturing, higher education and aerospace and defence sectors – all verticals in which the Chinese state has shown an interest. The victims on whose systems the backdoor malwares were detected skewed heavily towards government, high tech and IT organisations.

Mandiant said it was confident that UNC4841 was conducting espionage operations for the Chinese state. It added that it has not been possible to link the campaign to any other previously known threat actor, although there are some infrastructure overlaps with another group known as UNC2286; and another campaign targeting Fortinet appliances seems to be running in a similar fashion with similar malwares. This does not necessarily indicate a firm connection; shared infrastructure and techniques are common across China-nexus threat actors.

“Over the course of the investigation, UNC4841 has proven to be highly responsive to defensive efforts and has actively modified TTPs to maintain access within victim environments to continue their espionage operation,” wrote Larsen and the report’s co-authors, John Palmisano, John Wolfram, Mathew Potaczek and Michael Raggi.

“Mandiant strongly recommends impacted Barracuda customers continue to hunt for UNC4841 activity within networks impacted by a compromised ESG. Due to their demonstrated sophistication and proven desire to maintain access, Mandiant expects UNC4841 to continue to alter their TTPs and modify their toolkit as network defenders continue to take action against this adversary, and their activity is further exposed by the security community. Mandiant anticipates UNC4841 will continue to edge devices in the future,” they said.

Timeline of CVE-2023-2868

  • 23/4 May 2023: Barracuda Networks said threat actors exploited the zero-day to gain ‘unauthorised access to a subset of email gateway appliances’, though it did not say how many.
  • 31 May: Barracuda said a zero-day flaw used to target its email security gateway appliance customers is a remote command injection vulnerability exploited since at least October 2022.
  • 9 June: Owners of Barracuda Email Security Gateway appliances are being told that they will need to throw out and replace their kit after it emerged that a patch for a recently disclosed vulnerability had not done the job.
  • 15 June: Intelligence from Mandiant links exploitation of a flaw in a subset of Barracuda ESG appliances to a previously untracked China-nexus threat actor.
  • 28 July: CISA said that that 'Submarine' is a novel persistent backdoor used in attacks against Barracuda Email Security Gateway appliances vulnerable to CVE-2023-2868.
  • 24 August: FBI alert comes after Barracuda Networks issued an advisory stating that patches for CVE-2023-2868 were insufficient and all affected ESG devices need to be replaced.

Read more on Data breach incident management and recovery