peterschreiber.media - stock.ado

China’s UNC4841 pivots to new Barracuda ESG zero-day

The Chinese state threat actor behind a series of cyber attacks on Barracuda Networks customers embarked on a campaign targeting the supplier’s email security products in the run-up to Christmas

The Chinese state threat actor tracked as UNC4841 that last year attacked users of Barracuda Networks’ Email Security Gateway (ESG) appliances through a remote code execution (RCE) vulnerability has been back in action, exploiting a newly disclosed zero-day to target high-profile Barracuda customers.

Barracuda officially disclosed the vulnerability on Christmas Eve, three days after it had deployed an update to all active ESG appliances, but not before UNC4841 had exploited it to deliver new variants of its Seaspy and Saltwater malwares to a “limited number” of devices.

The vulnerability in question, CVE-2023-7102, is an arbitrary code execution (ACE) flaw in the Spreadsheet::ParseExcel open source library, a Perl module that is in turn used by the open source Amavis virus scanner, which runs on ESG appliances.

Speaking to Computer Weekly sister title TechTarget Security on 28 December 2023, Mandiant senior incident response consultant Austin Larsen, who has worked extensively with Barracuda since the May 2023 disclosures, said: “Mandiant believes this campaign was initiated on our about 30 November 2023 as part of UNC4841’s ongoing espionage operations.

“Barracuda responded promptly by deploying updates to remediate the vulnerability and the ESG appliances that may have been compromised by the newly identified malware variants,” he said.

According to Mandiant, the vulnerability can be easily exploited if the target receives an email with a specially crafted Excel attachment. When the Barracuda ESG appliance scans this inbound email, the code executes without any input from the user, which makes it particularly dangerous.

Barracuda said that given the update was deployed automatically, its customers do not need to take any further action.

Second designation

However, the story does not end there. Given that the vulnerable Perl module is used by others in a wider context, the ACE flaw has also been assigned a second designation, CVE-2023-7101.

“This Perl module is used to parse Excel files,” said Mike Walters, president and co-founder of Action1, a patch management specialist. “The vulnerability in Spreadsheet::ParseExcel is caused by passing unverified input data from a file to the “eval” function with a string type.

“Specifically, the issue is related to the evaluation of numeric format strings in Excel’s parsing logic,” he said.

“Organisations using Spreadsheet::ParseExcel in their solutions are urged to investigate CVE-2023-7101 and take necessary remediation steps immediately. Regarding the new campaign by this known actor, experts believe that the APT still possesses more zero-days, which will be used cautiously in attacks against large targets.”

Multi-year campaign

UNC4841’s interest in Barracuda Networks’ products dates back over a year at this point, with its initial activity around CVE-2023-2868 starting in October 2022, with an initial surge in victim numbers at the beginning of November. Subsequent waves of activity have followed since the May 2023 disclosure, reaching its highest intensity in June.

The group is described as a “well-resourced” operation with a variety of malware families designed to be selectively deployed at high-priority targets around the world, the majority of them in the US and Canada, although high numbers of intrusions have also been seen in Belgium, Germany, Japan, Malaysia, Poland, Taiwan and Vietnam. A smaller number of victims was found in the UK.

Verticals of interest to the group include government and public sector bodies, high-tech and IT operations, telcos, manufacturing and educational institutions, all targets that are generally considered of high value to the Chinese state.

Larsen said that UNC4841 has shown itself to be highly responsive to defensive efforts, and actively modifies its tactics, techniques and procedures (TTPs) post-compromise to maintain access to victim environments.

Given this, it’s strongly recommended that even though they have been patched for nearly a fortnight, all Barracuda customers should continue to monitor for UNC4841’s presence in their networks, as the group is likely altering and modifying its TTPs even now, and is likely to continue to seek out new flaws in edge appliances going forward.

Timeline of UNC4841’s Barracuda campaign

23-24 May 2023: Barracuda Networks said threat actors exploited the zero-day to gain “unauthorised access to a subset of email gateway appliances”, though it did not say how many.

31 May: Barracuda said a zero-day flaw used to target its email security gateway appliance customers is a remote command injection vulnerability exploited since at least October 2022.

9 June: Owners of Barracuda Email Security Gateway appliances were told they would need to throw out and replace their kit after it emerged that a patch for a recently disclosed vulnerability had not done the job.

15 June: Intelligence from Mandiant linked exploitation of a flaw in a subset of Barracuda ESG appliances to a previously untracked China-nexus threat actor.

28 July: CISA described a novel persistent backdoor – Submarine – used in attacks against Barracuda Email Security Gateway appliances vulnerable to CVE-2023-2868.

24 August: The FBI issued a new alert after Barracuda Networks issued an advisory stating that patches for CVE-2023-2868 were insufficient and all affected ESG devices need to be replaced.

29 August: Mandiant published details of how UNC4841 targeted high-profile users of Barracuda Networks’ Email Security Gateway appliances, including government agencies of interest to Beijing’s intelligence goals.

Read more on Hackers and cybercrime prevention