Chinese Hackers Exploit Barracuda ESG Zero-Day

Chinese hackers in a state-run cyberespionage operation compromised hundreds of organizations through a zero-day vulnerability in a popular email security appliance, warned cyber threat intelligence firm Mandiant.

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

The campaign is the broadest Chinese cyber spying campaign in years, the company said, calling its assessment of a Beijing link a “high confidence” judgment.

Hackers used a zero-day vulnerability in Barracuda Networks Email Security Gateway appliances they began exploiting in October, and possibly earlier. Barracuda Networks issued its first security patch on May 20 after detecting the hackers on May 19.

The appliance company urged a subset of customers earlier this month to immediately replace their equipment regardless of whether they had applied the patch. Even with the fix, already-hacked appliances continued to show signs of infection. A company spokesperson in a Thursday email to Information Security Media Group said approximately 5% of active ESG appliances worldwide as of June 8 have shown evidence of known indicators of compromise (see: Breach Roundup: Barracuda Networks Recalls Hacked Appliances).

Mandiant isn’t attributing the campaign to a previously known Chinese threat actor, assigning it the moniker of UNC4841. Among the indicators pointing to its Chinese origin are infrastructure and malware code overlaps with other Beijing threat actors. “China-nexus cyber espionage operations often share tools and infrastructure,” Mandiant said.

The hackers’ capacity for lateral movement means they may still lurk inside victims’ networks, Mandiant warned. The zero-day was a remote command injection zero-day vulnerability tracked as CVE-2023-2868.

Known targets included a ministry of foreign affairs in a Southeast Asian country, as well as foreign trade offices and academic research organizations in Taiwan and Hong Kong. Hackers searched for email accounts belonging to officials whose government had been engaged in high-level diplomatic meetings with other countries.

A slim majority of hacked appliances appeared to be in the Americas, although that may be a reflection of Barracuda’s customer base.

Hackers gained initial access through emails that contained malicious .tar attachments. The emails observed by Mandiant were not specially crafted phishing emails. Rather, they “contained generic email subject and body lures, usually with poor grammar and in some cases still containing placeholder values” in what appears to be a deliberate attempt to have the emails flagged by spam filters or to discourage security analysts from performing a full investigation.

Hackers triggered the remote command injection by placing it into the filename of one of the tarball files. The actual content of the files was unimportant, since the maliciously crafted filename itself triggered the hack.

Mandiant and Barracuda identified three primary backdoors used by the hackers, whom they dub SeaSpy, Saltwater and Seaside. SeaSpy is the primary backdoor. Chinese hackers reacted to Barracuda’s patch by modifying SeaSpy and deploying it with new file names, Mandiant says – a warning that UNC4841 is changing its methods in real time and will likely continue to do so as defenders seek to root them out.