Chinese Hackers Still Exploiting Barracuda ESG Flaw: Mandiant

A highly adaptable China-linked threat group that was exploiting a zero-day flaw in Barracuda Networks devices before the vendor patched the vulnerability in May is using new malicious tools to maintain a presence in many of the compromised appliances.

The cyberthreat gang, UNC4841, for eight months abused the remote command injection vulnerability – tracked as CVE-2023-2868 – to compromise versions of Barracuda’s Email Security Gateway (ESG) systems for espionage operations that targeted national and local government entities in the United States and elsewhere, as well as private companies in high tech and IT, telecommunications, manufacturing, universities, and other sectors, according to Mandiant researchers.

Almost a third of the victims were government agencies, the researchers wrote in a report this week.

Since Barracuda released the vulnerability fix three months ago, neither the networking and security tech vendor nor Mandiant has seen the flaw exploited to compromise any physical or virtual ESG appliances, they wrote. However, the hackers are deploying new malware to maintain a presence in some of the systems that they had already compromised.

“A limited number of previously impacted victims remain at risk due to this campaign,” the researchers wrote, noting a spike in activity in the campaign in June, the second such jump since right after the vulnerability fix was released by Barracuda. “In this second wave, Mandiant discovered the actor attempting to maintain access to compromised environments via the deployment of new malware families.”

Enter SkipJack, DepthCharge, FoxGlove, and FoxTrot

The malware includes SkipJack, a passive backdoor that plants malicious Lua scripts on Barracuda ESG appliances, and DepthCharge (tracked by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, as Submarine), another passive backdoor that decrypts encrypted commands via OpenSSL and sends information back to the command-and-control (C2) server.

UNC4841 also is using the FoxGlove launcher to essentially pave the way for FoxTrot, which is written in C++ and can be used as a proxy to capture keystrokes, create reverse shells, execute shell commands, and transfer files.

SkipJack was the most widely deployed of the new malware families run by UNC4841 – it was seen on about 5.8% of compromised ESG appliances – while FoxGlove and FoxTrot were not specifically designed to infect Barracuda’s ESGs, the researchers wrote.

Attacks on Barracuda customers exploiting the zero-day flaw began in October 2022, with Google-owned Mandiant, CISA, and FBI later attributing the attacks to the threat group. Barracuda disclosed the flaw in May and issued a patch, but the attackers continued their assault on the appliances already compromised.

The vendor on June 6 issued an “action notice” urging users to replace all compromised ESG appliances.

Heed the Warning and Replace the Appliances

Since then, Barracuda has continued to reiterate the message of replacing such appliances – with the latest reminder coming this week – and Mandiant has released two reports, including the most recent one this week. CISA earlier this month issued its latest analysis of the Barracuda backdoors and this week published additions to the known indicators of compromise (IoCs) connected to CVE-2023-2868.

The FBI last week issued its own advisory stating that UNC4841 – which the agency said is supported by the Chinese government – was continuing to exploit the Barracuda vulnerability.

“The cyber actors exploited this vulnerability in a significant number of ESG appliances and injected multiple malicious payloads that enabled persistent access, email scanning, credential harvesting, and data exfiltration,” the FBI wrote. “In many cases, the cyber actors obfuscated their actions with counter-forensic techniques, making detection of compromise difficult through only scanning the appliance itself for indicators of compromise.”

Because on-appliance scanning alone can miss the compromise, organizations need to review network logs for connections to any of the listed IoCs, the agency wrote.
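The FBI’s recommendation amounts to matching outbound connection records from the network edge against the published IoC list. The script below is an added illustration of that check, not code from the article, the FBI, or Barracuda. The IoC values and the log lines it scans are constructed placeholders (RFC 5737 and RFC 2606 example ranges), not real UNC4841 infrastructure; in practice the three IoC sets would be loaded from the CISA/FBI advisories and the log format adjusted to the firewall or proxy export in use.

```python
"""Match outbound connection logs against an IoC list (added example).

Everything here is constructed for illustration: the IoC IPs, network and
domain are documentation-range placeholders, and the log format is a
hypothetical "<timestamp> <src> -> <dst>:<port> [host=<name>]" export.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed IoC sets. Replace with the indicators published by CISA/FBI.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_NETS = [ipaddress.ip_network("192.0.2.0/24")]
IOC_DOMAINS = {"update.example.invalid"}

# Constructed sample log: one hit on IP and host, one hit on a CIDR range,
# two benign lines, and one line that does not parse.
SAMPLE_LOG = """\
2023-06-10T02:14:07Z 10.0.0.5 -> 198.51.100.23:443 host=update.example.invalid
2023-06-10T02:15:11Z 10.0.0.5 -> 8.8.8.8:53
2023-06-10T02:16:45Z 10.0.0.9 -> 192.0.2.40:8080
2023-06-10T02:17:02Z 10.0.0.5 -> 93.184.216.34:443 host=example.com
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)"
    r"(?:\s+host=(?P<host>\S+))?\s*$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    port: int
    reason: str


def _ip_in_iocs(ip_text: str) -> bool:
    """True if the address is listed directly or falls inside a listed range."""
    if ip_text in IOC_IPS:
        return True
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP literal (e.g. a hostname); no range match
    return any(ip in net for net in IOC_NETS)


def classify(line: str) -> Optional[Hit]:
    """Return a Hit when the destination IP or TLS/HTTP host is an IoC."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than silently drop state
    dst, host = m["dst"], m["host"]
    reasons = []
    if _ip_in_iocs(dst):
        reasons.append(f"dst ip {dst} in IoC list")
    if host and host.lower().rstrip(".") in IOC_DOMAINS:
        reasons.append(f"host {host} in IoC list")
    if not reasons:
        return None
    return Hit(m["ts"], m["src"], dst, int(m["port"]), "; ".join(reasons))


def scan_log(text: str) -> List[Hit]:
    """Scan a whole log export and return every matching connection."""
    return [h for h in (classify(l) for l in text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.src} -> {hit.dst}:{hit.port}  {hit.reason}")
```

Matching on both the destination address and the observed host name matters: C2 infrastructure is often fronted by shared hosting or rotated IPs, so a domain indicator can fire where the IP list alone would not, and the source address in each hit tells you which internal host (here, the ESG appliance) to pull for further investigation.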

The Links to the Chinese Government

The Mandiant researchers said they’ve found that the infrastructure used by UNC4841 overlaps with that of another Chinese threat group, UNC2268. In addition, another espionage-focused China-based group, UNC3886, uses custom malware that – similar to FoxTrot – is based on modified Reptile source code. There also are other code overlaps with known Chinese groups.

“Shared infrastructure and techniques for anonymization are common amongst Chinese cyber espionage actors, as is shared tooling and likely malware development resources,” they wrote, adding that “these observations are evidence of the higher level trends we have observed in Chinese cyber espionage and the evolution toward more purposeful, stealthy, and effective operations that avoid detection and complicate attribution.”

It’s likely Chinese espionage operations will continue targeting edge infrastructure via zero-day vulnerabilities and the use of malware customized to specific appliances, they wrote.


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
