Source: SecurityWeek
Summary
Recent attacks exploiting a zero-day vulnerability in a Barracuda Networks email security appliance have been attributed to UNC4841, believed to be a Chinese state-sponsored cyber actor. The zero-day vulnerability exploited in the campaign, designated CVE-2023-2868, affects Barracuda’s Email Security Gateway (ESG) versions 5.1.3.001 through 9.2.0.006. Threat actors can achieve remote command injection by sending an email containing a specially crafted TAR file as an attachment. The TAR file allows UNC4841 to establish a reverse shell, after which a custom backdoor is downloaded to the device. The weaponized emails are poorly written and likely designed to be caught by the recipient’s spam filter to go unnoticed.
After Barracuda released a patch for affected systems, UNC4841 quickly modified its malware to deploy additional persistence mechanisms to bypass the patch. UNC4841 was observed exfiltrating email-related data from victims, including European and Asian government officials in Southeast Asia, as well as high-profile academics in Hong Kong and Taiwan. Other targets included the Ministry of Foreign Affairs of the Association of Southeast Asian Nations (ASEAN), foreign trade offices, and academic research organizations.
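As an added defender-side example (not code from the page, Field Effect or Barracuda), the following Python scanner opens every TAR attachment of an e-mail and flags archive member names that carry shell metacharacters, the kind of crafted attachment the summary describes. It assumes, which the summary does not state, that the crafted element is a TAR member name; the sample e-mail and filenames are constructed.

```python
import email
import io
import re
import tarfile
from email import policy
from email.message import EmailMessage

# Shell metacharacters that would be interpreted if a member name were ever
# interpolated into a command line. Assumption for this added example: the
# crafted element is a TAR member name (the summary does not say this).
# Legitimate archives rarely contain these, so any hit is worth quarantining.
SHELL_META = re.compile(r"[`$|;&<>(){}\n]")


def suspicious_tar_members(data: bytes) -> list[str]:
    """Return TAR member names containing shell metacharacters; [] if the
    bytes are not a readable TAR, so every attachment can be scanned
    without trusting its declared filename or MIME type."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            return [m.name for m in tar.getmembers() if SHELL_META.search(m.name)]
    except tarfile.TarError:
        return []


def scan_eml(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename to its suspicious member names (hits only)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        hits = suspicious_tar_members(payload) if payload else []
        if hits:
            findings[part.get_filename() or "<unnamed>"] = hits
    return findings


def build_sample_eml(member_names: list[str]) -> bytes:
    """Constructed fixture: an e-mail with one TAR attachment whose members
    carry the given names and empty contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            tar.addfile(tarfile.TarInfo(name))  # size 0: header only
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="x-tar", filename="report.tar")
    return msg.as_bytes()
```

Hooking `scan_eml` into a mail-flow hold queue lets the gateway quarantine an archive for analyst review before any downstream component parses it.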
Analysis
The quick modification of malware in response to patches indicates a highly motivated and technically sophisticated actor is behind this activity. Furthermore, the targeted entities would be of considerable interest to the Chinese Government and align with its current intelligence requirements. UNC4841 has likely been able to glean valuable information from the compromised targets and is thus devoting considerable time and effort to keep this campaign active as long as possible.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Barracuda Networks Email Security Gateway. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect recommends that organizations review the advisory issued by Barracuda and follow the mitigation steps included therein.