securityaffairs.com
Open in
urlscan Pro
2606:4700:3031::6815:90b
Public Scan
URL:
https://securityaffairs.com/147511/apt/barracuda-esg-zero-day-china-apt.html
Submission: On June 16 via api from TR — Scanned from DE
Submission: On June 16 via api from TR — Scanned from DE
Form analysis 1 forms found in the DOM
Name: searchform — GET https://securityaffairs.com/
<form role="search" method="get" name="searchform" id="searchform" action="https://securityaffairs.com/">
<div>
<input type="text" value="" name="s" id="s" autocomplete="off" title="Search..." class="blur">
<button type="submit">
<i class="fa fa-search"></i>
</button>
</div>
<div id="autocomplete"></div>
</form>Text Content
WE VALUE YOUR PRIVACY We and our partners store and/or access information on a device, such as cookies and process personal data, such as unique identifiers and standard information sent by a device for personalised ads and content, ad and content measurement, and audience insights, as well as to develop and improve products. With your permission we and our partners may use precise geolocation data and identification through device scanning. You may click to consent to our and our partners’ processing as described above. Alternatively you may access more detailed information and change your preferences before consenting or to refuse consenting. Please note that some processing of your personal data may not require your consent, but you have a right to object to such processing. Your preferences will apply to this website only. You can change your preferences at any time by returning to this site or visit our privacy policy. MORE OPTIONSAGREE Ad * Home * Cyber Crime * Cyber warfare * APT * Data Breach * Deep Web * Digital ID * Hacking * Hacktivism * Intelligence * Internet of Things * Laws and regulations * Malware * Mobile * Reports * Security * Social Networks * Terrorism * ICS-SCADA * POLICIES * Contact me MUST READ Headlines * Barracuda ESG zero-day exploited by China-linked APT * Russia-linked APT Gamaredon update TTPs in recent attacks against Ukraine * Cybersecurity agencies published a joint LockBit ransomware advisory * Microsoft links Cadet Blizzard APT to Russia's military intelligence GRU * Critical flaw found in WooCommerce Stripe Gateway Plugin used by +900K sites * Unveiling the Balada injector: a malware epidemic in WordPress Ad * Home * Cyber Crime * Cyber warfare * APT * Data Breach * Deep Web * Digital ID * Hacking * Hacktivism * Intelligence * Internet of Things * Laws and regulations * Malware * Mobile * Reports * Security * Social Networks * Terrorism * ICS-SCADA * POLICIES * Contact me BARRACUDA ESG ZERO-DAY EXPLOITED BY CHINA-LINKED APT June 15, 2023 By Pierluigi Paganini EXPERTS LINKED THE UNC4841 THREAT ACTOR BEHIND THE ATTACKS EXPLOITING THE RECENTLY PATCHED BARRACUDA ESG ZERO-DAY TO CHINA. Mandiant researchers linked the threat actor UNC4841 behind the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China. “Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors.” reads the report published by Mandiant. “Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.” 00:00/00:00 At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability. The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening, the issue was discovered on May 19 and the company fixed it with the release of two security patches on May 20 and 21. The issue could have a significant impact because the impacted Email Security Gateway (ESG) appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses. The vulnerability doesn’t impact other Barracuda products, the company states that its SaaS email security services is not affected by this issue. The company investigated the flaw and discovered that it was exploited to target a subset of email gateway appliances. The company notified via the ESG user interface the customers whose appliances they believe were impacted. On May 30, 2023, the vendor provided a Preliminary Summary of Key Findings related to its investigation that includes a timeline of events, Indicators of Compromise (IOCs), and recommended actions for impacted customers. As per the vendor’s statement, the flaw has been exploited in real-world scenarios, with incidents dating back to October 2022 at the very least. “Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.” reads the update provided by the company. Threat actors exploited the flaw CVE-2023-2868 to obtain unauthorized access to a subset of ESG appliances. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances allowing for persistent backdoor access. The company confirmed that the CVE-2023-2868 was first exploited in October 2022. The families of malware employed in the attacks are: * SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary. * SEASPY – An x64 ELF persistent backdoor masquerades as a legitimate Barracuda Networks service and posing itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”. * SEASIDE is a module written in Lua for bsmtpd, it establishes a reverse shell via SMTP HELO/EHLO commands sent via the malware’s C2 server. Last week the company published a new statement urging customers to immediately replace the ESG appliances, regardless of patch version level. “Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).” urges the company. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.” On May 28, US Cybersecurity and Infrastructure Security Agency (CISA) added a recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities Catalog. According to Mandiant, starting as early as October 10, 2022, the UNC4841 group sent spear-phishing emails to victim organizations. The email contained a weaponized attachment crafted to exploit the flaw CVE-2023-2868 to access vulnerable Barracuda ESG appliances. Once compromised the ESG device, UNC4841 was observed stealing specific data of interest, and in some cases, the attackers used the access to the appliance for lateral movement, or to send mail to other victim appliances. The threat actors also deployed additional tools to maintain a presence on ESG appliances. “Observed emails contained generic email subject and body content, usually with poor grammar and in some cases still containing placeholder values.” continues the report. “Mandiant assesses UNC4841 likely crafted the body and subject of the message to appear as generic spam in order to be flagged by spam filters or dissuade security analysts from performing a full investigation. Mandiant has observed this tactic utilized by advanced groups exploiting zero-day vulnerabilities in the past.” Mandiant researchers also reported that the UNC4841 used a rootkit dubbed SandBar, which was in the form of a trojanized network file system kernel module for linux (nfsd_stub.ko). The rootkit relies on hooks to hide processes that begin with a specified name. “SANDBAR hides the process ID from being displayed when the /proc filesystem is queried. SANDBAR hooks the “iterate_shared” routine of the “file_operations” structure for the /proc filesystem and the subsequent “filldir” callback to hide the process. It appears to be adapted from publicly available rootkit code.” continues the report. The group also used trojanized versions of several legitimate Barracuda LUA modules, which contain the code to perform various operations when certain email-related events are received by the appliance. The experts analyzed three trojanized modules that were grouped in two different malware families: SEASPRAY and SKIPJACK. Most of the attacks observed by Mandiant targeted Americas (55%), followed by EMEA (24%), and APAC (22%). Almost one out of three affected organizations were government agencies, a circumstance that suggests that the attacks were carried out as part of a cyber espionage campaign. “Mandiant assesses with high confidence that UNC4841 conducted espionage activity in support of the People’s Republic of China. While Mandiant has not attributed this activity to a previously known threat group at this time, we have identified several infrastructure and malware code overlaps that provide us with a high degree of confidence that this is a China-nexus espionage operation.” concludes the report. “Additionally, the targeting, both at the organizational and individual account levels, focused on issues that are high policy priorities for the PRC, particularly in the Asia Pacific region including Taiwan.” Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Barracuda ESG) SHARE THIS: * Email * Twitter * Print * LinkedIn * Facebook * More * * Tumblr * Pocket * BarracudaChinacyber espionageESGHackinghacking newsinformation security newsIT Information SecurityPierluigi PaganiniSecurity AffairsSecurity News -------------------------------------------------------------------------------- SHARE ON * * * * * * * PIERLUIGI PAGANINI Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”. -------------------------------------------------------------------------------- PREVIOUS ARTICLE Russia-linked APT Gamaredon update TTPs in recent attacks against Ukraine -------------------------------------------------------------------------------- YOU MIGHT ALSO LIKE RUSSIA-LINKED APT GAMAREDON UPDATE TTPS IN RECENT ATTACKS AGAINST UKRAINE June 15, 2023 By Pierluigi Paganini CYBERSECURITY AGENCIES PUBLISHED A JOINT LOCKBIT RANSOMWARE ADVISORY June 15, 2023 By Pierluigi Paganini * Ad * DIGGING THE DEEP WEB: EXPLORING THE DARK SIDE OF THE WEB * CENTER FOR CYBER SECURITY AND INTERNATIONAL RELATIONS STUDIES * Ad * SUBSCRIBE SECURITY AFFAIRS NEWSLETTER * SECURITYAFFAIRS AWARDED AS BEST EUROPEAN CYBERSECURITY TECH BLOG AT EUROPEAN CYBERSECURITY BLOGGER AWARDS More Story RUSSIA-LINKED APT GAMAREDON UPDATE TTPS IN RECENT ATTACKS AGAINST UKRAINE Russia-linked APT group Gamaredon is using a new toolset in attacks aimed at critical organizations in Ukraine. The Gamaredon... Copyright 2021 Security Affairs by Pierluigi Paganini All Right Reserved. Back to top * Home * Cyber Crime * Cyber warfare * APT * Data Breach * Deep Web * Digital ID * Hacking * Hacktivism * Intelligence * Internet of Things * Laws and regulations * Malware * Mobile * Reports * Security * Social Networks * Terrorism * ICS-SCADA * POLICIES * Contact me We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent. Cookie SettingsAccept All Manage consent Close PRIVACY OVERVIEW This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities... Necessary Necessary Always Enabled Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information. Non-necessary Non-necessary Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website. SAVE & ACCEPT Go to mobile version