Some already compromised Barracuda Networks ESG email gateways remain vulnerable to continued exposure despite users being warned to replace the appliances, say researchers at Mandiant.
In a report released this morning, the company says a limited number of previously impacted victims remain at risk due to a campaign of attacks by a China-aligned espionage group it calls UNC4841 exploiting a remote command injection vulnerability (CVE-2023-2868).
Compromised gateways where malware and a persistence backdoor were found are considered so untrustworthy that Barracuda, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the FBI have been urging network administrators to get rid of the devices rather than patch them.
The gang’s global espionage campaign began eight months ago, says the report. The U.S. and Canada were the biggest targets, followed by China, Germany, the Netherlands, Poland, Japan, and Vietnam.
Almost a third of the identified affected organizations are government agencies. The second-largest group is firms in the high-tech and IT industries.
North American affected organizations included state, provincial, county, tribal, city, and town governments, among them law enforcement offices, judiciaries, and social service offices, as well as several incorporated towns.
But also hit were firms in the semiconductor, public health, aerospace, artificial intelligence/autonomous vehicle, and rare earth metal production sectors.
A sign of how determined this threat actor is: after Barracuda’s May 23 announcement of the vulnerability, it deployed new malware. Mandiant calls these malware families Skipjack (a passive backdoor for listening to communications), DepthCharge (a backdoor that the U.S. Cybersecurity and Infrastructure Security Agency calls Submarine), Foxglove (a malware launcher), Foxtrot (the accompanying payload that, among other things, can capture keystrokes) and a second version of SeaSpy (a passive backdoor). The goal was to maintain a presence at a small subset of high-priority targets that it had compromised either before the patch was released or shortly after Barracuda’s remediation guidance.
However, the report says, since Barracuda released a patch to ESG appliances on May 20, Mandiant and Barracuda have not identified evidence of successful exploitation of CVE-2023-2868 resulting in any newly compromised physical or virtual ESG appliances.
Only five per cent of all installed ESG appliances were compromised. No other Barracuda products, including Barracuda’s SaaS email solutions, were affected by this vulnerability.
Mandiant believes UNC4841 was likely utilizing the contents of messages stored within the mstore, a temporary storage location on the ESG appliances, to harvest credentials. Several times Mandiant identified cleartext credentials contained within the contents of messages stored on the ESG that UNC4841 subsequently used to successfully access the account through Outlook Web Access (OWA) on the first attempt.
In more than one case, the report says, Mandiant saw the threat actor using OWA to attempt to log in to mailboxes of users within the victim organization. In one case, a relatively small number of unsuccessful OWA access attempts resulted in the lockout of a limited number of accounts. In the cases where UNC4841 obtained unauthorized access to a limited number of accounts, Mandiant did not see UNC4841 send any email from the compromised account.
Mandiant believes the attacker was likely attempting to maintain access to compromised users’ mailboxes to gather information for espionage purposes after ESG devices were patched.
In addition to attempts to move laterally to Active Directory and OWA, Mandiant also saw attempts by UNC4841 to move laterally via SSH to VPNs, Proxy Servers, and other edge appliances on the victims’ network.
In some cases the attacker created accounts on ESG appliances as another form of remote access. The actor would then spawn an SSH daemon process listening on a specific high port and allow login from the newly created user account, giving it another means of maintaining backdoor access to compromised appliances.
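The two persistence traits described above, an unexpected local account and an SSH daemon listening on a non-standard high port, are both visible in routine host inventory. The following is an added example (not code from the report, from Mandiant, or from Barracuda) showing how a defender could flag them from a captured `ss -lntp` listing and an `/etc/passwd` dump. The sample listener output, the sample accounts, the baseline port set (`22` only) and the known-account list are all constructed for illustration; a real appliance's expected services and accounts are not given on this page and would have to be taken from a known-good baseline of your own.

```python
import re

# Constructed sample of `ss -lntp`-style output from a hypothetical appliance.
# The sshd on port 48213 is the pattern of interest: a second SSH daemon on
# a high port, separate from the expected service on port 22.
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:25          0.0.0.0:*          users:(("smtpd",pid=1201,fd=5))
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*          users:(("httpd",pid=1330,fd=4))
LISTEN  0       128     0.0.0.0:48213       0.0.0.0:*          users:(("sshd",pid=9104,fd=3))
"""

# Constructed sample of /etc/passwd. "support" is the unexpected login-capable
# account; the others are in the (hypothetical) baseline.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
support:x:1001:1001::/home/support:/bin/bash
"""

# Assumed baseline: where sshd is allowed to listen, and which accounts are known.
EXPECTED_SSH_PORTS = {22}
KNOWN_ACCOUNTS = {"root", "daemon", "sshd"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Matches one LISTEN line of `ss -lntp` and pulls out local port, process name and pid.
LISTEN_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output: str) -> list[dict]:
    """Return one dict per listening socket: {port, proc, pid}. Header lines are skipped."""
    sockets = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            sockets.append({"port": int(m["port"]), "proc": m["proc"], "pid": int(m["pid"])})
    return sockets


def find_rogue_sshd(ss_output: str, expected_ports: set[int] = EXPECTED_SSH_PORTS) -> list[dict]:
    """Flag any sshd process listening on a port outside the baseline."""
    return [s for s in parse_listeners(ss_output)
            if s["proc"] == "sshd" and s["port"] not in expected_ports]


def find_unexpected_login_accounts(passwd_text: str, baseline: set[str] = KNOWN_ACCOUNTS) -> list[str]:
    """Flag accounts with an interactive shell that are not in the known-account baseline."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed or blank line
        name, shell = fields[0], fields[6]
        if name not in baseline and shell not in NOLOGIN_SHELLS:
            found.append(name)
    return found


if __name__ == "__main__":
    for s in find_rogue_sshd(SAMPLE_LISTENERS):
        print(f"ALERT: sshd pid {s['pid']} listening on unexpected port {s['port']}")
    for name in find_unexpected_login_accounts(SAMPLE_PASSWD):
        print(f"ALERT: login-capable account not in baseline: {name}")
```

Run against the constructed data, the script reports the sshd on port 48213 and the `support` account. The useful design point is that both checks compare against a baseline rather than looking for a specific port or username, since the report describes the port as attacker-chosen and the account as newly created, so neither value can be known in advance.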
Mandiant believes UNC4841 will continue to target edge devices.