A zero-day vulnerability in the Barracuda Email Security Gateway (ESG) discovered in late May was exploited in a Chinese espionage campaign from October 2022, according to Mandiant.
The Google-owned threat intelligence firm revealed in a new report yesterday that new threat actor UNC4841 began sending phishing emails as far back as October 10 last year.
These malicious emails contained file attachments designed to exploit the Barracuda bug CVE-2023-2868 to gain initial access to vulnerable appliances, it added.
Read more on Chinese APT activity: Cyber Warfare Escalates Amid China-Taiwan Tensions.
Once a foothold has been established, the group used Saltwater, Seaside and Seaspray malware to maintain a presence on the devices by masquerading as legitimate Barracuda ESG modules or services.
“Post initial compromise, Mandiant and Barracuda observed UNC4841 aggressively target specific data of interest for exfiltration, and in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network, or to send mail to other victim appliances,” it continued.
“Mandiant has also observed UNC4841 deploy additional tooling to maintain presence on ESG appliances.”
Barracuda discovered the campaign on May 19 and released patches to contain and remediate the threat two days later. However, the threat group switched malware and deployed new persistence mechanisms to maintain access, Mandiant explained.
Between May 22 and 24, UNC4841 targeted victims in 16 countries with “high frequency” operations, prompting Barracuda to take the unusual step of urging customers to isolate and replace their appliances, whatever their patch status.
The security vendor was praised for its rapid response and sharing of product-specific expertise that enabled a fully-fledged investigation.
However, the threat from UNC4841 persists.
“UNC4841 has shown to be highly responsive to defensive efforts and actively modifies TTPs to maintain their operations. Mandiant strongly recommends impacted Barracuda customers continue to hunt for this actor and investigate affected networks,” Mandiant concluded.
“We expect UNC4841 will continue to alter their TTPs and modify their toolkit, especially as network defenders continue to take action against this adversary and their activity is further exposed by the infosec community.”
The threat actor is assessed to be an espionage actor working to support the Chinese government. A third of its victims were government agencies, although individual targets included well-known academics in Taiwan and Hong Kong, and Asian and European government officials in South East Asia.
Editorial image credit: Ken Wolter / Shutterstock.com