A suspected pro-China threat group, UNC4841, has been identified as the perpetrator of data-theft attacks on Barracuda Email Security Gateway (ESG) appliances. The group exploited a now-patched zero-day vulnerability, CVE-2023-2868, to gain unauthorized access and steal sensitive data.

Mandiant has attributed the intrusions to UNC4841, a group it assesses to conduct cyber espionage in support of the People’s Republic of China. The attacks specifically targeted Barracuda ESG appliances, leveraging a zero-day that has since been patched.

According to Mandiant’s report, the threat actors began operations as early as October 2022, using CVE-2023-2868 to inject system commands through the module that screens incoming email attachments. This let them install previously unknown malware on vulnerable appliances and exfiltrate sensitive data.


The vendor, Barracuda Networks, discovered the flaw on May 19th, 2023 and promptly released a security advisory urging affected customers to apply the updates. The Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert directing U.S. federal agencies to apply the patches.

In an unusual move, Barracuda told impacted customers to replace their devices entirely rather than reimage them with new firmware. The intrusions went deep enough into the appliances that a reimage could not be trusted to return a clean device.

John Palmisano, Mandiant Incident Response Manager, explained:

“Due to the sophistication displayed by UNC4841 and lack of full visibility into all compromised appliances, Barracuda has elected to replace and not reimage the appliance from the recovery partition out of an abundance of caution. This strategy ensures the integrity of all devices in situations in which Barracuda is unable to ensure the recovery partition was not compromised by the threat actor.”

UNC4841’s attack chain began with emails carrying specially crafted ‘.tar’ archives, often disguised with ‘.jpg’ or ‘.dat’ extensions. When the ESG appliance scanned such an attachment, CVE-2023-2868 was triggered and the actors could execute system commands on the device, giving them remote access.

Mandiant’s report further elaborated:

“It effectively amounts to unsanitized and unfiltered user-controlled input via the $f variable being executed as a system command through Perl’s qx{} routine. $f is a user-controlled variable that will contain the filenames of the archived files within a TAR. Consequently, UNC4841 was able to format TAR files in a particular manner to trigger a command injection attack that enabled them to remotely execute system commands with the privileges of the Email Security Gateway product.”
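The injection shape Mandiant describes above, shown as an added example that is not Barracuda’s product code nor Mandiant’s tooling: Python’s subprocess with shell=True stands in for Perl’s qx{}, `echo` stands in for the attachment scanner binary, and the TAR member names are constructed for illustration rather than taken from UNC4841’s payloads. The hardened form passes the name as a single argv element behind an allowlist, and `suspicious_tar_entries` is a triage check for archives already sitting in a quarantine.

```python
# Added example, not code from Barracuda or Mandiant. It reproduces the
# CVE-2023-2868 injection shape in Python (subprocess with shell=True in
# place of Perl's qx{}), shows the hardened form, and scans a TAR attachment
# for member names that carry shell metacharacters. The TAR and its member
# names are constructed here for illustration; they are not UNC4841's payloads.
import io
import re
import subprocess
import tarfile

# Characters the POSIX shell interprets. A member name inside a mail
# attachment has no legitimate need for any of them.
SHELL_META = re.compile(r"[`$;|&<>(){}\[\]\n\r'\"\\*?!~]")
# Allowlist for names we are willing to hand to the scanner at all.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def build_tar(names):
    """Constructed sample: a TAR containing one-byte members named `names`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()


def tar_member_names(tar_bytes):
    """Member names of a TAR held in memory; nothing is extracted."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return [m.name for m in tf.getmembers()]


def suspicious_tar_entries(tar_bytes):
    """Member names that would be dangerous if interpolated into a shell."""
    return [n for n in tar_member_names(tar_bytes) if SHELL_META.search(n)]


def scan_vulnerable(name):
    """The flawed pattern: the attacker-controlled member name is spliced into
    a command string that /bin/sh parses. `echo` stands in for the real
    scanner binary so the injected command shows up in the output."""
    proc = subprocess.run("echo " + name, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def scan_hardened(name):
    """Reject anything outside the allowlist, then pass the name as one argv
    element so no shell ever parses it."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"refusing to scan attachment with unsafe name {name!r}")
    proc = subprocess.run(["echo", name], capture_output=True,
                          text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    sample = build_tar(["invoice.jpg", "notes.dat", "a.jpg; echo INJECTED"])
    print("suspicious:", suspicious_tar_entries(sample))
    print("vulnerable:", scan_vulnerable("a.jpg; echo INJECTED").splitlines())
    print("hardened:", scan_hardened("invoice.jpg").strip())
```

The argv form is the actual fix; the allowlist is defense in depth, and in production it should be widened only as far as the downstream scanner genuinely needs. The member-name check is deliberately crude and will flag benign archives with odd names, which is the right trade-off for a post-incident sweep of a quarantine.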

Once inside the compromised Barracuda ESG devices, UNC4841 deployed several malware families, including ‘Saltwater,’ ‘Seaspy,’ and ‘Seaside,’ to carry out data exfiltration. These families were built to steal email data and, in some cases, to extend access further into the victim’s network.

The hackers went to great lengths to evade detection, modifying their malware and diversifying their persistence mechanisms after Barracuda released patches. Between May 22nd and May 24th, 2023, UNC4841 conducted a burst of high-frequency attacks against vulnerable devices belonging to government agencies and prominent organizations in at least 16 countries.


To establish persistence, the threat actors used cron jobs and backdoored modules of the Barracuda SMTP daemon (bsmtpd). ‘Saltwater’ is a trojanized bsmtpd module with backdoor functionality, and ‘Seaside’ is a Lua-based bsmtpd module that watches SMTP HELO/EHLO commands for a C2 address and port, which it hands to ‘Whirlpool,’ a utility that opens a TLS reverse shell. ‘Seaspy’ is a separate passive backdoor that masquerades as a legitimate Barracuda service and activates on a magic packet. The group also deployed ‘Sandbar,’ a trojanized Linux kernel module that hides processes to conceal its activity.

Mandiant’s analysis found that UNC4841 went after specific organizations: ASEAN ministries of foreign affairs (MFAs), foreign trade offices, and academic research organizations in Taiwan and Hong Kong. These entities saw targeted data exfiltration, indicating the group’s particular interest in information from those regions.

Given the group’s ability to adapt and diversify its tactics, Mandiant urges continued vigilance. All compromised Barracuda ESG appliances should be replaced, regardless of their patch level.


Indicators of Compromise (IoC)

IPs / domains (defanged with [.]) / MD5 hashes
101.229.146.218
103.146.179.101
103.27.108.62
103.77.192.13
103.77.192.88
103.93.78.142
104.156.229.226
104.223.20.222
107.148.149.156
107.148.219.227
107.148.219.53
107.148.219.54
107.148.219.55
107.148.223.196
107.173.62.158
137.175.19.25
137.175.28.251
137.175.30.36
137.175.30.86
137.175.51.147
137.175.53.17
137.175.53.170
137.175.53.218
137.175.60.252
137.175.60.253
137.175.78.66
139.84.227.9
155.94.160.72
182.239.114.135
182.239.114.254
192.74.226.142
192.74.254.229
198.2.254.219
198.2.254.220
198.2.254.221
198.2.254.222
198.2.254.223
199.247.23.80
213.156.153.34
216.238.112.82
23.224.42.29
23.224.78.130
23.224.78.131
23.224.78.132
23.224.78.133
23.224.78.134
37.9.35.217
38.54.113.205
38.54.1.82
38.60.254.165
45.63.76.67
52.23.241.105
64.176.4.234
64.176.7.59
bestfindthetruth[.]com
fessionalwork[.]com
gesturefavour[.]com
goldenunder[.]com
singamofing[.]com
singnode[.]com
togetheroffway[.]com
troublendsef[.]com
0d67f50a0bf7a3a017784146ac41ada0
42722b7d04f58dcb8bd80fe41c7ea09e
5392fb400bd671d4b185fb35a9b23fd3
ac4fb6d0bfc871be6f68bfa647fc0125
878cf1de91f3ae543fd290c31adcbda4
b601fce4181b275954e3f35b18996c92
827d507aa3bde0ef903ca5dec60cdec8
c56d7b86e59c5c737ee7537d7cf13df1
6f79ef58b354fd33824c96625590c244
349ca242bc6d2652d84146f5f91c3dbb
1fea55b7c9d13d822a64b2370d015da7
64c690f175a2d2fe38d3d7c0d0ddbb6e
4cd0f3219e98ac2e9021b06af70ed643
3b93b524db66f8bb3df8279a141734bb
8fdf3b7dc6d88594b8b5173c1aa2bc82
4ec4ceda84c580054f191caa09916c68
1b1830abaf95bd5a44aa3873df901f28
4ca4f582418b2cc0626700511a6315c0
c528b6398c86f8bdcfa3f9de7837ebfe
2d841cb153bebcfdee5c54472b017af2
c979e8651c1f40d685be2f66e8c2c610
1c042d39ca093b0e7f1412453b132076
ba7af4f98d85e5847c08cf6cefdf35dc
82eaf69de710abdc5dea7cd5cb56cf04
e80a85250263d58cc1a1dc39d6cf3942
5d6cba7909980a7b424b133fbac634ac
1bbb32610599d70397adfdaf56109ff3
4b511567cfa8dbaa32e11baf3268f074
a08a99e5224e1baf569fda816c991045
19ebfe05040a8508467f9415c8378f32
831d41ba2a0036540536c2f884d089f9
db4c48921537d67635bb210a9cb5bb52
694cdb49879f1321abb4605adf634935
5fdee67c82f5480edfa54afc5a9dc834
8fc03800c1179a18fbd58d746596fa7d
17696a438387248a12cc911fbae8620e
4c1c2db989e0e881232c7748593d291e
3e3f72f99062255d6320d5e686f0e212
7d7fd05b262342a9e8237ce14ec41c3b
2e30520f8536a27dd59eabbcb8e3532a
0245e7f9105253ecb30de301842e28e4
0c227990210e7e9d704c165abd76ebe2
c7a89a215e74104682880def469d4758
1bc5212a856f028747c062b66c3a722a
a45ca19435c2976a29300128dc410fd4
132a342273cd469a34938044e8f62482
23f4f604f1a05c4abf2ac02f976b746b
45b79949276c9cb9cf5dc72597dc1006
bef722484288e24258dd33922b1a7148
0805b523120cc2da3f71e5606255d29c
69ef9a9e8d0506d957248e983d22b0d5
3c20617f089fe5cc9ba12c43c6c072f5
76811232ede58de2faf6aca8395f8427
f6857841a255b3b4e4eded7a66438696
2ccb9759800154de817bf779a52d48f8
cd2813f0260d63ad5adf0446253c2172
177add288b289d43236d2dba33e65956
87847445f9524671022d70f2a812728f
35cf6faf442d325961935f660e2ab5a0
ce67bb99bc1e26f6cb1f968bc1b1ec21
e4e86c273a2b67a605f5d4686783e0cc
ad1dc51a66201689d442499f70b78dea
9033dc5bac76542b9b752064a56c6ee4
e52871d82de01b7e7f134c776703f696
446f3d71591afa37bbd604e2e400ae8b
666da297066a2596cacb13b3da9572bf
436587bad5e061a7e594f9971d89c468
85c5b6c408e4bdb87da6764a75008adf
407738e565b4e9dafb07b782ebcf46b0
cb0f7f216e8965f40a724bc15db7510b
19e373b13297de1783cecf856dc48eb0
881b7846f8384c12c7481b23011d8e45
f5ab04a920302931a8bd063f27b745cc
d098fe9674b6b4cb540699c5eb452cb5
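As an added example (not Mandiant’s or Barracuda’s tooling), the list above can be ingested, typed, and swept against mail-gateway logs and attachment hashes. The IOC values in the block are a subset copied from the list above; the log lines are constructed for the example and do not come from any appliance.

```python
# Added example, not tooling from Mandiant or Barracuda. It ingests the IOC
# list above (a subset is copied inline), classifies each entry, and sweeps
# log lines and attachment bytes for matches. SAMPLE_LOG is constructed
# for the example and does not come from any real appliance.
import hashlib
import ipaddress
import re

# Subset of the indicators published above; domains are defanged with [.]
RAW_IOCS = """
107.148.219.53
137.175.53.17
198.2.254.219
45.63.76.67
bestfindthetruth[.]com
gesturefavour[.]com
singnode[.]com
0d67f50a0bf7a3a017784146ac41ada0
42722b7d04f58dcb8bd80fe41c7ea09e
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DEFANGED_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,}$", re.I)
# Extractors for log text: an IPv4 literal not embedded in a longer dotted run,
# and a hostname whose final label is alphabetic (so IPs are not double-counted).
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?![A-Za-z0-9.-])")

# Constructed log lines in a bsmtpd/syslog style: lines 1 and 4 carry listed
# IPs, lines 3 and 4 carry listed domains, line 2 is benign.
SAMPLE_LOG = [
    "May 23 02:14:07 esg bsmtpd[2212]: connect from unknown[198.2.254.219]",
    "May 23 02:14:09 esg bsmtpd[2212]: client=mail.example.net[203.0.113.10]",
    "May 23 02:15:30 esg sh[2290]: resolving singnode.com",
    "May 23 02:15:31 esg sh[2290]: connect gesturefavour.com:443 via 107.148.219.53",
]


def classify_indicator(value):
    """('ip'|'domain'|'md5'|'unknown', normalised value) for one list entry.
    Domains are refanged ([.] -> .) and lower-cased on the way in."""
    v = value.strip()
    if MD5_RE.match(v):
        return "md5", v
    try:
        ipaddress.ip_address(v)
        return "ip", v
    except ValueError:
        pass
    if DEFANGED_DOMAIN_RE.match(v):
        return "domain", v.replace("[.]", ".").lower()
    return "unknown", v


def load_iocs(raw):
    """Bucket a newline-separated list into sets keyed by indicator type."""
    iocs = {"ip": set(), "domain": set(), "md5": set(), "unknown": set()}
    for line in raw.splitlines():
        if line.strip():
            kind, v = classify_indicator(line)
            iocs[kind].add(v)
    return iocs


def find_hits(lines, iocs):
    """Scan log lines; return (line_no, kind, indicator) for every IOC seen."""
    hits = []
    for no, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((no, "ip", ip))
        for host in HOST_RE.findall(line):
            if host.lower() in iocs["domain"]:
                hits.append((no, "domain", host.lower()))
    return hits


def md5_hit(data, iocs):
    """MD5 of an attachment or binary if it is on the list, else None."""
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in iocs["md5"] else None


if __name__ == "__main__":
    iocs = load_iocs(RAW_IOCS)
    for hit in find_hits(SAMPLE_LOG, iocs):
        print(hit)
    print(md5_hit(b"constructed attachment bytes", iocs))
```

Anything the classifier files under "unknown" should be reviewed by hand before the list goes into a detection rule; the "unknown" bucket is there precisely so that a mis-typed entry fails loudly instead of silently never matching. Hash matching belongs on attachment stores and on binaries pulled from a suspect appliance, not on log text.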