Barracuda ESG Zero-Day Attacks Linked to Suspected Chinese Hackers

Cyber Security Threat Summary:
The hacking group UNC4841 has been connected to data theft incidents targeting Barracuda ESG appliances. These attacks exploited a zero-day vulnerability, CVE-2023-2868, which allowed remote command injection in Barracuda's email attachment scanning module. The vendor became aware of the vulnerability on May 19th and promptly disclosed the exploitation. CISA issued an alert urging U.S. federal agencies to apply the necessary security updates. Barracuda decided earlier this month to offer affected customers free device replacements instead of reimaging them with new firmware. This unusual step sparked speculation that the threat actors had compromised the devices at a deep level, raising doubts about whether the devices could ever be verified as completely clean.

“Today, Mandiant reveals that the threat actor responsible for this exploitation is UNC4841, a hacking group known for conducting cyber espionage attacks in support of the People's Republic of China. The attacks start with the threat actors sending emails containing malicious '.tar' file attachments (also TAR files masquerading as '.jpg' or '.dat' files) that exploit vulnerable ESG devices. When the Barracuda Email Security Gateway attempts to scan the file, the attachment exploits the CVE-2023-2868 flaw to perform remote code execution on the device. "It effectively amounts to unsanitized and unfiltered user-controlled input via the $f variable being executed as a system command through Perl's qx{} routine. $f is a user-controlled variable that will contain the filenames of the archived files within a TAR," explains Mandiant's report. "Consequently, UNC4841 was able to format TAR files in a particular manner to trigger a command injection attack that enabled them to remotely execute system commands with the privileges of the Email Security Gateway product." Once the threat actors gained remote access to the Barracuda ESG device, they infected it with malware families known as 'Saltwater,' 'Seaspy,' and 'Seaside' to steal email data from the devices” (BleepingComputer, 2023).

The attackers exploited CVE-2023-2868 through TAR file attachments in their emails to compromise vulnerable ESG appliances. They executed a base64 encoded reverse shell payload, which created a new session, a named pipe, and an interactive shell using OpenSSL. The reverse shell was added to cron jobs running hourly or daily as a persistence mechanism. The attackers used wget commands to fetch additional payloads, namely the malware families 'Saltwater,' 'Seaspy,' and 'Seaside,' from their command and control (C2) servers. Saltwater was a modified Barracuda SMTP daemon module with a backdoor, offering file manipulation, command execution, and proxying capabilities. Seaside, a Lua-based bsmtpd module, monitored SMTP commands for encoded instructions, decoding and forwarding them to "Whirlpool," a C-based TLS reverse shell tool. The third backdoor, Seaspy, functioned as a passive tool listening on specific ports and activated by a "magic packet." UNC4841 ensured persistence by modifying the '/etc/init.d/rc' file to execute Seaspy after system reboots. They also employed "Sandbar" to hide Linux server processes with names starting with "Bar," concealing the activities of Seaspy. Sandbar resided in the /lib/modules directory and executed during system startup. Furthermore, UNC4841 demonstrated quick lateral movement by scanning compromised appliances for specific email messages, using targeted search terms related to organizations, individuals, or high-interest topics.
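As an added example (not from the report or from any of the cited vendors), a Python triage helper for the two observations above: a TAR attachment can hide behind a '.jpg' or '.dat' name, and the member names inside it are the injection vector. It inspects only TAR headers, never extracts anything, and all sample attachments are constructed inline.

```python
import io
import re
import tarfile

# Shell metacharacters that have no business in an attachment's member names.
# A name carrying one of these would be interpreted by the shell if it were
# interpolated into a command the way the report describes (Perl qx{}).
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")

def is_tar(data: bytes) -> bool:
    """True if the bytes carry the POSIX ustar magic at offset 257,
    regardless of the file extension the sender chose."""
    return len(data) > 262 and data[257:262] == b"ustar"

def suspicious_members(data: bytes) -> list:
    """Member names containing shell metacharacters (header-only parsing;
    nothing is extracted). Returns a sentinel for a malformed archive."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            return [m.name for m in tf if SHELL_META.search(m.name)]
    except tarfile.TarError:
        return ["<unparseable archive>"]

def triage_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: flag TARs hiding behind other extensions
    and TARs whose member names look like command-injection attempts."""
    tar = is_tar(data)
    masquerading = tar and not filename.lower().endswith(".tar")
    bad = suspicious_members(data) if tar else []
    return {"filename": filename, "is_tar": tar, "masquerading": masquerading,
            "suspicious_members": bad, "flag": masquerading or bool(bad)}

def build_tar(names) -> bytes:
    """Constructed sample data: an in-memory TAR with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            tf.addfile(tarfile.TarInfo(name=name), io.BytesIO(b""))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: a TAR renamed to .jpg, a TAR with a hostile member
    # name, and a JPEG-looking blob that must not be flagged.
    samples = [("photo.jpg", build_tar(["a.txt"])),
               ("notes.tar", build_tar(["ok.txt", "x`date`.txt"])),
               ("real.jpg", b"\xff\xd8\xff" + b"\x00" * 300)]
    for fn, blob in samples:
        print(triage_attachment(fn, blob))
```

A masquerading verdict alone is enough to pull the message for review; the member-name check adds a second, independent signal for archives that do carry the expected extension.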

Security Officer Comments:
UNC4841 selectively extracted particular data and occasionally used an ESG appliance to move within the victim's network or to send emails to other compromised appliances. Upon Barracuda's detection of the breach, fixes were deployed, prompting UNC4841 to alter its malware and employ varied techniques to maintain persistence, thereby evading defenses that rely on indicators of compromise. The hackers then initiated a series of attacks spanning from May 22nd to May 24th, 2023. Their targets included susceptible devices belonging to government agencies and other significant organizations across a minimum of 16 countries.

Suggested Correction(s):
Mandiant recommends that all impacted organizations perform investigation and hunting activities within their networks. An investigation may include, but is not limited to, the following:

  • Sweep the impacted environment for all IOCs provided by both Mandiant and Barracuda.
  • Review email logs to identify the initial point of exposure.
  • Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise.
  • Revoke and reissue all certificates that were on the ESG at the time of compromise.
  • Monitor the entire environment for the use of credentials that were on the ESG at the time of compromise.
  • Monitor the entire environment for the use of certificates that were on the ESG at the time of compromise.
  • Review network logs for signs of data exfiltration and lateral movement.
  • Capture a forensic image of the appliance and conduct a forensic analysis.

    Physical appliance models can be imaged following standard procedures. Most models have two (2) hot-swappable drives in a RAID1 configuration.
    The provided YARA rules can be applied to appliance images to assist forensic investigators.

    IOCs:
    https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
    https://www.barracuda.com/company/legal/esg-vulnerability

    Link(s):
    https://www.bleepingcomputer.com/
    https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
    https://www.barracuda.com/company/legal/esg-vulnerability