A suspected China-nexus threat actor tracked as UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022.
“UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China,” Google-owned Mandiant said in a report published today, describing the group as “aggressive and skilled”.
The flaw in question is CVE-2023-2868 (CVSS score: 9.8), a remote code injection vulnerability affecting versions 5.1.3.001 to 9.2.0.006 that stems from incomplete validation of attachments contained in incoming emails.
Barracuda addressed the issue on May 20 and 21, 2023, but the company has since urged affected customers to replace devices immediately “regardless of patch version level”.
According to the threat intelligence and incident response firm, which was engaged to investigate the intrusion, UNC4841 sent emails to victim organizations containing a malicious TAR file attachment designed to exploit the bug as early as October 10, 2022.
These email messages carried generic lures with poor grammar and, in some cases, placeholder values, a tactic deliberately chosen to make the messages look like spam.
The goal was to execute a reverse shell payload on the targeted ESG appliance and deliver three different malware families – SALTWATER, SEASIDE, and SEASPY – to establish persistence and execute arbitrary commands, while disguising them as legitimate Barracuda ESG modules or services.
Also used by the adversary is a kernel rootkit named SANDBAR, which is configured to hide processes starting with a certain name, as well as trojanized versions of two legitimate Barracuda Lua modules:
- SEASPRAY – A launcher that filters incoming email attachments with specific filenames and runs an external C-based utility dubbed WHIRLPOOL to create TLS fallback shells
- SKIPJACK – A passive implant that listens for incoming email headers and subjects and executes the content contained in the “Content-ID” header field
Source code overlap has been identified between SEASPY and a publicly available backdoor referred to as cd00r, and between SANDBAR and an open-source rootkit, indicating that the actor reuses existing tooling to carry out its intrusions.
UNC4841 has all the hallmarks of a persistent actor, given its ability to quickly modify its malware and deploy additional persistence mechanisms once Barracuda initiated containment efforts after discovering the activity on May 19, 2023.
In some cases, the threat actor was observed leveraging access to compromised ESG appliances to move laterally into the victim’s network, or to send mail to other victim appliances. Data exfiltration, in a subset of cases, involved retrieving email-related data.
The high-frequency attacks, Mandiant said, targeted an unspecified number of private and public sector organizations located in at least 16 countries, with nearly a third being government entities. 55% of affected organizations are located in the Americas, followed by 24% in EMEA and 22% in the Asia-Pacific region.
“UNC4841 has proven to be highly responsive to defensive efforts and actively modifies its TTPs to sustain their operations,” Mandiant said, adding that it expects the actor to “change their TTPs and modify their devices.”