A suspected pro-China hacker group tracked by Mandiant as UNC4841 has been linked to data theft attacks on Barracuda ESG (Email Security Gateway) appliances using a now patched zero-day vulnerability.

Beginning around October 10, 2022, threat actors began exploiting CVE-2023-2868, a zero-day remote command injection vulnerability in Barracuda’s attachment scanning module.

Seller discovered the flaw on May 19th and immediately revealed that the vulnerability was being exploited, with CISA issues an alert US federal agencies to apply security updates.

From what was made public at the time, CVE-2023-2868 was operated since October 2022 to drop previously unknown malware onto vulnerable devices and steal data.

Earlier this month, Barracuda took the unusual step of require affected customers to replace their devices for free rather than reimage with new firmware.

This unusual request led many to believe that threat actors had compromised the devices to a low level, making it impossible to ensure they were completely clean.

Mandiant told BleepingComputer that this was recommended out of caution, as Barracuda could not ensure complete malware removal.

“Due to the sophistication displayed by UNC4841 and the lack of full visibility into all compromised appliances, Barracuda chose to overwrite and not reimage the appliance from the recovery partition out of an abundance of caution,” said John Palmisano, Mandiant Incident Response Manager – Google Cloud, BleepingComputer told BleepingComputer.

“This policy ensures the integrity of all devices in situations where Barracuda is unable to ensure that the recovery partition has not been compromised by the threat actor.”

Attacks linked to pro-Chinese hackers

Today, Mandiant reveals that the threat actor responsible for this exploit is UNC4841, a hacking group known to carry out cyber espionage attacks in support of the People’s Republic of China.

Attacks begin with threat actors sending emails containing malicious “.tar” attachments (also TAR files masquerading as “.jpg” or “.dat” files) that exploit vulnerable ESG devices. When Barracuda Email Security Gateway attempts to scan the file, the attachment exploits the CVE-2023-2868 flaw to execute code remotely on the device.

“This effectively amounts to unfiltered, unfiltered user-controlled input through the $f variable executed as a system command through Perl’s qx routine. $f is a user-controlled variable that will contain the filenames of files archived in a TAR,” Mandiant’s report explains.

“As a result, UNC4841 was able to format TAR files in a particular way to trigger a command injection attack that allowed them to remotely execute system commands with Email Security Gateway product privileges.”

Once the threat actors gained remote access to the Barracuda ESG device, they infected it with malware families called “Saltwater”, “Seaspy” and “Seaside” to steal email data machines.

UNC4841 targeted specific data for exfiltration and occasionally exploited access to an ESG appliance to browse the victim’s network or send mail to other victim appliances.

When Barracuda discovered the breach and released patches, UNC4841 modified its malware and diversified its persistence mechanisms to evade IoC-based defenses.

As time passed, hackers launched a series of attacks between May 22 and May 24, 2023, targeting vulnerable devices in government agencies and other important organizations in at least 16 countries.

attack chain

The TAR file attachments on the attacker’s emails exploited CVE-2023-2868 to run a base64-encoded reverse shell payload on vulnerable ESG appliances.

The payload creates a new session, named pipe, and interactive shell, using OpenSSL to create a client connecting to a specified IP address and port, with standard output directed to the named pipe, and any error output being ignored.

The reverse shell is added to hourly or daily cron jobs as a persistence mechanism.

Then the attackers used wget commands to fetch more payloads from their C2 servers, mainly “Saltwater”, “Seaspy” and “Seaside”.

Saltwater is a Barracuda SMTP daemon module (bsmtpd) that can upload or download files, execute arbitrary commands, or offer threat actors proxy capabilities.

Seaside is a Lua-based bsmtpd module that monitors SMTP HELO/EHLO commands for the presence of encoded instructions sent from the attacker’s C2 server. When it finds any, it decodes them and passes them to “Whirlpool”, a C-based TLS reverse shell tool.

The third backdoor is Seaspy, a passive tool that sits as a PCAP filter on ports TCP/25 (SMTP) and TCP/587 and is activated by a “magic packet”.

For persistence, UNC4841 modifies the ‘/etc/init.d/rc’ file so that Seaspy runs after reboot.

Finally, there’s “Sandbar”, which threat actors have used to hide Linux server processes whose names begin with “Bar”, which masks the activities of Seaspy in particular, allowing it to run undetected.

Sandbar is added to the /lib/modules directory which hosts Linux kernel modules; therefore, it is executed at system startup.

UNC4841 performed rapid lateral movement steps and was observed searching compromised appliances for specific emails, using search terms related to specific organizations, individuals, or topics of interest.

“Across the entities selected for targeted data exfiltration, shell scripts were discovered that targeted ASEAN Ministry of Foreign Affairs (MFA) email domains and users, as well as trade offices. outside and academic research organizations in Taiwan and Hong Kong,” Mandiant said.

Analysts expect UNC4841 to continue trying to diversify its TTPs (tactics, techniques, and procedures) to evade detection, so vigilance is advised.

The recommended action is to replace compromised Barracuda ESG appliances, regardless of their patch level, and perform thorough network investigations using published indicators of compromise.