Barracuda Zero-Day Flaw: Risks to Government and Military
A suspected hacking group with ties to China has recently exploited a newly discovered zero-day vulnerability in Barracuda Networks Email Security Gateway (ESG) appliances. This Barracuda zero-day flaw has global ramifications, affecting government, military, defense, aerospace, high-tech and telecommunications organizations. Let’s get into the specifics of this cybersecurity issue and its potential impacts.
The Mysterious Perpetrator: UNC4841
Mandiant, a well-known threat intelligence company, is actively tracking the China-based hacking group “UNC4841.” It describes this threat actor as highly adaptable and capable of changing tactics to maintain persistent access to its targets. UNC4841 has used custom malware to break into high-priority organizations and has exploited the zero-day vulnerability in Barracuda products.
Surprisingly, government agencies make up roughly one-third of the organizations affected by this campaign. Notably, the first compromises were discovered on devices in mainland China, shedding light on the possible origins of the attack.
Barracuda Zero-Day Flaw: Exploiting CVE-2023-2868
This cybersecurity threat to government and military organizations works by exploiting CVE-2023-2868 to implant malware on the ESG appliance and then carrying out post-exploitation activity. In some cases the attack has led to the deployment of additional malware, such as SUBMARINE (also known as DEPTHCHARGE), to maintain persistence despite remediation efforts.
A noteworthy feature of this campaign is the observed drop in activity around Chinese New Year, followed by two surges. The first surge came after Barracuda’s public notification of the zero-day flaw on May 23, 2023, while the second occurred in early June 2023. During the latter spike, the attackers attempted to retain access by deploying additional malware families, including SKIPJACK, DEPTHCHARGE, and FOXTROT/FOXGLOVE.
SKIPJACK is a passive implant that monitors specified email headers and subjects, whereas DEPTHCHARGE is embedded in the Barracuda SMTP (BSMTP) daemon and executes encrypted commands. FOXTROT, on the other hand, is a C++ implant launched via FOXGLOVE and built for tasks such as keystroke capture, shell command execution, file transfer, and reverse shell setup.
The rapid deployment of DEPTHCHARGE after Barracuda released its security update and patch implies that UNC4841 plans thoroughly and has substantial resources at its disposal. This operation appears to be anything but opportunistic, highlighting the threat actor’s ability to anticipate and work around potential disruptions.
Zero-Day Vulnerability Impact on Sectors: Chinese Involvement
DEPTHCHARGE infected about 2.64 percent of compromised devices, affecting both US and foreign governments, as well as high-tech and information technology firms. Although not exclusive to Barracuda ESGs, FOXTROT and FOXGLOVE were employed selectively to target government-related organizations.
UNC4841 has proven adept at internal reconnaissance and lateral movement within compromised environments. Notably, the group attempted unauthorized access to mailboxes within organizations through Microsoft Outlook Web Access (OWA). It also created accounts with random-character names on a subset of the affected appliances, providing an alternate remote access path.
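As an added defender-side illustration (not code from the report, Mandiant or Barracuda), the check below flags interactive local accounts whose usernames look randomly generated, the kind of backdoor account described above. The passwd-style sample lines, the entropy and vowel-ratio thresholds, and the UID cutoff are all assumptions chosen for the example.

```python
import math
from collections import Counter

# Constructed /etc/passwd-style sample; no line here comes from a real appliance.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
support:x:1001:1001::/home/support:/bin/bash
qx7zk3wp:x:1002:1002::/home/qx7zk3wp:/bin/bash
a9f2hd81m:x:1003:1003::/home/a9f2hd81m:/bin/sh
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Per-character Shannon entropy in bits; 0.0 for a single repeated character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name, min_len=6, min_entropy=2.5, max_vowel_ratio=0.3):
    """Heuristic (assumed thresholds): a name is 'random-looking' when it is
    reasonably long, mixes digits with letters, has few vowels and high entropy."""
    if len(name) < min_len:
        return False
    has_digit = any(ch.isdigit() for ch in name)
    vowel_ratio = sum(ch in VOWELS for ch in name) / len(name)
    return has_digit and vowel_ratio <= max_vowel_ratio and shannon_entropy(name) >= min_entropy


def suspicious_accounts(passwd_text, min_uid=1000):
    """Return usernames of login-capable accounts (uid >= min_uid, real shell)
    whose names look random. Candidates for manual review, not proof of compromise."""
    flagged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than crash on them
        name, _, uid, _, _, _, shell = fields
        if not uid.isdigit() or int(uid) < min_uid:
            continue  # system and service accounts are out of scope here
        if shell.endswith(("nologin", "false")):
            continue  # cannot be used for interactive remote access
        if looks_random(name):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(suspicious_accounts(SAMPLE_PASSWD))  # ['qx7zk3wp', 'a9f2hd81m']
```

On a live system the same function can be fed the contents of the appliance's passwd file, with the thresholds tuned to the naming conventions actually in use.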
Infrastructure overlaps with another cluster, tracked as UNC2286, support the link between UNC4841 and China. UNC2286 is also associated with the Chinese espionage campaigns FamousSparrow and GhostEmperor. In light of this Barracuda security risk to the military sector, the FBI has advised affected customers to replace their ESG appliances as soon as possible because the threat is ongoing.
Finally, UNC4841’s actions show the ever-changing arena of cyber espionage. The group’s agility and its capacity to target specific sectors highlight the complexity of modern cybersecurity threats. Organizations, particularly those in sensitive industries, must remain attentive and prioritize effective security measures to avoid critical infrastructure cybersecurity risks.
As the digital world evolves, protecting government networks from zero-day attacks and remediating vulnerabilities promptly has become crucial. Addressing these concerns can help such organizations protect their intellectual property and combat emerging threats.