    Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway

By justmattg, June 18, 2023

Originally published June 15, 2023 by Ravie Lakshmanan

    A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022.

    “UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China,” Google-owned Mandiant said in a new report published today, describing the group as “aggressive and skilled.”

The flaw in question is CVE-2023-2868 (CVSS score: 9.8), a remote command injection affecting ESG versions 5.1.3.001 through 9.2.0.006. It arises from incomplete input validation of TAR file attachments in incoming email: the names of the files inside the archive are not sanitized before they reach a system command, so a crafted name is executed with the privileges of the ESG product.

    Barracuda addressed the problem on May 20 and 21, 2023, but the company has since urged affected customers to immediately replace the devices “regardless of patch version level.”

    Now according to the incident response and threat intelligence firm, which was appointed to probe the hack, UNC4841 is said to have sent emails to victim organizations containing malicious TAR file attachments that were designed to exploit the bug as early as October 10, 2022.
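As an added illustration, which is neither Barracuda's code nor the actor's payload, the following Python shows the injection class described above: an archive member name taken from an attachment reaches a shell command string unvalidated, so a name containing a ';' runs a second command. The vulnerable handler mirrors a Perl qx()-style call using subprocess with shell=True; the hardened handler allow-lists member names and passes them as an argv list so no shell parses them. The scanner command (echo) and both sample archives are constructed stand-ins, and the only injected command is a harmless echo.

```python
import io
import re
import subprocess
import tarfile


def build_tar(member_names):
    """Build an in-memory TAR with the given member names (constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in member_names:
            data = b"placeholder content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample attachments, not real UNC4841 payloads. The crafted one carries a
# harmless second command in its member name; any other command would run the same way.
BENIGN_TAR = build_tar(["invoice.txt"])
CRAFTED_TAR = build_tar(["a.txt; echo INJECTED"])

# Stand-in for the appliance's per-file scanner; only the argument handling matters here.
SCANNER = "echo scanning"


def scan_members_vulnerable(tar_bytes):
    """Anti-pattern: the untrusted member name is spliced into a shell command string,
    which is what a Perl qx(...) call with an interpolated variable does."""
    output = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for member in tf.getmembers():
            cmd = f"{SCANNER} {member.name}"
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            output.append(result.stdout)
    return "".join(output)


# Allow-list: path components of letters, digits, '.', '_' and '-', each starting with a
# letter or digit, so no leading '/', no '..', no leading '-', no whitespace and no
# shell metacharacters can get through.
SAFE_COMPONENT = r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}"
SAFE_MEMBER = re.compile(SAFE_COMPONENT + "(/" + SAFE_COMPONENT + ")*")


def validate_member(member):
    """Reject anything that is not a regular file with an allow-listed name."""
    if not member.isfile():
        raise ValueError(f"rejected non-regular member: {member.name!r}")
    if not SAFE_MEMBER.fullmatch(member.name):
        raise ValueError(f"rejected member name: {member.name!r}")


def scan_members_hardened(tar_bytes):
    """Validate every member name first, then invoke the scanner with an argv list so
    the name is one argument and no shell ever parses it."""
    output = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for member in tf.getmembers():
            validate_member(member)
            argv = SCANNER.split() + [member.name]
            result = subprocess.run(argv, capture_output=True, text=True)
            output.append(result.stdout)
    return "".join(output)


def hardened_rejects(tar_bytes):
    """True if the hardened scanner refuses the archive before running anything."""
    try:
        scan_members_hardened(tar_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, crafted archive:\n" + scan_members_vulnerable(CRAFTED_TAR))
    print("hardened, benign archive:\n" + scan_members_hardened(BENIGN_TAR))
    print("hardened rejects crafted archive:", hardened_rejects(CRAFTED_TAR))
```

Note that validation happens on the member name as recorded in the archive header, before any extraction, and that the argv form alone is not enough: a scanner that itself shells out, or that accepts option-looking names, still needs the allow-list.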

    These email messages contained generic lures with poor grammar and, in some cases, placeholder values, a tactic deliberately chosen to disguise the communications as spam.

    The goal, it noted, was to execute a reverse shell payload on the targeted ESG devices and deliver three different malware strains – SALTWATER, SEASIDE, and SEASPY – in order to establish persistence and execute arbitrary commands, while masquerading them as legitimate Barracuda ESG modules or services.

The adversary also deployed a kernel rootkit named SANDBAR, configured to conceal processes whose names begin with a specified string, as well as trojanized versions of two legitimate Barracuda Lua modules:

    • SEASPRAY – A launcher that screens incoming email attachments for a particular filename and runs an external C-based utility dubbed WHIRLPOOL to create a TLS reverse shell
    • SKIPJACK – A passive implant that listens for incoming email headers and subjects and executes the content of the “Content-ID” header field
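Added example, not Mandiant's or Barracuda's tooling: a small detector for the SKIPJACK trigger described above. It parses a message with the Python standard library and flags any Content-ID header that is not a well-formed RFC 2392 content identifier (a single '<local@domain>' token) or that carries shell metacharacters. The two messages are constructed samples. Because the hook lives on the compromised ESG itself, run a check like this at an upstream MTA or over archived mail, not on the appliance.

```python
import email
import re

# RFC 2392 Content-ID is a msg-id: "<" local-part "@" domain ">" with no whitespace.
CID_RE = re.compile(r"<[A-Za-z0-9._%+=-]+@[A-Za-z0-9.-]+>")
# Characters that have no place in an identifier but are common in shell command lines.
SHELL_META_RE = re.compile(r"[;|&`$]")


def suspicious_content_ids(raw_message: bytes):
    """Return (value, reason) for every Content-ID header that is not a well-formed
    content identifier. Walks every MIME part, since inline parts carry the header."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        for value in part.get_all("Content-ID", []):
            v = " ".join(str(value).split())  # unfold continuation lines
            if CID_RE.fullmatch(v):
                continue
            if SHELL_META_RE.search(v):
                findings.append((v, "shell metacharacters in Content-ID"))
            else:
                findings.append((v, "malformed Content-ID"))
    return findings


# Constructed sample messages (not captured traffic).
BENIGN_MESSAGE = b"\r\n".join([
    b"From: sender@example.com",
    b"To: recipient@example.org",
    b"Subject: Quarterly report",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/related; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/html",
    b"",
    b'<img src="cid:logo@example.com">',
    b"--b1",
    b"Content-Type: image/png",
    b"Content-ID: <logo@example.com>",
    b"",
    b"PNGDATA",
    b"--b1--",
    b"",
])

SUSPICIOUS_MESSAGE = b"\r\n".join([
    b"From: sender@example.com",
    b"To: recipient@example.org",
    b"Subject: invoice",
    b"MIME-Version: 1.0",
    b"Content-Type: text/plain",
    b"Content-ID: uname -a; id",  # a command line where an identifier belongs
    b"",
    b"see attached",
    b"",
])


if __name__ == "__main__":
    print("benign:", suspicious_content_ids(BENIGN_MESSAGE))
    print("suspicious:", suspicious_content_ids(SUSPICIOUS_MESSAGE))
```

A malformed but metacharacter-free Content-ID is still reported, since a passive implant need not be fed a shell one-liner; the reason string lets a triage rule weight the two cases differently.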

    Source code overlaps have been identified between SEASPY and a publicly available backdoor referred to as cd00r and also between SANDBAR and an open-source rootkit, suggesting that the actor repurposed existing tools to orchestrate the intrusions.


UNC4841 has all the hallmarks of a persistent actor: after Barracuda discovered the activity on May 19, 2023 and began containment, the group swiftly altered its malware and added further persistence mechanisms.

    In some instances, the threat actor was observed using access to a compromised ESG appliance to move laterally into the victim network, or to send mail to other victim appliances. In a subset of cases, data exfiltration involved the capture of email-related data.

    The high-frequency attacks, Mandiant said, targeted an unspecified number of private and public sector organizations located in at least 16 countries, with almost a third being government entities. 55% of the impacted organizations are located in the Americas, followed by 24% in EMEA and 22% in the Asia-Pacific region.

    “As of June 10, 2023, approximately 5% of active ESG appliances worldwide have shown evidence of known indicators of compromise,” Barracuda told The Hacker News in a statement, adding it’s “providing the replacement product to impacted customers at no cost.”

    “UNC4841 has shown to be highly responsive to defensive efforts and actively modifies TTPs to maintain their operations,” Mandiant said, adding it expects the actors to “alter their TTPs and modify their toolkit.”
