Suspected Chinese hackers have shown a distinct focus on breaching government and government-linked institutions across the globe in recent cyberattacks aimed at exploiting a Barracuda Email Security Gateway (ESG) zero-day vulnerability. These attacks have particularly targeted entities in the Americas.
A Mandiant report released today indicates that almost one-third of the compromised ESG appliances in this campaign were associated with government agencies, with a significant portion of these breaches occurring between October and December of the previous year.
"While the percentage of local government organizations affected is less than seven percent of the overall identified entities, this number rises to nearly seventeen percent when considering solely U.S.-based targets."
The primary motive behind these attacks was espionage. The threat actor, known as UNC4841, has been involved in a concerted effort to stealthily extract information from systems belonging to high-profile users in governmental and high-tech sectors.
Barracuda issued a warning to its customers on May 20, informing them of the active exploitation of the vulnerability to breach ESG appliances. The company swiftly deployed patches to all vulnerable devices remotely.
Ten days later, the company revealed that the zero-day had been exploited in attacks for at least seven months, stretching back to October of the previous year. During this time, the attackers deployed previously unknown malware and used it to steal data from compromised systems.
A week after these announcements, customers were advised to urgently replace compromised appliances, even those that had been patched already. Approximately 5% of all ESG appliances were compromised, as stated by Mandiant.
The attackers employed novel malware strains, including SeaSpy and Saltwater, along with a malicious tool named SeaSide, to achieve remote access to compromised systems through reverse shell mechanisms.
CISA also provided insights into Submarine (also known as DepthCharge) and Whirlpool malware, which were deployed in the same attacks as later-stage payloads. These were used to maintain persistent control after Barracuda's advisory on May 20, targeting a small number of previously compromised devices linked to high-value targets, according to Mandiant's analysis.
"This suggests that despite the global scope of this operation, it wasn't opportunistic. UNC4841 exhibited thorough planning and sufficient resources to anticipate and counter potential disruptions that could compromise their access to target networks," stated Mandiant in their report.
"We are dealing with formidable adversaries who possess extensive resources, funding, and the expertise to effectively conduct global espionage campaigns without detection. China-linked espionage actors are refining their strategies to enhance impact, stealthiness, and effectiveness," remarked Austin Larsen, Mandiant's Senior Incident Response Consultant, to BleepingComputer.
FBI: Barracuda ESG appliances still in danger

Though Mandiant and Barracuda have yet to find evidence of new ESG appliances being compromised via CVE-2023-2868 exploits post-patching, the FBI issued a warning last week suggesting that the patches were "ineffective." They noted that patched devices are still falling victim to ongoing attacks.
The U.S. federal law enforcement agency echoed Barracuda's advice, urging customers to swiftly isolate and replace compromised appliances. It also encouraged organizations to investigate their networks for signs of compromise and emphasized the need to revoke and rotate enterprise-privileged credentials, such as Active Directory credentials, to thwart the attackers' efforts at maintaining persistent access.
"The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit," stated the agency.
"Barracuda's security products are employed by over 200,000 organizations worldwide, encompassing government bodies and prominent corporations."