Barracuda Zero-Day Vulnerability: Mandiant Points to Chinese Threat Actors

On May 23, IT security company Barracuda Networks announced that the threat actors had exploited a zero-day vulnerability in the Barracuda Email Security Gateway (ESG), which filters email traffic to defend organizations from malicious messages. The company engaged cyber threat intelligence company Mandiant to help in its investigation. Mandiant has linked the zero-day vulnerability (CVE-2023-2868) to an espionage actor working in support of the People’s Republic of China with “high confidence,” according to a company blog.

How did the threat actor (UNC4841) exploit the zero-day vulnerability? How can impacted organizations respond? And how can enterprises prepare for escalating state-sponsored cyber threats?

The Zero-Day Vulnerability

UNC4841 began its campaign as early as Oct. 10, 2022. The threat actor sent emails with a malicious attachment designed to exploit the zero-day vulnerability. UNC4841 leveraged three different code families (SALTWATER, SEASPY, and SEASIDE), which imitated legitimate Barracuda ESG services or modules, according to the Mandiant blog post.

The campaign targeted many different organizations, with government agencies accounting for approximately one-third of the victims. UNC4841 used the compromised ESGs to target individuals in the Association of Southeast Asian Nations (ASEAN) Ministry of Foreign Affairs and foreign trade offices and academic research organizations in Taiwan and Hong Kong, according to Mandiant.

The threat actor targeted data for exfiltration. UNC4841 also deployed additional malware and conducted lateral movement in some cases.

How did Mandiant determine that the threat actor is likely state-backed espionage from China? “UNC4841 was collecting intelligence on policies and people of strategic interest to the PRC. In terms of targeting, this resembles many of the broad efforts we’ve seen before,” Austin Larsen, Mandiant senior incident response consultant, Google Cloud, tells InformationWeek. He also noted infrastructure and malware code overlaps that support Mandiant’s conclusion. 

Jim Broome, president and CTO of security services company DirectDefense, points out that security solution vendors have been affected by the surge of cyber threats following the pandemic. “Vendors like Pulse Secure, Fortinet, and Palo Alto have all faced significant vulnerabilities being discovered in their products,” he says. “What's more concerning is that some of these vulnerabilities have been actively exploited by ransomware threat actors as entry points into their targets' networks.”

Barracuda’s Response

Barracuda began releasing containment and remediation patches on May 21, and UNC4841 shifted its strategy in response. It changed its malware and leveraged new mechanisms to retain access. Barracuda and Mandiant have released detailed recommendations for companies impacted by the zero-day vulnerability. They have advised impacted Barracuda customers to replace their compromised ESG appliances and to perform their own internal investigations.

“Mandiant has published a compilation of IOCs [indicators of compromise] observed to date along with a series of YARA and SNORT signatures to detect known malware along with the network traffic associated with its communications,” says Larsen.

Tony Pietrocola, president and cofounder of autonomous security operations center AgileBlue, stresses the importance of acting quickly. “Every organization needs to determine where they could have been and perhaps still be compromised,” he says. “They should perform a strong pen test, vulnerability assessment, and response initiative to determine where they could still be impacted.”

If an organization does determine it has been compromised, it needs to follow its incident response plan. “Additionally, it’s critical to communicate with their supply chain, customers, vendors, and perhaps law enforcement,” Pietrocola adds.

The Future of Cyber Espionage

The Cybersecurity and Infrastructure Security Agency (CISA) has made it clear that cyber threats from China are a significant risk to critical infrastructure in the United States. Jen Easterly, the director of CISA, has warned of China’s cyber espionage capabilities and the threat they pose, CNBC reports.

During a June 16 press conference, Wang Wenbin, China’s foreign ministry spokesperson, addressed Mandiant’s report. “The cybersecurity firm that you mentioned has repeatedly sold disinformation on so-called Chinese hacking attacks. The stories are far-fetched and unprofessional,” he said. “By making up reports about so-called foreign cyberattacks, US cybersecurity vendors have become accomplices in the US government’s smearing campaigns against other countries.” 

But the US government’s stance is clear. The Annual Threat Assessment of the US Intelligence Community from the Office of the Director of National Intelligence describes China as likely “the broadest, most active, and persistent cyber espionage threat to US government and private-sector networks.”

What can enterprises learn from the Barracuda zero-vulnerability, and how can they prepare for continued cyber threats?

Recognition of these threats and the likelihood of being impacted at some point is vital. “You can build a wall for defending against everyday amateurs. But if a nation-state has infinite time to examine the wall, they will find a way through it,” says Ian Schmertzler, president and CFO of zero-trust network access company Dispel.

Pietrocola also notes that stopping an attack from a state-sponsored actor armed with talent and a big budget may not be possible. Knowing that, enterprises can focus on developing a layered defense with the capabilities to detect and respond to threats.

“Regular vulnerability assessments, penetration testing, and security audits help identify potential weaknesses or vulnerabilities that could be exploited by attackers. Remediation of these discovered vulnerabilities should be prioritized and completed routinely,” Broome advises.

Regular cybersecurity awareness training and tabletop exercises can help companies to prepare proactively.

Threat actors, state-sponsored and otherwise, will continue to look for opportunities like the Barracuda zero-day vulnerability. It is up to the potential targets to determine how they will prepare and respond.

“The challenge enterprises face is typically reaching group consensus: ‘Do we really need to be following the standards?’ ‘Couldn’t we put this off for a year or until a third party tells us we have to do something?’” says Schmertzler. “Events like this make change possible.”

What to Read Next:

Former Uber CSO Sullivan on Engaging the Security Community

Why Defending Modern Cloud-Based Enterprises Must Start With ZTA

Report Calls Out ‘Inadequate’ Approach to Protecting US Infrastructure