Cybersecurity firm and Google Cloud subsidiary, Mandiant, has announced suspicions that Chinese-backed spies could have been behind the exploitation of a zero-day vulnerability in the Barracuda Email Security Gateway (ESG).
Researchers have tracked attacks to a China-nexus actor who appears to have been conducting espionage “spanning a multitude of regions and sectors,” including the US government.
The announcement details how the attacker, codenamed UNC4841, sent emails containing malicious files to target organizations that would exploit CVE-2023-2868 in order to gain initial access to vulnerable Barracuda ESG appliances.
Chinese spies could be behind the Barracuda ESG attack
The CVE description details the vulnerability that affected versions 5.1.3.001-9.2.0.006:
“A remote attacker can specifically format [.tar] file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product.”
According to the security workers, public and private sectors were targeted, with more than half (55%) being in the Americas. The remaining came in almost equal parts from the EMEA and APAC regions, with attacks showing a clear focus “on issues that are high policy priorities for the [People’s Republic of China].”
The BNSF-36456 patch was automatically applied to all appliances, however attacks could have been going on undetected from October 2022 until May 2023 – a period spanning more than seven months.
Mandiant, who was responsible for raising the concern, said in a statement that it “commends Barracuda for their decisive actions, transparency, and information sharing following the exploitation of CVE-2023-2868 by UNC4841.”
Nonetheless, the true identity of UNC4841 remains unconfirmed, with the group still at large and likely operating or developing other attacks and exploiting vulnerabilities elsewhere.