Barracuda hackers anticipated ESG patch and deployed new backdoors to maintain access to targets

A China-linked threat actor exploited a recently disclosed vulnerability in Barracuda Email Security Gateway (ESG) appliances to compromise government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a worldwide cyber espionage campaign.

The campaign came to light in May 2023 after US-based email and network security solutions provider Barracuda Networks revealed that threat actors had been exploiting a recently patched zero-day vulnerability in its Email Security Gateway (ESG) appliances for nearly eight months to backdoor devices.

Tracked as CVE-2023-2868, the flaw is an OS command injection issue that can be exploited by a remote hacker to execute arbitrary Perl commands on the target system. The vulnerability was fixed by May 20, 2023. However, the US Federal Bureau of Investigation has recently warned that fixes for CVE-2023-2868 are ineffective and that patched appliances are still at risk of being hacked by Chinese threat actors.

According to Google-owned cybersecurity firm Mandiant, which tracks this threat cluster as UNC4841, the attackers anticipated remediation efforts and deployed additional malware to maintain presence at a small subset of high-priority targets that it compromised either before the patch was released, or shortly following Barracuda’s remediation guidance.

The additional malicious tools include the Skipjack and Depthcharge backdoors, the Foxglove and Foxtrot keyloggers, as well as a new version of the Seaspy backdoor.

“This was followed by a second, previously undisclosed wave, that began in early June 2023. In this second wave, Mandiant discovered the actor attempting to maintain access to compromised environments via the deployment of the new malware families SKIPJACK, DEPTHCHARGE, and FOXTROT/FOXGLOVE,” Mandiant explained in its in-depth technical analysis. “This second surge represented the highest intensity of UNC4841 activity identified by Mandiant across the entire campaign, demonstrating UNC4841’s determination in preserving access to specific victim environments.”

The security firm noted that since the patch for Barracuda ESG appliances was released it hasn’t seen any evidence of new successful compromises using CVE-2023-2868.

“Only a limited number of ESG appliances worldwide were compromised (5% of ESG appliances), and impacted customers have been notified to replace the appliances,” the researchers said.
