China behind attacks on Barracuda email gateways, Mandiant


Mandiant "assesses with high confidence" that state-backed Chinese hackers carried out attacks on customers of Barracuda's Email Security Gateway

Hackers working for China's government are the likely culprits behind the recent cyberattack campaign targeting customers who use Barracuda's Email Security Gateway, according to prominent incident response firm Mandiant.

The attacks, which have leveraged a critical vulnerability in the on-premises appliances that has now been patched, last week prompted the unusual recommendation from Barracuda that affected customers should actually replace their Email Security Gateway devices.

Mandiant, which is owned by Google Cloud, has been hired by Barracuda to investigate the incident.

"Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors," Mandiant said in a post on Thursday.

"Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China."

In its own post Thursday, Barracuda pointed to Mandiant's attribution of the threat actor to the Chinese government, and said that the attackers "conducted targeted information gathering activity from a subset of organisations in support of the People's Republic of China."

Barracuda Networks has said that the vulnerability was discovered on 19th May, and that the company deployed a patch "to all ESG appliances worldwide" the following day. A second patch was deployed on 21st May to all Email Security Gateway appliances.

"Between May 22, 2023 and May 24, 2023, UNC4841 countered with high frequency operations targeting a number of victims located in at least 16 different countries," Mandiant said in its post.

"Overall, Mandiant identified that this campaign has impacted organisations across the public and private sectors worldwide, with almost a third being government agencies."

Along with replacing compromised ESG appliances, "Mandiant recommends further investigation and hunting within impacted networks, as the identified threat actor has demonstrated a commitment to maintaining persistence for continued operations and has shown an ability to move laterally from the ESG appliance," the company said.

Mandiant noted that its investigation found that the attackers deployed three types of malware—Saltwater, SeaSpy and SeaSide—to establish and maintain persistence on affected systems. The code families "attempt to masquerade as legitimate Barracuda ESG modules or services, a trend that UNC4841 has continued with the newly identified malware families detailed for the first time in this blog post," Mandiant said.

"Post initial compromise, Mandiant and Barracuda observed UNC4841 aggressively target specific data of interest for exfiltration, and in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network, or to send mail to other victim appliances," the company said in its post.

California-based Barracuda initially disclosed the breach on 24th May. Further investigation from the company and Mandiant uncovered evidence that the vulnerability had been exploited as far back as October 2022, the company said in an updated disclosure on 1st June.

Barracuda's Email Security Gateway is an on-premises product that filters all of a customer's email traffic, both inbound and outbound. The appliance, which is cloud-connected, is often used to protect Microsoft Exchange environments.

This article was first published on CRN.
