China-linked group targeted government entities via Barracuda flaw

US and foreign government entities compromised, says Mandiant

Researchers at security vendor Mandiant disclosed further details on Tuesday on the China-linked cyberattack campaign that exploited Barracuda's Email Security Gateway, saying that government agencies were "disproportionately" targeted, with a particular focus on the US.

The attacks, initially disclosed by Barracuda in late May, leveraged a critical vulnerability in Barracuda's Email Security Gateway (ESG) on-premises appliances. Further investigation by the company and Mandiant found that the vulnerability had been exploited as far back as October 2022.

Nearly one-third of the impacted organisations in the ESG attacks were government agencies, said researchers at Mandiant, which was hired by Barracuda to investigate the incident. Mandiant is owned by Google Cloud.

Mandiant has attributed the attacks to a group it tracks as UNC4841, which is believed to work in support of China's government.

Victims "included US and foreign government entities," the researchers said in a post, although they did not identify specific US agencies that were impacted.

"Government agencies worldwide appear to have been disproportionately targeted," they wrote.

In North America overall, "there were numerous state, provincial, county, tribal, city and town offices that were targeted in this campaign," Mandiant researchers said. "These organisations included municipal offices, law enforcement offices, judiciaries of varying levels, social service offices, and several incorporated towns."

While local governments comprised less than 7% of impacted organisations overall, "this statistic increases to nearly 17% when compared to US-based targeting alone," the researchers wrote. "In some instances, targeted entities had populations below 10,000 individuals."

Barracuda's Email Security Gateway is an on-premises appliance that filters all of a customer's email traffic, both inbound and outbound. The appliance, which is cloud-connected, is often used to protect Microsoft Exchange environments.

"Mandiant and Barracuda have not identified any newly compromised ESG appliances post release of a security patch on May 20, 2023, which remediated the zero-day ESG vulnerability (CVE-2023-2868)," Barracuda said in a statement.

"Mandiant assesses a limited number of previously impacted victims that have not followed Barracuda's guidance to replace their impacted appliances may still face risk associated with this."

Barracuda added that it "continues to recommend that impacted customers replace their compromised appliance."

"Only a limited number of ESG appliances worldwide were compromised and impacted customers have been notified to replace the appliances," the company said, noting that it's providing the replacement devices for free to impacted customers.

This article first appeared on CRN.