Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway

June 15, 2023, by Ravi Lakshmanan

A suspected China-nexus threat actor tracked as UNC4841 is believed to have been exploiting a recently patched zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances since October 2022.

“UNC4841 is an espionage actor behind this widespread campaign in support of the People’s Republic of China,” Google-owned Mandiant said in a new report released today, calling the group “aggressive and skilled.”

The flaw in question is CVE-2023-2868 (CVSS score: 9.8), a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006 that stems from incomplete validation of attachments contained in incoming emails.

Barracuda addressed the issue on May 20 and 21, 2023, after which the company urged affected customers to immediately replace their devices “regardless of patch version level.”

According to the incident response and threat intelligence firm tasked with investigating the hack, UNC4841 sent emails containing malicious TAR file attachments designed to exploit the bug to victim organizations as early as October 10, 2022.

These email messages used generic lures with poor grammar and, in some cases, placeholder values, a tactic deliberately chosen to make the communication look like ordinary spam.

The goal, according to the report, was to deliver three different malware strains, SALTWATER, SEASIDE and SEASPY, that run a reverse shell payload on the targeted ESG device to establish persistence and execute arbitrary commands while masquerading as legitimate Barracuda ESG modules or services.

The attackers also deployed a kernel rootkit named SANDBAR, configured to hide processes whose names start with a specified string, along with trojanized versions of two different legitimate Barracuda Lua modules:

  • SEASPRAY – A launcher that screens incoming email attachments for a specific filename and runs an external C-based utility called WHIRLPOOL to create a TLS reverse shell.
  • SKIPJACK – A passive implant that listens for incoming email headers and subjects and executes the content found in the “Content-ID” header field.
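As an added example that is not from the article or from Mandiant's report, the following Python script triages a raw email along the two lines described above from a defender's side: it flags TAR attachments, including ones with a disguised extension, by checking for the ustar magic, and it flags Content-ID header values that do not look like a normal message-id, the field SKIPJACK is described as reading. The sample message, its addresses and the odd Content-ID value are constructed placeholders.

```python
import email
import io
import re
import tarfile
from email import policy
from email.message import EmailMessage

# A legitimate Content-ID is a single bracketed message-id such as <img01@example.invalid>.
CONTENT_ID_RE = re.compile(r"^<[^<>\s]+@[^<>\s]+>$")
SHELL_META = set("`$|;&(){}")   # characters that never belong in a Content-ID value
TAR_MAGIC_OFFSET = 257          # the "ustar" magic sits at byte 257 of a tar header

def looks_like_tar(payload: bytes, filename: "str | None") -> bool:
    """Identify a tar archive by extension or, when the name is disguised, by magic bytes."""
    by_name = bool(filename) and filename.lower().endswith((".tar", ".tar.gz", ".tgz"))
    by_magic = payload[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar"
    return by_name or by_magic

def triage_message(raw: bytes) -> "list[str]":
    """Return findings for one raw RFC 5322 message: tar attachments and odd Content-ID headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():                      # every MIME part, including the top level
        cid = part.get("Content-ID")
        if cid is not None and (not CONTENT_ID_RE.match(cid.strip())
                                or any(c in SHELL_META for c in cid)):
            findings.append(f"suspicious Content-ID header: {cid.strip()!r}")
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if looks_like_tar(payload, part.get_filename()):
            findings.append(f"tar attachment: {part.get_filename() or '(unnamed)'}")
    return findings

def build_sample() -> bytes:
    """Constructed lure (not a real capture): a tar disguised as .dat plus a malformed Content-ID."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="notes.txt")
        info.size = 5
        tar.addfile(info, io.BytesIO(b"hello"))
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "invoice"
    msg.set_content("please see attached")     # deliberately terse, like the lures described
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="report.dat")
    msg.add_attachment(b"x", maintype="application", subtype="octet-stream",
                       filename="note.bin", cid="<placeholder;not-a-message-id>")
    return msg.as_bytes()
```

Running `triage_message(build_sample())` reports the disguised tar attachment and the malformed Content-ID header; a plain text-only message yields no findings.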

Source code overlaps were also observed between SEASPY and a publicly available backdoor called cd00r, and between SANDBAR and an open-source rootkit, suggesting that the attackers reused existing tools to assemble their intrusion toolset.


After Barracuda discovered the activity on May 19, 2023 and began containment efforts, UNC4841 rapidly modified its malware and employed additional persistence mechanisms, behavior that has all the hallmarks of a persistent threat.

In some cases, the attackers were observed leveraging access to compromised ESG appliances to move laterally into victim networks or to send emails to other victim appliances. Where data exfiltration occurred, it involved the capture of email-related data.

Mandiant said the attacks targeted an unspecified number of private and public sector organizations in at least 16 countries, nearly a third of which were government agencies. 55% of affected organizations are in the Americas, followed by 24% in EMEA and 22% in the Asia-Pacific region.

“UNC4841 has been shown to be highly sensitive to defensive activity and is actively changing its TTPs to maintain operations,” Mandiant said, adding that it expects the attackers to continue to “change their TTPs” and toolkit.
