Saturday, April 13, 2024

Barracuda ESG zero-day vulnerability exploited by Chinese hackers UNC4841

The researchers were struck by the group's extensive toolkit and by how quickly it adapted once defenders began to respond.

Security researchers at Mandiant have identified the actor that actively exploited the zero-day vulnerability in the Barracuda Email Security Gateway (ESG), which was disclosed at the end of May. According to the researchers, the Chinese threat group UNC4841 is behind the exploitation, which had been running for roughly seven months before the flaw was discovered.

The vulnerability the group exploited is tracked as CVE-2023-2868 and carries a CVSS score of 9.8 out of 10. It is a remote command injection flaw in affected Barracuda ESG versions, caused by incomplete input validation of .tar attachments in incoming emails: the file names inside the archive are not sanitized before they reach a system command.

Barracuda patched the issue shortly after it was discovered, but later urged affected customers to replace compromised appliances immediately "regardless of patch version level", since a patch does not remove an implant already on the device.

According to Mandiant, UNC4841 began sending emails with malicious .tar attachments to victim organizations as early as October 10, 2022. The attackers' goal was to obtain a reverse shell on the targeted ESG appliances and to deploy three malware families, SALTWATER, SEASIDE and SEASPY, which provide persistence and execute arbitrary commands while masquerading as legitimate Barracuda ESG modules or services.
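As an added example (not code from this page, from Mandiant or from Barracuda), the following Python inspects a .tar attachment's member names for shell metacharacters, the kind of check a mail gateway would need to catch the malicious .tar attachments described above. It assumes, consistent with public descriptions of CVE-2023-2868, that the injection vector is unsanitized member file names; the metacharacter list, the `scan_tar_attachment` and `build_tar` helpers and the sample archives are all constructed for illustration, not taken from the real exploit or the real fix.

```python
import io
import re
import tarfile

# Characters that have no business in a legitimate archive member name.
# ASSUMPTION: public write-ups describe CVE-2023-2868 as command injection
# through unsanitized .tar member names, so the heuristic targets shell
# syntax; this is not the exact filter Barracuda shipped.
SUSPICIOUS_NAME = re.compile(r"[`$|;&<>\n]")


def scan_tar_attachment(tar_bytes: bytes) -> list[str]:
    """Return a list of findings for an in-memory .tar attachment.

    Each finding is either a member name containing shell metacharacters
    or a 'malformed archive' entry when the bytes do not parse as tar.
    The archive is only listed, never extracted, so no entry touches disk.
    """
    findings: list[str] = []
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
            for member in tar.getmembers():
                if SUSPICIOUS_NAME.search(member.name):
                    findings.append(member.name)
    except tarfile.TarError as exc:
        # An attachment that claims to be a tar but will not parse is worth
        # flagging too, rather than silently passing it through.
        findings.append(f"malformed archive: {exc}")
    return findings


def build_tar(members: dict[str, bytes]) -> bytes:
    """Build a tar archive in memory from {member_name: content} (test helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: an ordinary attachment and one whose member name
# carries backtick command substitution, which a command-injection-prone
# parser would hand to the shell.
BENIGN_TAR = build_tar({"report.pdf": b"%PDF-1.4", "docs/notes.txt": b"hello"})
MALICIOUS_TAR = build_tar({"invoice.pdf": b"%PDF-1.4", "`id`": b"x"})

if __name__ == "__main__":
    print("benign   :", scan_tar_attachment(BENIGN_TAR))      # []
    print("malicious:", scan_tar_attachment(MALICIOUS_TAR))   # ['`id`']
    print("garbage  :", scan_tar_attachment(b"not a tar"))    # ['malformed archive: ...']
```

Listing member names with `getmembers()` rather than extracting is the point: the dangerous data here is the name itself, and the check must run before any code path interpolates that name into a command.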

The attacker also used a kernel rootkit called SANDBAR, configured to hide processes whose names start with a specific string, as well as trojanized versions of two genuine Barracuda Lua modules.

One of those trojanized modules, SEASPRAY, inspects incoming email attachments for a specific file name and, when it finds one, runs an external utility called WHIRLPOOL to establish a TLS reverse shell. The other, SKIPJACK, is a passive implant that scans incoming email headers and subjects and executes the content carried in the "Content-ID" header field.

The researchers also found source code matches between SEASPY and a publicly available backdoor called cd00r, as well as between SANDBAR and an open source rootkit, indicating that the actor adapted existing intrusion tools.

UNC4841 shows every hallmark of a well-resourced, persistent actor: when Barracuda began containment, the group rapidly modified its malware and added further mechanisms to keep its foothold on victims' systems.

The UNC4841 attacks, according to Mandiant experts, targeted an unspecified number of private and public organizations located in at least 16 countries, with almost a third of them being government entities. 55% of the affected organizations are located in the Americas, 24% in Europe, the Middle East and Africa, and another 22% in the Asia-Pacific region.

“UNC4841 has shown itself to be quick to adapt to any changes to maintain the status of its operations,” Mandiant said.
