A zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances, discovered in late May, had been exploited in a Chinese espionage campaign since October 2022, according to Mandiant.

The Google-owned threat intelligence firm revealed in a new report yesterday that a newly tracked threat actor, UNC4841, began sending phishing emails as early as October 10 last year. These emails carried malicious attachments crafted to exploit the Barracuda bug CVE-2023-2868 and gain initial access to vulnerable appliances, the report added.

Once a foothold was established, the group used the Saltwater, Seaside, and Seaspray malware families to maintain a presence on the devices, disguising them as legitimate Barracuda ESG modules or services.

"After the initial compromise, Mandiant and Barracuda observed that UNC4841 aggressively targeted specific data of interest for exfiltration and, in some cases, leveraged access to an ESG Appliance to perform lateral movement in the victim network or to send mail to other victim appliances," the report continued. "Mandiant also observed that UNC4841 deployed additional tools to maintain its presence on ESG appliances."

Barracuda discovered the campaign on May 19 and released patches to contain and remediate the threat two days later. However, the threat group modified its malware and deployed new persistence mechanisms to retain access, Mandiant explained. Between May 22 and May 24, UNC4841 targeted victims in 16 countries in "high frequency" operations, prompting Barracuda to take the unusual step of urging customers to isolate and replace their appliances regardless of patch status.

The security vendor was praised for its quick response and for sharing product-specific expertise that enabled a full investigation. However, the threat from UNC4841 persists.

"UNC4841 has been very responsive to defensive efforts and is actively modifying TTPs to maintain their operations. Mandiant urges affected Barracuda customers to continue to hunt for this actor and investigate affected networks," Mandiant concluded. "We expect UNC4841 to continue to modify its TTPs and toolkit, especially as network defenders continue to take action against this adversary and their activity is further exposed by the infosec community."

The threat actor is assessed to be an espionage group operating in support of the Chinese government. A third of its victims were government agencies, while individual targets included well-known academics in Taiwan and Hong Kong, as well as Asian and European government officials based in Southeast Asia.

