Cybersecurity firm and Google Cloud subsidiary Mandiant has announced that Chinese-backed spies are suspected of being behind the exploitation of a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG).
Researchers traced the attack to a China-linked actor that appears to have been conducting espionage “across multiple regions and sectors,” including against the U.S. government.
The advisory details how a threat actor tracked as UNC4841 sent targeted organizations emails carrying malicious attachments that exploited CVE-2023-2868 to gain initial access to vulnerable Barracuda ESG appliances.
Chinese spies may be behind Barracuda ESG attack
The CVE description details the vulnerability, which affects versions 5.1.3.001 through 9.2.0.006:
“A remote attacker can specifically format [.tar] file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product.”
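The defect class described above is archive member names being interpolated into a shell command (Perl’s qx). The following is an added example, not Barracuda’s or Mandiant’s code: it builds a small tar archive in memory (constructed for the demo), flags member names that must never reach a shell, and contrasts the vulnerable string-building pattern with a hardened form that validates the name and passes it as a discrete argv element. The `scanner` command name, the allowlist pattern and the member names are assumptions for illustration; the backtick name is a generic example of shell metacharacters, not the attackers’ payload.

```python
"""Validate tar member names before any downstream command touches them.

Added example modelling the bug class behind CVE-2023-2868 (a .tar member
name interpolated into a shell command via Perl's qx). Not Barracuda's or
Mandiant's code; the archive and names below are constructed for the demo.
"""
import io
import re
import tarfile

# Allowlist (assumption for this example): a member name may contain only
# these characters and may not start with "/". Everything else (quotes,
# backticks, $, ;, |, &, whitespace, newlines, ...) is rejected outright
# rather than escaped. A real gateway would tune this to its own needs.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-][A-Za-z0-9._/-]*")


def build_sample_tar(names):
    """Build an in-memory tar with one tiny file per name (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"demo\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_safe_name(name):
    """True only if the name matches the allowlist and has no '..' component."""
    if not SAFE_NAME.fullmatch(name):
        return False
    return ".." not in name.split("/")


def unsafe_member_names(tar_bytes):
    """Return every member name in the archive that fails is_safe_name()."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_name(m.name)]


def vulnerable_scan_command(name):
    """The bug class: the name is pasted into a shell command string.

    This is what Perl's  qx(scanner "$name")  does. Wrapping the name in
    double quotes does not help, because sh still expands `...` and $(...)
    inside double quotes. Returned as a string only to show the shape; it
    is never executed here.
    """
    return f'scanner "{name}"'


def safe_scan_argv(name):
    """Hardened form: reject bad names, then hand the name over as one argv
    element for subprocess.run(argv) with shell=False, so no shell parses it."""
    if not is_safe_name(name):
        raise ValueError(f"rejected archive member name: {name!r}")
    return ["scanner", name]


if __name__ == "__main__":
    sample = build_sample_tar(["report.pdf", "invoice`id`.txt", "../escape.txt"])
    for bad in unsafe_member_names(sample):
        print("rejected:", bad, "| would have become:", vulnerable_scan_command(bad))
    print("accepted argv:", safe_scan_argv("report.pdf"))
```

The check is deliberately an allowlist rather than an escaping routine: escaping for one shell dialect is easy to get wrong, while refusing anything outside a small character set and never invoking a shell removes the injection surface entirely.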
According to Mandiant, organizations in both the public and private sectors were targeted, with more than half (55%) of them in the Americas; the remainder were in the EMEA and Asia-Pacific regions in roughly equal numbers. Targeting was clearly focused on “issues that are high policy priorities for the [People’s Republic of China].”
Barracuda’s patch (tracked as BNSF-36456) was applied automatically to all devices, but the intrusions may have gone undetected from October 2022 until May 2023, a period spanning more than seven months.
Mandiant, which published the findings, said in a statement that it “applauds Barracuda for its decisive action, transparency, and information sharing following UNC4841’s exploitation of CVE-2023-2868.”
Still, the true identity of UNC4841 has yet to be confirmed, and the group remains at large, possibly conducting or developing other attacks and exploits elsewhere.