FBI: Who was going around hijacking Barracuda email boxes? China, probably

The FBI has warned owners of Barracuda Email Security Gateway (ESG) appliances that the devices are likely under attack by snoops linked to China, and that removing the machines from service remains the safest course of action.

The attackers are exploiting CVE-2023-2868, a critical remote command injection vulnerability that was discovered in May 2023 and had been exploited as far back as October 2022.

After Barracuda spotted the bug on May 19, it pushed a patch the next day. In June, the vendor recommended replacing the appliances, even if they had been patched.

On Wednesday, the FBI pushed that advice in a flash alert [PDF] that stated it "strongly advises all affected ESG appliances be isolated and replaced immediately."

The bureau added it had "independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected [People's Republic of China] PRC cyber actors exploiting this vulnerability."

The intruders have already enjoyed plenty of success.

"Based on the FBI's investigation to date, the cyber actors exploited this vulnerability in a significant number of ESG appliances and injected multiple malicious payloads that enabled persistent access, email scanning, credential harvesting, and data exfiltration," the agents said.

The espionage campaign involved phishing emails containing malicious attachments. Originally the files had .tar extensions, but later emails included .jpg or .dat files, the FBI noted. These malicious attachments, once scanned by the Barracuda appliance, exploited the CVE-2023-2868 security bug, initiated communications with an attacker-controlled server, and allowed the suspected PRC-sponsored crew to deploy malware to targeted devices and snoop around for data to steal.

In some cases, the intruders used the infected ESG appliance as an entry point into victims' networks. On other occasions the attackers used the Barracuda boxes to send emails to other appliances to hop into other networks, the FBI explained.

We're told the spies also used counter-forensic techniques to cover their tracks, making it harder to find indicators of compromise.

The FBI is now confident enough that it can identify those indicators that its alert lists half a dozen IP addresses not previously mentioned by other investigators.

If the China script sounds familiar, it's because two months ago Mandiant attributed the ESG attacks to a Middle-Kingdom-based crew it tracks as UNC4841.

The Barracuda infections show a "major shift in tradecraft from China-nexus threat actors, particularly as they become more selective in their follow-on espionage operations," Mandiant CEO Kevin Mandia told The Register.

"Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868," he added.

The FBI's report also highlights the measures UNC4841 took to maintain access to victims' networks — either before Barracuda issued a patch, or before organizations had a chance to implement the fix, Mandiant senior incident response manager Austin Larsen told The Register.

Mandiant worked with Barracuda to investigate the exploitation. Since Mandiant, now owned by Google Cloud, published its June report, Larsen said no successful exploitation of CVE-2023-2868 has been identified.

"But once initially compromised, we have seen UNC4841 deploy new malware following the remediation of CVE-2023-2868 that was designed to maintain a presence at a small subset of high priority targets," he said.

Which is why the FBI has joined Barracuda in recommending the ESG appliances be either isolated or replaced.

Which means the good news is you don't have to patch – just quickly fix a gap in your email defenses. ®