A suspected Chinese hacking group (tracked as UNC4841) continues to target compromised Barracuda appliances in government, high tech, and information technology sectors. The group originally targeted organizations worldwide by exploiting a zero-day vulnerability discovered in Barracuda Email Security Gateway (ESG). Mandiant initially detailed the 8-month-long espionage campaign in a blog post on June 15, 2023. The vulnerability, reported as CVE-2023-2868, allows for remote command execution on the target appliance while processing .tar files containing specially crafted file names.
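The article describes CVE-2023-2868 only as command execution triggered while an appliance processes .tar files with specially crafted member names. The following Python script is an added, illustrative defender-side check, not code from Barracuda, Mandiant, or this article: it opens an archive, flags member names containing characters outside a conservative allow-list, and shows how a name should be quoted before it ever reaches a shell. The allow-list, the helper names (`suspicious_members`, `build_archive`, `shell_safe`) and the sample archive are all constructed here and are assumptions, not details from the page.

```python
import io
import re
import shlex
import tarfile

# Assumption: a conservative allow-list is the safer rule. Anything outside
# letters, digits, dot, underscore, slash, at-sign, plus and hyphen is treated
# as unsafe to hand to a shell command line unquoted.
UNSAFE_NAME = re.compile(r"[^A-Za-z0-9._/@+-]")


def suspicious_members(tar_bytes: bytes) -> list:
    """Return archive member names that fail the allow-list.

    The archive is parsed with the standard tarfile module; member names are
    read from the headers and never passed to any external command.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if UNSAFE_NAME.search(member.name):
                flagged.append(member.name)
    return flagged


def shell_safe(name: str) -> str:
    """Quote a member name so a shell treats it as a single literal word.

    Quoting (or, better, avoiding the shell entirely by passing argv lists)
    is the mitigation for injection through attacker-controlled file names.
    """
    return shlex.quote(name)


def build_archive(names) -> bytes:
    """Constructed sample: an in-memory tar with one empty file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample input: two names carry shell metacharacters.
    sample = build_archive([
        "reports/q4.txt",
        "invoice;2023.pdf",
        "notes (draft).txt",
    ])
    for name in suspicious_members(sample):
        print(f"rejected member name: {name!r} -> quoted form {shell_safe(name)}")
```

Run as a script it rejects the two constructed names that contain a semicolon and a space; the clean name passes. Flagging a name is only a detection aid: the durable fix is to never build a shell command string from archive metadata at all.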
According to Mandiant, nearly a third of the identified organizations impacted by the campaign were government agencies, with the majority of the attacks occurring between October and December 2022. Attackers breached approximately 5% of all ESG appliances in the attacks, says Mandiant. The goal of the campaign appeared to be espionage-related.
This suggests targeted exfiltration was prioritized for specific high value geopolitical and economic users. A distinct prioritization of government agencies alongside high tech and information technology targets was also observed […].
Following Barracuda’s announcement and remediation efforts on May 20, 2023, the threat actors began deploying new post-remediation malware starting on May 22 in an attempt to retain persistent access. The malware targets appeared to be “weighted towards government (national), high tech, and information technology sectors,” suggesting a “prioritization towards conventional espionage targets.” Targets appear limited to previously compromised appliances. Neither Barracuda nor Mandiant has identified any newly compromised ESG appliances following the release of the security patch on May 20, 2023.