The FBI has released a warning that services provided by IT vendor Barracuda Networks remain at risk of being attacked by cybercriminals working for the People’s Republic of China, despite patches being released by the company in May. Barracuda boasts high-profile clients such as Kraft Heinz and NHS Scotland.
The vulnerability, tracked as CVE-2023-2868, affects Barracuda Networks’ Email Security Gateway (ESG) appliances. The FBI flash alert urges the immediate removal of such appliances from any customer network.
The vulnerability has been exploited in the wild since as early as October 2022, according to a report by security company Mandiant, which was only called in to assist in the investigation of the Barracuda ESG attacks in May of this year. The FBI described the vulnerability as a ‘zero day,’ a term for a bug that is exploited before a patch exists and is, therefore, highly prized by cybercriminals.
Mandiant explained at the time that it had “identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to use as a vector for espionage.” As such, any Barracuda client using the ESG appliances may be spied upon by China-based cybercriminals, who are suspected by the FBI to be working for the Chinese government.
Barracuda Networks claims its services are used by over 200,000 organisations across the globe, including companies like Mitsubishi, Samsung, Kraft Heinz and Delta Airlines. UK clients include public sector customers like NHS Scotland as well as elements of critical national infrastructure, such as the independent oil and gas company the Parkmead Group.
Patches for the vulnerability were released by Barracuda Networks on 19 and 23 May. However, the attackers worked around them and continued to intrude into victims’ networks. On 31 May, Barracuda advised its customers to isolate and replace impacted ESG products, regardless of patch level.
Yesterday, the FBI echoed this warning, saying that it “continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit. Barracuda customers should remove all ESG appliances immediately.”
How does the attack work?
According to the FBI, China-based cybercriminals have exploited a significant number of ESG appliances and injected multiple malicious payloads, including Saltwater and Seaspy malware, that enabled persistent access, email scanning, credential harvesting, and data exfiltration.
“In many cases, the criminals obfuscated their actions with counter-forensic techniques, making detection of compromise difficult through only scanning the appliance itself for indicators of compromise,” reads the FBI report. “As a result, it is imperative that networks scan various network logs for connections to any of the listed indicators.”
After the suspected government-backed Chinese cybercriminals compromised the device, they were observed dropping various malicious payloads into the vulnerable machines and aggressively targeting specific data for exfiltration. In some cases, the hackers used initial access to the ESG appliance as an entry point to the rest of the victim’s network or sent emails to other victim appliances. The cyber actors used additional tools to maintain long-term, persistent access to the ESG appliances, the FBI added.
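The FBI’s advice above is to look for connections to listed indicators in network logs rather than relying on scans of the appliance itself. The following is an added example of that kind of check, not code from the FBI, Barracuda or Mandiant; the log format, hostnames and indicator values are constructed placeholders (the article does not reproduce the FBI’s indicator list), and it matches both IP addresses and domains, including subdomains of a listed domain.

```python
"""Added example: match egress connection logs against an IoC list.
All sample data below is constructed; the indicators are PLACEHOLDERS."""
from __future__ import annotations
import ipaddress
import re
from collections import defaultdict

# Placeholder indicators (documentation-only IP ranges and a reserved TLD).
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
IOC_DOMAINS = {"ioc-example.invalid"}

# Constructed proxy/firewall lines: "<ts> <src_host> <src_ip> -> <dst>[:port] <action>"
SAMPLE_LOGS = """\
2023-05-20T01:02:03Z esg-01 10.0.0.5 -> 203.0.113.10:443 allow
2023-05-20T01:02:04Z esg-01 10.0.0.5 -> updates.example.com:443 allow
2023-05-20T01:05:00Z mail-relay 10.0.0.9 -> cdn.IOC-EXAMPLE.invalid.:80 allow
2023-05-20T01:07:00Z ws-42 10.0.1.77 -> 198.51.100.7:22 deny
2023-05-20T01:09:00Z ws-42 10.0.1.77 -> 192.0.2.44:443 allow
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+?)(?::(\d+))? (\S+)$")

def matches_ioc(dst: str) -> str | None:
    """Return the indicator that `dst` matches, or None.
    Hostnames are lower-cased and stripped of a trailing dot first;
    a domain indicator also matches its subdomains."""
    host = dst.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)          # literal IP destination
        return host if host in IOC_IPS else None
    except ValueError:
        pass                                # not an IP: treat as a hostname
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def scan_logs(text: str) -> dict[str, list[tuple[str, str, str]]]:
    """Map each source host to its (timestamp, destination, indicator) hits.
    Denied connections are kept: a blocked attempt is still a signal."""
    hits: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip malformed lines, keep scanning
        ts, src_host, _src_ip, dst, _port, _action = m.groups()
        ioc = matches_ioc(dst)
        if ioc:
            hits[src_host].append((ts, dst, ioc))
    return dict(hits)

if __name__ == "__main__":
    for host, entries in scan_logs(SAMPLE_LOGS).items():
        print(f"{host}: {len(entries)} connection(s) to listed indicators")
        for ts, dst, ioc in entries:
            print(f"  {ts} {dst} (matches {ioc})")
```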
This week, another zero-day vulnerability was uncovered by security company Group-IB in the popular compression tool WinRAR. The vulnerability, tracked as CVE-2023-38831, has been exploited by various cybercriminal groups since April 2023. After infecting devices, the criminals withdraw money from victims’ broker accounts. The total sum of financial losses is as yet unknown. The tool has over 500 million users.