FBI: Who was going around hijacking Barracuda email boxes? China, probably

The FBI has warned owners of Barracuda Email Security Gateway (ESG) appliances the devices are likely undergoing attack by snoops linked to China, and removing the machines from service remains the safest course of action.

The attackers are exploiting CVE-2023-2868, a critical remote command injection vulnerability that was discovered in May 2023, and was exploited as far back as October 2022.

After Barracuda spotted the bug on May 19, it pushed a patch the next day. In June, the supplier recommended replacing the appliances, even if they had been patched.

On Wednesday, the FBI pushed that recommendation in a flash alert [PDF] that stated it "strongly advises all affected ESG appliances be isolated and replaced immediately."

The bureau added it had "independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected [People’s Republic of China] PRC cyber actors exploiting this vulnerability."

The intruders have already enjoyed plenty of success.

"Based on the FBI's investigation to date, the cyber actors exploited this vulnerability in a significant number of ESG appliances and injected multiple malicious payloads that enabled persistent access, email scanning, credential harvesting, and data exfiltration," the agents said.

The espionage campaign involved phishing emails containing malicious attachments. Originally the files had .tar extensions, but later emails included .jpg or .dat files, the FBI noted. These malicious attachments, when scanned by the Barracuda appliance, exploited the CVE-2023-2868 security bug, and initiated communications with an attacker-controlled server, and allowed the suspected PRC-sponsored crew to deploy malware to targeted devices and snoop around for data to steal.

In some cases, the intruders used the infected ESG appliance as an entry point to victim's networks. On other occasions the attackers used the Barracuda boxes to send emails to other appliances to hop into other networks, the FBI explained.

We're told the spies also used counter-forensic techniques to cover their tracks, making it harder to find indicators of compromise.

The FBI is now confident enough that it can identify those indicators that its alert lists half a dozen IP addresses not previously mentioned by other investigators.

• Chinese spies blamed for data-harvesting raids on Barracuda email gateways
• Barracuda tells its ESG owners to 'immediately' junk buggy kit
• Barracuda Email Security Gateways bitten by data thieves
• Don't just patch your Citrix gear, check for intrusion: Two bugs exploited in wild

If the China scenario sounds familiar, it's because two months ago Mandiant attributed the ESG attacks to a Middle-Kingdom-based crew it tracks as UNC4841.

The Barracuda infections show a "major shift in tradecraft from China-nexus threat actors, especially as they become more selective in their follow-on espionage operations," Mandiant CEO Kevin Mandia told The Register.

"Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868," he added.

The FBI's analysis also highlights the measures UNC4841 took to maintain access to victims' networks — either before Barracuda issued a patch, or before organizations had a chance to implement the fix, Mandiant senior incident response manager Austin Larsen told The Register.

Mandiant worked with Barracuda to investigate the exploitation. Since Mandiant, now owned by Google Cloud, published its June report, Larsen said no successful exploitation of CVE-2023-2868 has been identified.

"But once initially compromised, we have seen UNC4841 deploy novel malware following the remediation of CVE-2023-2868 that was designed to maintain a presence at a small subset of high priority targets," he said.

Which is why the FBI has joined Barracuda in recommending the ESG appliances be either isolated or replaced.

Which means the good news is you don’t have to patch – just rapidly fix a gap in your email defenses. ®