Image: Andras Vas (unsplash)
The Federal Bureau of Investigation has warned that the patches issued for the Barracuda Email Security Gateway (ESG) vulnerability have been ineffective, and it urges organizations to stop using all ESG appliances immediately.
The vulnerability, tracked as CVE-2023-2868 and affecting Barracuda ESG versions 5.1.3.001 through 9.2.0.006, was exploited as a zero-day beginning in October 2022 and remains an attractive target. Barracuda released patches for it by the end of May 2023.
Mandiant reported in June that the attacks on CVE-2023-2868 were linked to a state-sponsored cyberespionage group from Asia, tracked as UNC4841. By July, CISA had published several analysis reports on the malware used in these attacks.
The FBI has since warned that the flaw is still being actively targeted and that even patched ESG appliances remain vulnerable to compromise by these adversaries.
The FBI stresses that any affected ESG appliance must be isolated and replaced, and it urges a thorough scan of the network for signs of compromise.
The vulnerability lies in Barracuda ESG's email attachment inspection feature: a specially crafted TAR file attachment can trigger command execution on the appliance.
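As an added defensive example (not code from the article, Barracuda or the FBI), the Python routine below triages TAR attachments held in a mail quarantine and flags archive member names that contain shell metacharacters, non-printable bytes or path traversal. It assumes that a crafted member file name is what turns the inspection step into command execution; the article does not state that detail, and the sample archive is constructed inline.

```python
import io
import tarfile

# Characters that let an archive member name escape a shell command when the
# inspection code interpolates it unsanitised (assumption: the article does not
# name the exact trigger). Any of these in a file name is reason to quarantine.
SHELL_META = set(";&|`$(){}<>\\\n\r'\"")


def suspicious_members(tar_bytes: bytes):
    """Return (name, reason) for every member of a TAR blob worth quarantining."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            name = member.name
            if any(c in SHELL_META for c in name):
                findings.append((name, "shell metacharacter in member name"))
            elif not name.isprintable():
                findings.append((name, "non-printable byte in member name"))
            elif name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path traversal in member name"))
    return findings


def build_tar(names):
    """Constructed sample archive: one empty file per name (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed quarantine sample: one clean name and two that should be held.
    sample = build_tar(["report.pdf", "photo`true`.jpg", "../etc/x.txt"])
    for name, reason in suspicious_members(sample):
        print(f"QUARANTINE {name!r}: {reason}")
```

The same check can be run over attachments already delivered, since the FBI advice below includes auditing email records for signs of the intrusion.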
Across the intrusions observed, the attackers deployed several malware strains on compromised ESG devices to scan email, steal data and maintain persistent unauthorized access.
In some cases, the adversaries used the compromised ESG to move further into the victim's network or to send malicious email to other systems.
Underscoring the ineffectiveness of Barracuda's fixes, the FBI has observed continued intrusions and assesses that affected ESG devices remain compromised and exposed.
The FBI's advice goes beyond inspecting the appliance itself for signs of intrusion: it recommends reviewing outbound connections, auditing email records, rotating credentials, revoking and reissuing related certificates, checking network logs, and monitoring the whole environment for unusual activity.
Kevin Mandia, Mandiant's CEO, has confirmed that UNC4841 changed its tactics after Mandiant's first report on the matter.
Since Mandiant's initial update in June, and after the patches for CVE-2023-2868 were released, UNC4841 has continued to deploy distinctive malware against a small set of high-value targets. Mandia highlighted the group's skill and adaptability, noting its extensive preparation and purpose-built tooling, which support espionage operations against both public- and private-sector organizations worldwide.
Mandia also noted a marked shift in the group's methods, with UNC4841 becoming increasingly selective in its follow-on espionage campaigns.