Dive Brief:
- Hackers affiliated with the People’s Republic of China are still attempting to exploit a zero-day vulnerability in Barracuda Network’s Email Security Gateway appliances, the FBI said in an alert issued Wednesday.
- Hackers can still exploit the patches for the vulnerability, CVE-2023-2868, which are ineffective, the FBI said. All affected appliances should be disconnected from the internet and replaced.
- The PRC-linked hackers have exploited the vulnerability to insert malicious payloads onto ESG devices and conduct multiple types of attacks, obtaining persistent access, scanning email, harvesting credentials and exfiltrating stored data.
Dive Insight:
The vulnerability is a remote command injection vulnerability that allows attackers to conduct unauthorized commands with the privileges of administrator on the devices, according to the FBI.
The hackers have crafted TAR file attachments and sent emails using .tar extensions as well as .jpg or .dat. The hackers have also employed counter-forensic techniques to hide their actions.
In June, Barracuda urged customers to replace the compromised devices, as the vulnerability had been actively exploited since October. Repeated patches were not able to protect against the continued threat activity.
Barracuda has been working with Mandiant to respond to the attacks, and has not found any evidence of successful attacks after the release of the May 20 patch, according to Austin Larsen, senior incident response manager at Mandiant, a unit of Google Cloud.
“However, the threat actor deployed additional malware to devices that were already compromised and conducted additional post-exploitation activities,” Larsen said via email.
Mandiant in June released research showing the hackers were involved in a broad, sophisticated espionage campaign.
A limited number of victims who were previously impacted by the vulnerability failed to follow Barracuda’s guidance to replace their appliances and still face the risk of attack, according to Mandiant.
The threat actor, which Mandiant identifies as UNC4841, “has shown a special interest in a subset of priority victims,” Larsen said.
The hackers have deployed additional malware, including a malware called Depthcharge, to maintain persistence in response to the remediation efforts, Larsen said.
The Cybersecurity and Infrastructure Security Agency earlier this month issued additional analysis of malware associated with the Barracuda attacks.
The company on Wednesday said its guidance to customers remains consistent. Organizations that received a notification or have been contacted by a technical support representative from Barracuda should contact the vendor to replace the appliance.
The FBI is urging appliance customers to review email logs, revoke and reissue credentials used on the devices and review network logs for signs of exfiltration and lateral movement.
Source link