
China-based threat actor likely behind Barracuda ESG exploit

Barracuda Networks has released an update regarding the vulnerability affecting one of its email security gateway (ESG) appliances.

David Hollingworth
Fri, 16 Jun 2023

This is the same vulnerability that led to the ACT government reporting a data breach last week.

Working with security company Mandiant, the company has revealed that the vulnerability affects only 5 per cent of its ESG products worldwide. However, despite repeated patching of the appliances, Barracuda and Mandiant are still seeing ongoing malware activity on the affected appliances.

More concerning, Mandiant now believes that the malware is being operated by a China-based threat actor. It is highly likely this actor — a previously unknown entity currently dubbed UNC4841 by Mandiant — is performing espionage activities on behalf of the Chinese government. The threat actor's command-and-control infrastructure and some of its code match those of other China-nexus threat actors.

“The targeting, both at the organisational and individual account levels, focused on issues that are high policy priorities for the PRC, particularly in the Asia-Pacific region, including Taiwan,” Mandiant said in a recent blog post.

The threat actor’s operations — which involve data exfiltration and email monitoring — have targeted public and private organisations in 16 countries, with a particular focus on individuals and entities in Taiwan and Hong Kong and various ministries of foreign affairs in ASEAN governments.

Nearly one-third of UNC4841’s targets are government agencies, with 55 per cent of the targeted organisations being in the Americas — though Mandiant notes that may simply reflect the fact that many of Barracuda’s customers are in that region. Organisations in Europe, the Middle East, and Asia represent 24 per cent of UNC4841’s operations, and 22 per cent are in the Asia-Pacific region.

The vulnerability itself is based on how the affected gateways handle .TAR files. UNC4841 was able to take advantage of this by sending emails — often from spoofed addresses — that included specifically crafted .TAR packages that, in turn, led to a command injection and the creation of a reverse shell. From there, the threat actor was able to install a series of backdoors on the targeted ESG appliance.

Each of the three backdoors — SeaSpy, Saltwater and SeaSide — has its own range of functionality, but together they allow UNC4841 to monitor emails and specific addresses, as well as package up data for exfiltration.

“In some cases, UNC4841 downloaded individual malware files directly,” Mandiant’s researchers said. “In other cases, Mandiant observed the actor download TAR files that contained backdoor payloads along with shell scripts to install and persist them.”

In a small number of cases, Mandiant also observed UNC4841 performing scans of the host network's infrastructure. The threat actor was seen to use a number of open-source tools and, in one instance, scanned over 50 subnets in nine days.

While Barracuda quickly applied a number of patches to counter the malware, UNC4841 was able to modify its tactics and, indeed, its tools on the fly, maintaining persistence on affected devices despite the company’s best efforts. It’s for this reason that both Barracuda and Mandiant recommend replacing affected devices entirely. Barracuda has said it will replace the hardware at no additional cost.

“We have notified customers impacted by this incident,” Barracuda said in an update on the situation. “If an ESG appliance is displaying a notification in the user interface, the ESG appliance has indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time. Again, only a subset of ESG appliances were impacted by this incident.”

In its blog post, Mandiant praised Barracuda for its quick response to the threat activity and for sharing telemetry and other data, and also noted that it had been working with a number of “government and intelligence partners”.

“The data provided by Barracuda enabled Mandiant to understand the full scope, investigate at scale, as well as monitor subsequent attacker activity,” Mandiant said.
