Chinese spies blamed for data-harvesting raids on Barracuda email gateways

Snoops 'aggressively targeted' specific govt, academic accounts

Chinese spies are behind the data-stealing malware injected into Barracuda's Email Security Gateway (ESG) devices globally as far back as October 2022, according to Mandiant.

Barracuda discovered a critical bug, tracked as CVE-2023-2868, in these appliances on May 19, we're told, and pushed a patch to all affected products the following day. 

At the time, it said miscreants had been abusing the flaw to run remote commands on targeted equipment, hijack them, and deploy data-stealing spyware on the boxes for at least seven months.

Last week, the vendor told customers to "immediately" replace infected kits, even if they received a patch to fix the remote command injection vulnerability. And don't worry about cost: Barracuda will give all compromised customers a new ESG device for free.

Meanwhile, Mandiant, which has been working with Barracuda to investigate the exploit used and the malware subsequently deployed, today identified a China-based threat group it tracks as UNC4841, and said the snoops targeted a "subset" of Barracuda ESG appliances across several regions and sectors.

"Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," the Google-owned threat intel team said today.

In an emailed statement to The Register, Barracuda confirmed Mandiant's assessment of the threat actor behind the attacks, and said as of June 10, about five percent of ESG appliances have shown evidence of an infection.

"Barracuda is committed to providing transparency around the incident, as well as the information on actions taken to protect customers. Barracuda believes that transparency is in the best interest of its customers, partners, and the greater security community," the statement read. "Collaboration and transparency are important as the industry works together to defend against increasingly sophisticated and aggressive threat actors."

Intrusions started with overly spammy emails

Mandiant, which described UNC4841 as an "aggressive and skilled" crew, said the intrusion started with emails sent to victim organizations. However, the spies didn't want the victims to open the email. Instead they used generic subject and message content, poor grammar and placeholder values to make the email look like spam, get flagged by filters and sent straight to the junk folder, and then — hopefully — avoid a full investigation by security analysts.

"Mandiant has observed this tactic utilized by advanced groups exploiting zero-day vulnerabilities in the past," the analysts said.

The emails contained malicious file attachments designed to exploit CVE-2023-2868 and grant access to vulnerable appliances, and after breaking in to the buggy boxes, the spies used three pieces of malware – dubbed Saltwater, Seaspy, and Seaside – to backdoor the appliances, maintain a persistent presence, upload files, and steal data.

"All three code families attempt to masquerade as legitimate Barracuda ESG modules or services, a trend that UNC4841 has continued with the newly identified malware families detailed for the first time in this blog post," Mandiant said. 

Academics, govt officials 'aggressively targeted'

After compromising the products, UNC4841 also used its access to the ESG devices to send mail to other appliances, move laterally in the victims' networks for further reconnaissance, and "aggressively target" specific data for exfiltration.

Specifically, the spies stole messages belonging to high-profile academics in Taiwan and Hong Kong, and Asian and European government officials in Southeast Asia, we're told.

"In the set of entities selected for focused data exfiltration, shell scripts were uncovered that targeted email domains and users from ASEAN Ministry of Foreign Affairs (MFAs), as well as foreign trade offices and academic research organizations in Taiwan and Hong Kong," according to Mandiant. 

"In addition, the actors searched for email accounts belonging to individuals working for a government with political or strategic interest to the PRC at the same time that this victim government was participating in high-level, diplomatic meetings with other countries," the threat intel analysts added.

After tossing out the compromised kits, per Barracuda's earlier advice, Mandiant also recommends organizations perform their own investigation and hunt for indicators of compromise (IOCs) within their networks — both Mandiant and Barracuda have provided network IOCs.

Also, review email logs to look for initial points of exposure, revoke and rotate credentials that were on the ESG at the time of compromise, and revoke and reissue the ESG certificates.

Also, monitor the entire environment for use of certificates that were on the ESG at the time of compromise.
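A sketch of the certificate-monitoring step above, added here as an example and not taken from Mandiant's or Barracuda's guidance: it fingerprints certificates exported from the ESG and flags any sighting of them in TLS connection logs. The log format, the byte strings standing in for certificates, and all addresses are constructed assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Assumed log format (hypothetical): "<timestamp> <endpoint> cert_sha256=<hex>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+cert_sha256=([0-9A-Fa-f:]+)\s*$")

def pem_fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate in a PEM bundle."""
    fps = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def find_reuse(log_lines, watchlist):
    """Return (timestamp, endpoint, fingerprint) for each watchlisted sighting."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than crash
        fp = m.group(3).replace(":", "").lower()  # 'AB:CD' and 'abcd' compare equal
        if fp in watchlist:
            hits.append((m.group(1), m.group(2), fp))
    return hits

def to_pem(der):  # helper used only to build the sample bundle
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(rows) + "\n-----END CERTIFICATE-----\n"

# Constructed stand-ins for the DER bytes of certificates that were on the ESG.
ESG_DER = [b"constructed ESG certificate A", b"constructed ESG certificate B"]
WATCHLIST = pem_fingerprints("".join(to_pem(d) for d in ESG_DER))
fp_a, fp_b = (hashlib.sha256(d).hexdigest() for d in ESG_DER)
fp_other = hashlib.sha256(b"constructed unrelated certificate").hexdigest()
fp_a_colon = ":".join(fp_a[i:i + 2] for i in range(0, 64, 2)).upper()
SAMPLE_LOG = [  # constructed log lines, documentation addresses only
    f"2023-06-16T09:00:01Z 192.0.2.5:443 cert_sha256={fp_other}",
    f"2023-06-16T09:02:44Z 192.0.2.9:8443 cert_sha256={fp_a_colon}",
    "2023-06-16T09:03:10Z truncated line with no fingerprint",
    f"2023-06-16T09:05:12Z 198.51.100.20:443 cert_sha256={fp_b}",
]

if __name__ == "__main__":
    for hit in find_reuse(SAMPLE_LOG, WATCHLIST):
        print("ESG certificate seen:", *hit)
```

Once the ESG certificates have been revoked and reissued, any hit on the old fingerprints is worth investigating, whichever endpoint presented it.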

Different Chinese spies exploit VMware bug

The Mandiant and Barracuda disclosure today follows another case of Chinese spies exploiting a critical bug to steal data that came to light earlier this week. 

On Tuesday, VMware issued a security update to fix an authentication bypass vulnerability in VMware Tools that affects ESXi hypervisors, tracked as CVE-2023-20867. It turned out that miscreants had already found and abused the bug.

"A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine," the virtualization giant said.

According to Mandiant, a Chinese cyber espionage group that it tracks as UNC3886 found and exploited the flaw before VMware issued a patch. Mandiant spotted this same gang targeting VMware hypervisors for spying purposes back in 2022.

Mandiant researchers told The Register that they are not aware of any overlap between the two China-based threat actors or the Barracuda and VMware exploits. ®

Speaking of security...

  • Watch out for fake exploits: they are usually laced with malware. When researching a vulnerability, and looking for code that exploits the bug, take care with the materials you find. VulnCheck this week pointed out a great example of this: miscreants impersonating real cybersecurity folk to push proof-of-concept zero-day exploit code on GitHub and Twitter, for things like Chrome, Signal and Discord, that turn out to be bogus and instead run malicious binaries.
  • Microsoft patched two XSS vulnerabilities in Azure. Specifically, in Azure Bastion and Azure Container Registry, which could have been exploited by "an unauthorized user to gain access to a target user’s session within the compromised Azure service, and subsequently lead to data tampering or resource modification," as Redmond put it this week. Both holes were fixed in May, and Microsoft said there was no evidence of exploitation. Orca is credited with finding and reporting the bugs, and has a write-up here.
  • And Microsoft has detailed a Russian GRU crew dubbed Cadet Blizzard, which is apparently responsible for the WhisperGate data-destroying malware that hit Ukraine as Russia invaded the nation last year.
