Barracuda gateway attacks: How Chinese snoops keep a grip on victims' networks

Backdoors detailed, plus CISA releases more IOCs for IT depts to check

Nearly a third of organizations compromised by Chinese cyberspies via a critical bug in some Barracuda Email Security Gateways were government units, according to Mandiant.

And, the Google-owned team warned, it's not over yet: "Mandiant assesses that, at the time of writing, a limited number of previously impacted victims remain at risk due to this campaign."

By that, Mandiant means Beijing's spies not only broke into a relatively small number of organizations, via the vulnerability CVE-2023-2868 in Barracuda's products, they may still have access into those networks even after their victims took action to secure devices, by using earlier planted backdoors. Mandiant continues to recommend people dump and replace their at-risk Barracuda equipment.

The security outfit previously attributed the attacks on the Barracuda-made gateways to UNC4841, a China-based espionage team. In a report published yesterday, the researchers detailed three backdoors deployed by the spies on compromised networks; these backdoors not only allowed the intruders to poke around inside victims' environments, they're useful for maintaining persistent access.

Mandiant's research comes as the US goverment's Cybersecurity and Infrastructure Security Agency (CISA) released fresh indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868; these details are handy if you want to check whether you were hit by China.

UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets

The latest CISA list follows an earlier analysis by Uncle Sam of UNC4841's Barracuda backdoors, and previous IOCs linked to the bug's exploitation.

CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda ESG appliances versions to UNC4841 exploited this vulnerability as a zero-day flaw as early as October 2022, and the hole wasn't discovered and patched until May 2023. But by then the spies had already installed backdoors — some of them never seen before — in victims' networks, which allowed the intruders to maintain control and persistence even after the flaw had been fixed and patches deployed.

This prompted the vendor in early June to recommend customers rip and replace all of their ESG appliances, even if they've been patched, with Barracuda footing the bill for the new non-buggy kit.

On Friday the FBI confirmed what Mandiant had already said: snoops linked to China were most likely behind the attacks.

In a deep dive published this week, Mandiant said even after Barracuda patched the vulnerability, the spies showed "sophistication and adaptability in response to remediation efforts," and likely created their post-intrusion software tools in advance, to use against high-value target organizations' networks.

"Specifically, UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda's remediation guidance," Mandiant's latest research concluded.

UNC4841's prey

Overall, only about five percent of ESG appliances worldwide were compromised, according to Mandiant. Organizations in the US and Canada were hit the most, although this could be due to the vendor's customer base, and almost a third (27 percent) of these were government agencies, compared to 73 percent of global victims that were private-sector organizations across all industries.

"Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city, and town offices that were targeted in this campaign," Mandiant's Austin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, and Michael Raggi wrote. "While overall local government targeting comprises just under seven percent of all identified affected organizations, this statistic increases to nearly seventeen percent when compared to US-based targeting alone."

Since Barracuda released a patch for CVE-2023-2868, however, local governments now make up only eight percent of the observed impacted organizations, we're told.

"This decline may represent an evolving operational priority for UNC4841 over the duration of sustained threat activity," Mandiant noted.

Regional IT providers in both the US and Europe were hot initial targets for UNC4841 during which the spies exploited the bug to deploy three backdoors, Saltwater, Seaspy, and Seaside, on the appliances.

But after dropping the sea-themed malware on the IT providers' ESGs, UNC4841 didn't do anything else. "A possible conclusion of these three malware families being observed in isolation is adversaries have not yet prioritized the infected appliances for further compromise and deployment of later stage tools attributed to UNC4841," Mandiant said.

Mandiant discussed these three malware families in research published in June.

But wait, there's more backdoors

In its latest write-up, the threat intel team detailed a second, "previously undisclosed wave" of attacks beginning in early June — around the time that Barracuda told customers to "immediately" replace infected ESG products.

"In this second wave, Mandiant discovered the actor attempting to maintain access to compromised environments via the deployment of the new malware families Skipjack, Depthcharge, and Foxtrot / Foxglove," the report stated. 

"This second surge represented the highest intensity of UNC4841 activity identified by Mandiant across the entire campaign, demonstrating UNC4841's determination in preserving access to specific victim environments," it added.

Of the three backdoors deployed in this second surge, Skipjack was the most widely used and Mandiant observed it on about 5.8 percent of all compromised ESG appliances. The snoops primarily targeted government and tech organizations with the Skipjack malware.

It trojanizes legitimate Barracuda ESG modules, injects malicious code, and "establishes its backdoor capabilities by registering a listener for specific incoming email headers and subjects, and then decoding and executing the content of them," Madniant said.

The second backdoor, which Mandiant named Depthcharge and CISA tracks as Submarine, was designed to infect new, clean devices when the victim orgs restored backup configurations from their previously compromised appliances.

Both of these were designed specifically for Barracuda ESGs.

The third malware, Foxtrot and Foxglove, wasn't designed expressly for Barracuda ESGs. Mandiant says it only observed this backdoor being used on government or government-related devices at high-priority targets.

Mandiant recommends organizations continue to hunt for activity on their networks that could indicate the presence of UNC4841 as the ongoing investigation has shown the cyberspies to be "highly responsive to defensive efforts," modifying their tactics "continue their espionage operation." ®

More about


Send us news

Other stories you might like