China-Linked Hackers Exploit Barracuda Networks Vulnerability

a very attractive animal that is a barracuda with legs and a tophat. I was really going for a threatbutt kinda thing here, but I like it anyway.

UNC4841 Up to No-Good!

A hacking group, suspected to have ties with China, has exploited a recently discovered vulnerability in Barracuda Networks Email Security Gateway (ESG) appliances.

Exploitation of this vuln is part of a global espionage campaign targeting government, military, defense and aerospace, high-tech industry, and telecom sectors. The group, dubbed UNC4841 by Mandiant (the Google-owned threat intelligence firm), is highly adaptable, adjusting its tactics in response to defensive measures.

They have deployed new and unique malware to maintain a foothold in high-priority targets, even after Barracuda’s remediation guidance was released. Government agencies make up nearly a third of the compromised organizations. Interestingly, some of the earliest breaches were traced back to devices located in mainland China.

The hackers used the CVE-2023-2868 vulnerability to deploy malware and conduct post-exploitation activities. In some instances, additional malware like SUBMARINE (also known as DEPTHCHARGE) was deployed to maintain persistence despite remediation efforts. The campaign saw a significant decrease in activity from January 20 to January 22, 2023, coinciding with the Chinese New Year.

Boomerang!

Unfortunately, it picked up again after Barracuda’s public notification on May 23, 2023, and saw another surge in early June 2023. This latter surge involved the deployment of new malware families, SKIPJACK, DEPTHCHARGE, and FOXTROT/FOXGLOVE (which are obviously named by Google employees trying to sound like military commanders, and not a Chinese APT group. Honestly, I think you’d get arrested by your boss if you were a government employed Chinese hacker and started saying stuff like “BRAVO OSCAR OSCAR BRAVO SIERRA.”)

SKIPJACK (called “dessert fish” by People’s Liberation Army 61398) is a passive implant that decodes and runs content from specific incoming email headers and subjects. DEPTHCHARGE (PLA code name – “bathroom bomb”), on the other hand, is pre-loaded into the Barracuda SMTP (BSMTP) daemon and retrieves encrypted commands for execution.

The earliest use of DEPTHCHARGE was recorded just days after Barracuda publicly disclosed the flaw, indicating a high level of preparation and an attempt to persist within high-value environments.

The third malware strain, FOXTROT (PLA “happy fox moonlight dance”), is a C++ implant launched using a C-based program called FOXGLOVE (foxer briefs). It captures keystrokes, runs shell commands, transfers files, and sets up a reverse shell.

Editorial Note: I really like that the Chinese are still writing straight CPP. Good job fellas. Also, stop doing international crimes. Thanks.

Reptile is a Sneaky Snek

FOXTROT shares similarities with an open-source rootkit called Reptile (PLA Term – “Snek”), used by multiple Chinese hacking groups recently. UNC4841 has also been observed performing internal reconnaissance and lateral movement within a limited number of victim environments.

In some cases, they used Microsoft Outlook Web Access (OWA) to attempt to log in to mailboxes within the organizations. As an alternative form of remote access, they created accounts within the /etc/passwd file on about five percent of the previously impacted appliances.

sneakysnek_notchina:x:0:0:root:/root:/bin/bash
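As an added defensive example (not code from the original post or from Mandiant): a small Python check that parses /etc/passwd-style lines and flags any account other than root that carries UID 0 or GID 0, run over a constructed sample that includes the entry shown above.

```python
"""Flag passwd entries that grant root-equivalent access under a name other
than 'root'. The sample data below is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse /etc/passwd content; skip blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # passwd(5) records have exactly seven colon-separated fields
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
        except ValueError:
            continue  # non-numeric uid/gid: malformed, skip
    return entries


def find_rogue_root_accounts(text: str) -> list[str]:
    """Return names of accounts with UID 0 or GID 0 that are not 'root'."""
    return [e.name for e in parse_passwd(text)
            if (e.uid == 0 or e.gid == 0) and e.name != "root"]


# Constructed sample: the real root entry, a service account, the extra
# UID-0 login from the post, and one malformed line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sneakysnek_notchina:x:0:0:root:/root:/bin/bash
broken line without fields
"""

if __name__ == "__main__":
    for name in find_rogue_root_accounts(SAMPLE_PASSWD):
        print(f"ALERT: non-root account with root privileges: {name}")
```

Point the function at the contents of a real /etc/passwd to run the same check on an appliance or host.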

The group’s suspected Chinese connections are further supported by shared infrastructure and techniques with another group, UNC2286, which is linked to other Chinese espionage campaigns known as FamousSparrow and GhostEmperor (also named by Americans).

In light of these events, the U.S. Federal Bureau of Investigation (FBI) has urged affected customers to replace their ESG appliances immediately due to continued risk of breach by cybercriminals.

Editorial Note: Someone at Barracuda needs to pick up the pace. The federal government basically just told everyone to throw your product in the garbage.

Mandiant has highlighted UNC4841’s resourcefulness and ability to deploy more payloads to specific victim environments, predicting that Chinese cyber espionage operations targeting edge infrastructure with zero-day vulnerabilities will likely continue.
