Barracuda patch bypassed by novel malware from China-linked threat group



Barracuda Email Security Gateway (ESG) appliances were hit by a cyber espionage campaign from a China-nexus threat group that bypassed remediation efforts and continued attacks against high-value targets, according to research Mandiant released Tuesday.

The threat group, tracked as UNC4841, deployed sophisticated malware designed to maintain a presence inside a subset of high-priority target organizations even after security updates were released for the Barracuda appliances.

Barracuda and Mandiant said they have seen no evidence of a successful exploit of the remote command injection vulnerability, CVE-2023-2868, since Barracuda released a patch on May 20.

Barracuda CISO Riaz Lakhani told Cybersecurity Dive that the patch fully addressed the zero-day vulnerability, and compromised appliances were given additional patches to address the actions of the threat actor.

“Out of an abundance of caution, Barracuda’s recommended remediation for any compromised appliance is replacement,” Lakhani said via email, noting that compromised customers were told to contact the company’s support line.

In June, Mandiant disclosed the hackers were involved in a massive cyber espionage campaign in which they used emails carrying malicious attachments to exploit the appliances at targeted government offices in the U.S. and abroad, as well as at private sector companies.

Mandiant said many of the government targets in North America include state and local governments, judiciaries, law enforcement agencies, social services and several incorporated towns. Most of the observed compromises took place during the early months of the campaign, from October to December 2022.

The FBI issued a flash alert in late August warning users to isolate and replace affected Barracuda ESG devices, saying that hackers affiliated with the People’s Republic of China were continuing to exploit the devices. 

According to Mandiant, a…

Source…