Tag Archive for: Barracuda

Alert: Chinese Threat Actors Exploit Barracuda Zero-Day Flaw


In recent developments, Barracuda, a prominent network and email security vendor, has been grappling with a zero-day vulnerability, tracked as CVE-2023-7102, in its Email Security Gateway (ESG) appliances. The situation is made worse by active exploitation of the flaw by a Chinese threat group tracked as UNC4841. In this blog we look at the Barracuda zero-day flaw, how it works and its impact on ESG customers.


The Barracuda Zero-Day Flaw

 

The root cause of the Barracuda ESG vulnerability is a weakness in the third-party Spreadsheet::ParseExcel library, which the Amavis virus scanner on ESG appliances uses to parse Excel attachments. The flaw allows threat actors to execute arbitrary code on vulnerable ESG devices through parameter injection.

 

Barracuda Zero-Day Flaw Exploited By Chinese Hackers

 

UNC4841 leveraged this Arbitrary Code Execution (ACE) vulnerability by sending a specially crafted Excel email attachment that triggers the flaw in Spreadsheet::ParseExcel when the appliance scans it. As a result, a limited number of ESG devices were compromised.

Barracuda responded on December 22, 2023 by deploying a patch to remediate compromised ESG appliances, which exhibited indicators of compromise linked to new variants of the SEASPY and SALTWATER malware.

The investigation into the Barracuda zero-day flaw is ongoing; the company has told customers that no immediate action is required on their part and has reiterated its commitment to resolving the issue and securing ESG appliances.

 

CVE-2023-7101: A Wider Concern


Notably, Barracuda has also filed CVE-2023-7101 for the underlying vulnerability in the open-source library itself, which affects other products across multiple organizations. At the time of writing that library vulnerability remains unpatched, adding urgency for anyone else who ships Spreadsheet::ParseExcel.


A Recap of May’s Security Warning


These zero-day exploits in network security devices aren’t the first time Barracuda has faced cybersecurity challenges. In May, the company issued a warning to customers about breaches in some of its Email Security Gateway…

Source…

Barracuda report reveals half of all internet traffic is bot-generated


A recent report by Barracuda, a trusted partner and provider of cloud-first security solutions, has unveiled some rather unsettling findings about internet traffic. Approximately half (48%) of all internet traffic is now bot traffic, and a significant share of all traffic, 30%, is attributed to harmful bots.

The findings are part of Barracuda’s latest Threat Spotlight report. It examines how bot traffic has changed over the years and the emerging threats to cybersecurity.

The share of bad bot traffic has actually fallen, from 39% of all traffic in 2021 to 30% in 2023, but the bad news is that the attacks themselves have evolved and are taking a more dangerous shape.

Bots fall broadly into two categories: good and bad. Good bots are search engine crawlers or content monitors that keep the internet functioning, while bad bots are programmed with ill intent. Their activity ranges from basic scraping to advanced distributed denial-of-service attacks.

An analysis of bot traffic origins in the first six months of 2023 shows that the majority (72%) originated from the U.S., followed by the U.A.E. (12%), Saudi Arabia (6%), Qatar (5%) and India (5%). Barracuda researchers caution, however, that these figures are skewed towards the U.S. because 67% of bad bot traffic comes from the IP ranges of public cloud data centres, many of which are located there.

The researchers further highlighted that the bulk of harmful bot traffic originates from two major public clouds, AWS and Azure. This is likely because setting up an account with these providers is free and relatively easy; the report suggests attackers use them to orchestrate bad bot attacks.

The study also discovered that a third of bad bot traffic is generated from residential IP addresses. This is typically a veil, with bot creators using these residential IPs through proxies in a bid to bypass IP blocks and remain undetected.

Reflecting on the findings, Mark Lukie, Director of Solution Architects at Barracuda, Asia-Pacific, says: “The findings show that bots are getting cleverer, and attacks against APIs are increasing. This is likely due to many organisations having weak authentication…

Source…

Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom



A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign.

Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as “highly responsive to defensive efforts” and capable of actively tweaking their modus operandi to maintain persistent access to targets.

“UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda’s remediation guidance,” the Google-owned threat intelligence firm said in a new technical report published today.

Almost a third of the identified affected organizations are government agencies. Interestingly enough, some of the earliest compromises appear to have taken place on a small number of devices geolocated to mainland China.

The attacks entail the exploitation of CVE-2023-2868 to deploy malware and conduct post-exploitation activities. In select cases, the intrusions have led to the deployment of additional malware, such as SUBMARINE (aka DEPTHCHARGE), to maintain persistence in response to remediation endeavors.

Further analysis of the campaign has revealed a “distinct fall off in activity from approximately January 20 to January 22, 2023,” coinciding with the beginning of the Chinese New Year, followed by two surges, one after Barracuda’s public notification on May 23, 2023, and a second one in early June 2023.


The latter is said to have involved the attacker “attempting to maintain access to compromised environments via the deployment of the new malware families SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE.”

While SKIPJACK is a passive implant that registers a listener for specific incoming email headers and subjects before decoding and running their content, DEPTHCHARGE is pre-loaded into the Barracuda SMTP (BSMTP) daemon using the LD_PRELOAD environment variable, and retrieves encrypted commands for execution.
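The LD_PRELOAD mechanism described above is generic to Linux, so a defender can look for its footprints on any appliance or server without knowing the implant by name. The following is an added example, not code from Barracuda, Mandiant or the original article: it reads each process's environment from /proc/<pid>/environ looking for LD_PRELOAD and also reads /etc/ld.so.preload, the other place a system-wide preload can be configured. The process name `smtpd`, the library path `/tmp/.cache/libmsg.so` and the /proc snapshot it builds in a temporary directory are constructed sample data, not indicators from the report.

```python
"""Hunt for LD_PRELOAD-style library injection on a Linux host.

Added example, not Barracuda's or Mandiant's code. It checks the two places
an LD_PRELOAD persistence mechanism has to leave a trace: the environment of
running processes (/proc/<pid>/environ) and the system-wide preload file
(/etc/ld.so.preload). The sample /proc tree below is constructed in a temp
directory so the script runs offline; point scan() at "/" on a real host.
"""
import tempfile
from pathlib import Path


def read_environ(environ_path: Path) -> dict:
    """Parse a NUL-separated /proc/<pid>/environ file into a dict."""
    try:
        raw = environ_path.read_bytes()
    except OSError:  # process exited, or no privilege to read it
        return {}
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preloaded_processes(root: Path) -> list:
    """Return (pid, comm, LD_PRELOAD value) for every process started with LD_PRELOAD."""
    proc = root / "proc"
    if not proc.is_dir():
        return []
    hits = []
    for entry in sorted(proc.iterdir(), key=lambda p: int(p.name) if p.name.isdigit() else 0):
        if not entry.name.isdigit():  # skip /proc/self, /proc/sys and friends
            continue
        env = read_environ(entry / "environ")
        if "LD_PRELOAD" in env:
            comm_file = entry / "comm"
            comm = comm_file.read_text().strip() if comm_file.exists() else "?"
            hits.append((int(entry.name), comm, env["LD_PRELOAD"]))
    return hits


def system_preload(root: Path) -> list:
    """Return library paths listed in /etc/ld.so.preload (normally absent or empty)."""
    preload = root / "etc" / "ld.so.preload"
    if not preload.exists():
        return []
    return [line.strip() for line in preload.read_text().splitlines()
            if line.strip() and not line.startswith("#")]


def scan(root="/") -> dict:
    """Combine both checks; root is "/" on a live host or a snapshot directory."""
    root = Path(root)
    return {"processes": preloaded_processes(root), "ld_so_preload": system_preload(root)}


def build_sample_tree() -> str:
    """Constructed /proc snapshot: a clean sshd and a hypothetical mail daemon with LD_PRELOAD set."""
    base = Path(tempfile.mkdtemp())
    processes = [
        (412, "sshd", {"PATH": "/usr/sbin:/usr/bin", "LANG": "C"}),
        (2731, "smtpd", {"PATH": "/usr/bin", "LD_PRELOAD": "/tmp/.cache/libmsg.so"}),  # sample path
    ]
    for pid, comm, env in processes:
        pid_dir = base / "proc" / str(pid)
        pid_dir.mkdir(parents=True)
        (pid_dir / "comm").write_text(comm + "\n")
        # /proc/<pid>/environ is NUL-separated, with a trailing NUL
        (pid_dir / "environ").write_bytes(
            b"\0".join(f"{k}={v}".encode() for k, v in env.items()) + b"\0")
    (base / "etc").mkdir()
    (base / "etc" / "ld.so.preload").write_text("/tmp/.cache/libmsg.so\n")
    return str(base)


if __name__ == "__main__":
    result = scan(build_sample_tree())
    for pid, comm, lib in result["processes"]:
        print(f"pid {pid} ({comm}) was started with LD_PRELOAD={lib}")
    for lib in result["ld_so_preload"]:
        print(f"/etc/ld.so.preload references {lib}")
```

On a live system run `scan("/")` as root: reading another user's /proc/<pid>/environ needs privilege, and the script treats unreadable entries as empty rather than failing. A hit is not proof of compromise on its own, since legitimate tooling occasionally uses LD_PRELOAD, but a preload that points at a library outside the package-managed paths is worth pulling for analysis, and a non-empty /etc/ld.so.preload on an appliance that never had one is a strong signal.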


The earliest use of DEPTHCHARGE dates back to May…

Source…

Barracuda patch bypassed by novel malware from China-linked threat group



Barracuda email security gateway devices were hit by a cyber espionage campaign from a China-nexus threat group that bypassed remediation efforts and continued unleashing attacks against high value targets, according to research Mandiant released Tuesday.

The threat group, listed as UNC4841, deployed sophisticated malware designed to maintain a presence inside a subset of certain high priority target organizations even after security updates were released for the Barracuda devices. 

Barracuda and Mandiant said they have seen no evidence of a successful exploit of the remote command injection vulnerability, CVE-2023-2868, since Barracuda released a patch on May 20.

Barracuda CISO Riaz Lakhani told Cybersecurity Dive that the patch fully addressed the zero-day vulnerability, and compromised appliances were given additional patches to address the actions of the threat actor.

“Out of an abundance of caution, Barracuda’s recommended remediation for any compromised appliance is replacement,” Lakhani said via email, noting that compromised customers were told to contact the company’s support line.

In June, Mandiant disclosed the hackers were involved in a massive cyber espionage campaign, where they leveraged the devices to send malicious email attachments to targeted government offices in the U.S. and abroad and private sector companies. 

Mandiant said many of the government targets in North America include state and local governments, judiciaries, law enforcement agencies, social services and several incorporated towns. Most of the observed compromises took place during the early months of the campaign, from October to December 2022.

The FBI issued a flash alert in late August warning users to isolate and replace affected Barracuda ESG devices, saying that hackers affiliated with the People’s Republic of China were continuing to exploit the devices. 

According to Mandiant, a…

Source…