Summary:
A sophisticated threat actor group known as UNC4841 has been identified as actively targeting Barracuda Email Security Gateway (ESG) appliances. This campaign, which began as early as October 2022, exploits a critical zero-day vulnerability (CVE-2023-2868) present in specific versions of the Barracuda ESG. UNC4841's primary objective is to conduct espionage operations across multiple sectors and regions. This threat advisory provides an overview of the technical details related to the campaign and recommendations for affected organizations.
The identified vulnerability, CVE-2023-2868, is a remote command injection flaw that affects Barracuda ESG appliance form factor versions 5.1.3.001-9.2.0.006. The flaw lies in the appliance's processing of email attachments, specifically in the parsing logic for TAR files. UNC4841 exploits it by crafting TAR file attachments with specially formatted content, causing system commands to run with the privileges of the ESG appliance.

UNC4841 uses several methods to deliver the malicious emails, including spoofing "from" addresses with non-existent domains or with domains they likely do not control. These deceptive techniques are intended to bypass email security controls and increase the likelihood of successful delivery.

Once a malicious TAR attachment is delivered to and processed by a vulnerable ESG appliance, UNC4841 begins a multi-step payload execution chain. The initial exploit launches a reverse shell payload, giving the actor remote access to the appliance. The actor then deploys multiple backdoors, including SEASPY, SALTWATER, and SEASIDE, to establish persistence and maintain control over the compromised devices.
SEASPY is the primary backdoor used by UNC4841; it provides unauthorized access and allows arbitrary commands to be executed on the compromised ESG appliance. SALTWATER, a trojanized module for the Barracuda SMTP daemon (bsmtpd), adds capabilities such as file manipulation, command execution, and proxying. SEASIDE, a Lua-based module, monitors specific SMTP commands and establishes a reverse shell by decoding encoded command and control (C2) information and passing it to an external binary (WHIRLPOOL). Beyond deploying backdoors, UNC4841 also trojanizes legitimate Barracuda Lua modules: by inserting additional callback logic, the actor can execute code whenever specific email-related events occur within the appliance. This compromises the appliance's functionality and potentially enables the exfiltration of sensitive data.
The UNC4841 Barracuda ESG campaign poses a significant threat to organizations that operate these appliances. The actor has shown a high degree of adaptability, repeatedly modifying its tactics, techniques, and procedures (TTPs) to evade detection. Affected organizations should take a proactive stance and conduct thorough investigations to identify and remove any UNC4841 presence within their networks. Organizations should remain vigilant, continue hunting for UNC4841 activity, and implement comprehensive network monitoring and detection capabilities.
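The advisory notes that the flaw is triggered while the ESG parses TAR attachments and that detection capabilities are essential. As an added example that is not part of the original advisory, the script below parses a TAR attachment in memory with Python's standard tarfile module and flags member names containing shell metacharacters, the general class of malformed input the advisory describes, so a mail pipeline can quarantine such attachments before an unpatched appliance handles them. The archive contents, member names and the `quarantine`/`allow` verdict scheme are constructed for this illustration.

```python
import io
import re
import tarfile

# Conservative allow-list for archive member names. Anything outside it, or
# containing a character that could terminate or expand a shell-quoted
# string, is treated as suspicious. Tune to your environment.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/ -]+$")
METACHARS = set("`$;|&<>\n\r'\"\\(){}")

UNPARSEABLE = "<unparseable archive>"


def suspicious_tar_names(data: bytes) -> list:
    """Return member names that contain shell metacharacters or otherwise fall
    outside the allow-list. An archive the parser cannot read is itself flagged,
    since a gateway should not pass on input it cannot inspect."""
    hits = []
    try:
        # mode "r:*" auto-detects gzip/bz2/xz wrapping; nothing is extracted.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf:
                name = member.name
                if not SAFE_NAME.match(name) or any(c in METACHARS for c in name):
                    hits.append(name)
    except tarfile.TarError:
        hits.append(UNPARSEABLE)
    return hits


def verdict(data: bytes) -> str:
    """Map scan results to a simple policy decision for the mail pipeline."""
    return "quarantine" if suspicious_tar_names(data) else "allow"


def build_tar(names) -> bytes:
    """Build an in-memory TAR with the given member names (constructed sample
    input for testing the scanner; each member holds a few placeholder bytes)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            payload = b"sample"
            info = tarfile.TarInfo(name=n)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_tar(["reports/q3-summary.pdf", "notes`x`.pdf", "data;y.csv"])
    print(verdict(sample), suspicious_tar_names(sample))
```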
Recommendations:
Threat Profile:
| Tactic | Technique Id | Technique |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Execution | T1053 | Scheduled Task/Job |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1070 | Indicator Removal |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1087 | Account Discovery |
| Collection | T1074 | Data Staged |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1573 | Encrypted Channel |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1485 | Data Destruction |
References:
The following reports contain further technical details:
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally