The Barracuda Software company reported that their ESG (Email Security Gateway) software has been actively exploited since October 2022. This exploitation primarily affects versions 5.1.3001 through 9.2.0.006.
The ongoing attack used a zero-day vulnerability labeled “CEV-2023-2868” and was most likely exploited by the Chinese-affiliated group “UNC4841.” UNC4841 is known for cyber attacks that are aligned with strategic goals of the People’s Republic of China.
This particular cyber espionage attack impacted a number of victims across more than 15 countries. UNC4841 gained initial access through a targeted phishing campaign that contained a malicious attachment exploiting the CVE-2023-2868 vulnerability. The exploit used code families known as SALTWATER, SEASPY, and SEASIDE, disguising themselves as Barracuda services to evade detection.
One of the more clever aspects of this hack was the purposeful misspellings and poorly written parts of the email to trick the ESG into disregarding the email immediately into the spam folders. This would make it more likely to be clicked on than an email that doesn’t make it into an inbox at all. UNC4841 used an aggressive approach to stealing and exporting very specific data sets that aligned with the group’s overall goal of supporting Chinese strategy. Some of the targets include European and Asian government officials and important academics from both Hong Kong and Taiwan.
On June 6th, Barracuda advised all affected customers to immediately isolate and replace the infected Barracuda devices. Although Barracuda released two patches, they eventually recommended total device replacement for their affected customers. The effectiveness of the patches was nullified by modifications made by UNC4941 to SEASPY and SALTWATER, rendering the patching process inadequate.