Barracuda Email Gateways in Select US and Canadian Government Agencies | computer science direction

According to Mandiant researchers, some previously compromised Barracuda Networks ESG email gateways remain under the attacker's control, despite warnings to users to swap out the devices.

In a report released this week, the company states that a limited number of previously affected victims remain at risk from an attack campaign by a China-linked espionage group tracked as UNC4841, which exploited a remote command injection vulnerability (CVE-2023-2868).

Compromised gateways that contained malware and a backdoor for persistence were hit so hard that Barracuda, the US Cybersecurity and Infrastructure Security Agency and the FBI asked network administrators to replace the devices rather than attempt to remediate them.

The group's global espionage campaign began eight months ago, the report said. The US and Canada were the main targets, followed by China, Germany, the Netherlands, Poland, Japan and Vietnam.

Almost a third of the affected organizations identified are government agencies. The second largest sector is high technology and information technology companies.

Affected North American organizations included state, provincial, county, tribal, and city agencies, including law enforcement, courts, and social services, as well as several incorporated cities.

But companies in semiconductors, public health, aerospace, artificial intelligence/autonomous vehicles and rare earth metals production have also been affected.

A sign of this threat actor's determination: after Barracuda announced the vulnerability on May 23, it deployed new malware. Mandiant calls these malware families Skipjack (a passive backdoor for eavesdropping on communications), DepthCharge (a backdoor that the US Cybersecurity and Infrastructure Security Agency calls Submarine), Foxglove (a malware launcher), Foxtrot (the associated payload, which among other things can capture keystrokes) and a second version of SeaSpy (a passive backdoor). The goal was to maintain a presence on a small subset of high-priority targets that it had compromised either before the patch was released or shortly after Barracuda's remediation instructions.

According to the report, however, since Barracuda released a patch for ESG devices on May 20, Mandiant and Barracuda have found no evidence of a successful exploitation of CVE-2023-2868 resulting in newly compromised physical or virtual ESG devices.

Only 5 percent of all installed ESGs were compromised. No other Barracuda products, including Barracuda’s SaaS messaging solutions, were affected by this vulnerability.

Mandiant believes UNC4841 likely used message content stored in the mstore, a temporary storage location on ESG devices, to collect credentials. Mandiant repeatedly identified clear-text credentials in message content stored on the ESG, which UNC4841 then leveraged to successfully access the corresponding account via Outlook Web Access (OWA) on the first attempt.

In more than one instance, the report said, Mandiant saw the hacker using OWA to attempt to connect to the mailboxes of users in the victim organization. In one case, a relatively small number of failed OWA access attempts resulted in a limited number of accounts being locked out. In cases where UNC4841 was able to gain unauthorized access to a limited number of accounts, Mandiant was unable to determine that UNC4841 had sent email from the compromised account.
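The lockouts described above are a detection opportunity: a burst of failed OWA logons, whether many attempts against one account or a few attempts spread across many accounts from one source, stands out in web server logs. The following script is an added example written for this page, not code from the article or from Mandiant; it assumes a simplified IIS W3C-style line layout (date, time, method, URI, username, client IP, status) and runs over constructed sample lines.

```python
"""Flag bursts of failed OWA logons from constructed IIS-style log lines.

Added example for this page, not from the article or from Mandiant.
Assumed (simplified) field layout per line:
    date time cs-method cs-uri-stem cs-username c-ip sc-status
"""
from collections import defaultdict

# Constructed sample log lines (not real data). 401 = authentication failed.
SAMPLE_LOG = """\
2023-06-01 08:00:01 POST /owa/auth.owa alice 203.0.113.5 401
2023-06-01 08:00:03 POST /owa/auth.owa alice 203.0.113.5 401
2023-06-01 08:00:05 POST /owa/auth.owa alice 203.0.113.5 401
2023-06-01 08:00:07 POST /owa/auth.owa bob 203.0.113.5 401
2023-06-01 08:00:09 POST /owa/auth.owa carol 203.0.113.5 401
2023-06-01 08:00:11 POST /owa/auth.owa dave 203.0.113.5 200
2023-06-01 08:05:00 POST /owa/auth.owa erin 198.51.100.7 401
2023-06-01 08:05:02 POST /owa/auth.owa erin 198.51.100.7 200
"""


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, method, uri, user, ip, status = parts
    return {"ts": f"{date} {time}", "method": method, "uri": uri,
            "user": user, "ip": ip, "status": int(status)}


def failed_owa_logons(log_text):
    """Return only the events that are failed (HTTP 401) OWA authentication attempts."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["uri"].lower().startswith("/owa/auth") and rec["status"] == 401:
            events.append(rec)
    return events


def flag_sources(events, per_account_threshold=3, distinct_accounts_threshold=3):
    """Two patterns worth an analyst's attention:
    - one source repeatedly failing on one account (drives the lockouts
      the report mentions), and
    - one source failing across many distinct accounts (credential testing
      across the user base).
    Thresholds are illustrative, not tuned values."""
    failures_by_ip_user = defaultdict(int)
    users_by_ip = defaultdict(set)
    for e in events:
        failures_by_ip_user[(e["ip"], e["user"])] += 1
        users_by_ip[e["ip"]].add(e["user"])

    findings = []
    for (ip, user), n in sorted(failures_by_ip_user.items()):
        if n >= per_account_threshold:
            findings.append({"ip": ip, "user": user,
                             "reason": "lockout-risk", "count": n})
    for ip, users in sorted(users_by_ip.items()):
        if len(users) >= distinct_accounts_threshold:
            findings.append({"ip": ip, "user": None,
                             "reason": "many-accounts", "count": len(users)})
    return findings


if __name__ == "__main__":
    for f in flag_sources(failed_owa_logons(SAMPLE_LOG)):
        print(f)
```

Against the constructed sample, the script flags 203.0.113.5 twice (three failures against alice, and failures spread over three different accounts) and stays silent on 198.51.100.7, whose single failure followed by a success looks like an ordinary mistyped password.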

Mandiant believes that after the ESG devices were updated, the attacker likely attempted to maintain access to compromised user mailboxes to gather information for spying purposes.

In addition to attempts to move laterally to Active Directory and OWA, Mandiant also saw UNC4841 attempt to move laterally to VPNs, proxies, and other edge devices on victims' networks via SSH.

In some cases, the attacker created accounts on ESG devices as another form of remote access. The actor would then start an SSH daemon process listening on a specific high port and allowing login from the newly created user account, thus maintaining backdoor access to compromised devices.
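Both halves of that persistence pattern, a newly created login-capable account and an extra sshd bound to an unexpected high port, can be checked from two snapshots an administrator can take on any Linux-based system. The script below is an added example for this page, not code from the article, Mandiant or Barracuda; it assumes an account list in /etc/passwd format and a socket listing in the column layout of `ss -ltnp`, both constructed here (the appliance's own tooling may differ).

```python
"""Audit for the persistence pattern described above: a new local account
plus an sshd listening on an unusual port.

Added example for this page, not from the article, Mandiant or Barracuda.
Assumptions: account snapshots are in /etc/passwd format; the socket
listing follows the column layout of `ss -ltnp`.
"""
import re

# Constructed baseline and current account snapshots (not real data).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
"""
CURRENT_PASSWD = BASELINE_PASSWD + "svcmon:x:1001:1001::/home/svcmon:/bin/bash\n"

# Constructed `ss -ltnp`-style output (not real data): sshd on 22 is
# expected; a second sshd on a high port is the suspicious one.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      128    0.0.0.0:25         0.0.0.0:*         users:(("smtpd",pid=900,fd=5))
LISTEN 0      128    0.0.0.0:44931      0.0.0.0:*         users:(("sshd",pid=4102,fd=4))
"""


def login_capable_accounts(passwd_text):
    """Map account name -> shell for accounts that can actually log in."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed or comment line; skip
        name, shell = fields[0], fields[6]
        if not shell.endswith(("nologin", "false")):
            accounts[name] = shell
    return accounts


def new_accounts(baseline_text, current_text):
    """Login-capable accounts present now but absent from the baseline."""
    base = login_capable_accounts(baseline_text)
    cur = login_capable_accounts(current_text)
    return sorted(set(cur) - set(base))


def unexpected_sshd_listeners(ss_text, expected_ports=(22,)):
    """(port, pid) for every sshd listener not on an expected port."""
    found = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 6 or '"sshd"' not in parts[5]:
            continue
        # rsplit handles both 0.0.0.0:22 and [::]:22 forms.
        port = int(parts[3].rsplit(":", 1)[1])
        pid_match = re.search(r"pid=(\d+)", parts[5])
        pid = int(pid_match.group(1)) if pid_match else None
        if port not in expected_ports:
            found.append((port, pid))
    return found


def audit(baseline_text, current_text, ss_text):
    """Combine both checks into one findings dict for a report or alert."""
    return {
        "new_login_accounts": new_accounts(baseline_text, current_text),
        "unexpected_sshd": unexpected_sshd_listeners(ss_text),
    }


if __name__ == "__main__":
    print(audit(BASELINE_PASSWD, CURRENT_PASSWD, SS_OUTPUT))
```

The baseline snapshot is what makes this useful: without a known-good account list taken before the incident window, a new account is indistinguishable from an old one, which is one reason to keep such snapshots for edge devices that rarely change.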

Mandiant anticipates that UNC4841 will continue to target edge devices.

The original article is available at IT World Canada, a sister publication of computer science direction.

French adaptation and translation by Renaud Larue-Langlois.

Jillian Snider
