According to Mandiant, Chinese state-sponsored hackers exploited a vulnerability in Barracuda Email Security Gateway (ESG) appliances. The campaign hit victims in at least 16 countries, and a large share of them were government agencies.
Barracuda Networks engaged Mandiant to investigate CVE-2023-2868, a vulnerability in its ESG appliances that was first identified on May 19, 2023.
The vulnerability allows remote command injection. By the time it was discovered it had already been exploited for months: the attackers had been using it since October 2022 to steal sensitive information, so it was being used as a zero-day.
Espionage by China
According to Mandiant's research, the stolen information appears to have been funneled to the Chinese government. Roughly a third of the identified victims are government agencies, so a significant amount of government data ended up in Chinese hands.
The exact identity of the group is unknown; Mandiant tracks it under the provisional designation UNC4841. The attribution to China rests on overlaps in infrastructure and malware code with other known China-backed groups, and on the observation that the attackers specifically went after email accounts in countries of political importance to China.
The first malicious email exploiting the vulnerability was dated Oct. 10, 2022. UNC4841's activity first came onto the Barracuda team's radar on May 19, 2023, and two days later the company released a patch to close the vulnerability. The group responded by modifying its malware, and the patch, while it blocked the initial entry point, did not remove the attackers from devices that had already been compromised. Barracuda has since asked customers with affected devices to replace them entirely rather than rely on the patch alone.