October 3, 2023

Researchers attributed the recently discovered hacking campaign targeting Barracuda ESG customers to China-linked hackers.

On May 19, Barracuda discovered a hacking campaign targeting customers of its email security gateway appliances. Companies and government agencies use such appliances to scan employees’ messages for malware. Barracuda determined that hackers had been targeting customers as early as last October.

The hackers carried out the cyberattacks using a zero-day, or previously unknown, vulnerability in the company’s appliances. Barracuda issued a patch to fix the vulnerability a few days after it discovered the malware campaign. A few weeks later, it instructed customers to remove affected appliances from their networks even if they had installed the patch.

The malware campaign was carried out by a threat actor referred to as UNC4841. After analyzing UNC4841’s tactics, researchers found “points of overlap with infrastructure” used by other China-linked hacking groups.

UNC4841 targeted Barracuda customers using emails containing a malicious attachment. The attachment infected vulnerable appliances with three malicious programs disguised as legitimate Barracuda software.

After breaching victims’ networks, the hackers took steps to aggressively target specific data of interest for exfiltration. UNC4841 also conducted lateral movement.

It is recommended that Barracuda customers review network and email logs for signs of malicious activity. Moreover, affected organizations are advised to change any login credentials that may have been stored on their vulnerable Barracuda appliances.

This research was documented by researchers from Mandiant.

Indicators of Compromise
