Mandiant researchers have warned that suspected Chinese state-sponsored attackers have targeted, and are continuing to target, a zero-day vulnerability in Barracuda devices.
The vulnerability in Barracuda's Email Security Gateway (ESG), tracked as CVE-2023-2868, was patched in May. After the patch was released, Mandiant and Barracuda did not identify evidence that any malicious actors were still actively exploiting the vulnerability, although a small number of ESG appliances had been compromised before the patch became available.
Later, strong evidence emerged that the vulnerability was still being exploited, and Barracuda advised customers to replace affected ESG appliances irrespective of their patch status in order to address the attacks.
Mandiant first linked the attacks to suspected Chinese state-sponsored attackers in June, saying at the time that the attackers had altered their malware soon after Barracuda released the patch in May. The attackers were also said to have deployed additional "persistence mechanisms" designed to maintain their access to victims' networks.
Mandiant's latest report details how the suspected Chinese hackers primarily targeted and breached government and government-linked organizations worldwide, including in North America. Almost a third of the compromised appliances were found to belong to government agencies, with the peak of attacks occurring between October and December of last year.
The report notes that numerous state, provincial, county, tribal, city, and town offices around North America were targeted in this campaign. While local government targeting overall comprises just under 7% of all identified affected organizations, that figure rises to nearly 17% when only U.S.-based targeting is considered.
The primary purpose of the hacking group, tracked by Mandiant as UNC4841, was, unsurprisingly, espionage. Other targets included companies and organizations in the military, defense, aerospace, high-tech, and telecommunications sectors.
The most worrying aspect is that even devices that had been patched remained compromised: the patch closed the initial entry point but did not evict attackers who had already established a foothold. The ability to drop malware, especially Remote Access Trojans that allow the attackers to maintain persistence after the initial entry point is fixed, should be a particular concern for organizations affected by this campaign or using these appliances.