FBI Urges Immediate Removal of Hacked Barracuda ESG Devices
Bureau Warns of 'Active Intrusions' as Chinese Hackers Defeat Countermeasures
The FBI urged the immediate removal of previously hacked email security appliances made by Barracuda Networks in a Wednesday flash alert, injecting fresh urgency into the push to stymie what's been called the broadest Chinese cyber spying campaign in years.
"The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit," the bureau's cyber division states. The vulnerability is tracked as CVE-2023-2868.
"Barracuda customers should remove all ESG appliances immediately," the warning also says.
Barracuda in early June urged owners of hacked Email Security Gateway appliances to immediately replace their equipment regardless of whether they had applied patches to fix the vulnerability. The advisory came after the company had observed continued malicious activity on previously compromised appliances, even after they had been updated with security fixes.
A Barracuda spokesperson Wednesday evening told Information Security Media Group the company believes the FBI warning is consistent with its earlier guidance that only owners of previously hacked devices should replace their appliances. ISMG contacted the FBI requesting clarification. The FBI responded Thursday afternoon that its guidance is that "customers should discontinue use of the compromised ESG appliance."*
Suspected Chinese hackers in a state-run cyberespionage operation have exploited the vulnerability in the popular email security appliance to compromise hundreds of organizations. Security researchers from Mandiant determined in June that attackers had begun to exploit the zero-day last October, and possibly earlier. "This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021," Charles Carmakal, Mandiant's chief technical officer, said in a June statement (see: Chinese Hackers Exploit Barracuda ESG Zero-Day).
Barracuda issued its first ESG security patch on May 20, after observing hack attacks on May 19. The vulnerability allowed hackers to send a malicious TAR archive file resulting in a command injection into the appliance. The security appliance scanning the attachment triggered the attack.
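The article only says that a malicious TAR attachment led to command injection when the appliance scanned it. As an added example that is not part of the article and not Barracuda's or Mandiant's code, the check below shows the kind of pre-scan triage a gateway operator can run on an archive: it lists every member name that carries shell metacharacters and classifies the archive as clean, suspicious or unreadable. It assumes, following the public description of CVE-2023-2868 rather than anything stated in the article, that the injected command travels in the archive member file names that the scanner handed to a shell; the metacharacter set and the sample archives are constructed for illustration.

```python
import io
import re
import tarfile
from typing import List

# Characters that must never reach a shell unquoted: command separators,
# command substitution, grouping, redirection and quoting. Set constructed
# for this example; tune it to the scanner actually in use.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n]")


def suspicious_members(archive_bytes: bytes) -> List[str]:
    """Return the member names in a tar archive that contain shell metacharacters.

    An empty list means every member name is clean. Raises tarfile.TarError
    (or EOFError) when the bytes are not a readable tar archive."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if SHELL_META.search(member.name):
                flagged.append(member.name)
    return flagged


def classify_archive(archive_bytes: bytes) -> str:
    """Triage verdict for one attachment: 'clean', 'suspicious' or 'unreadable'.

    An unreadable archive is treated as its own verdict rather than 'clean'
    so that a malformed file is quarantined instead of silently passed on."""
    try:
        flagged = suspicious_members(archive_bytes)
    except (tarfile.TarError, EOFError):
        return "unreadable"
    return "suspicious" if flagged else "clean"


def build_tar(names: List[str]) -> bytes:
    """Constructed sample: build an in-memory tar whose members carry the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: one benign archive, one whose member names contain
    # a separator and a substitution character, and one that is not a tar at all.
    benign = build_tar(["report.pdf", "q1/notes.txt"])
    odd_names = build_tar(["report.pdf", "weekly;report.pdf", "notes`2023`.txt"])
    for label, blob in [("benign", benign), ("odd names", odd_names), ("garbage", b"not a tar")]:
        print(label, "->", classify_archive(blob))
```

The check is a triage signal, not a fix: the durable mitigation is for the scanner never to build a shell command string from untrusted names at all (pass arguments as a list to the child process, or quote them with `shlex.quote`), which is independent of how well this metacharacter set happens to match an attacker's input.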
Mandiant, brought in by Barracuda to investigate, linked the hack to Beijing with "high confidence" and attributed the campaign to a previously unknown Chinese threat actor newly dubbed UNC4841. The threat actor "has been deploying new and novel malware to a small subset of high-priority targets following the remediation of CVE-2023-2868," said Kevin Mandia, CEO of Mandiant, in a statement emailed Wednesday.
Hackers responded to Barracuda's patch by modifying its primary backdoor to evade detection. Dubbed Submarine, the updated backdoor "lives in a structured query language (SQL) database on the ESG appliance," the Cybersecurity and Infrastructure Security Agency said Friday in an advisory.
"This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide," Mandia said.
*Update August 24, 2023 21:11 UTC: Adds clarification from the FBI that the bureau's guidance is to remove previously hacked Barracuda ESG appliances, not all Barracuda ESG appliances.