Chinese Hackers Anticipated Barracuda ESG Patch
Threat Actor Deployed an Additional Backdoor to Select Targets
Chinese espionage hackers behind an eight-month campaign to hack Barracuda email security appliances intensified their focus on high-priority targets around the time the company moved to fix the zero-day flaw behind the campaign.
Within roughly a week of Barracuda's late-May public disclosure of the zero-day flaw that gave Chinese hackers access to its ESG line of products, the threat actor behind the hacking spree deployed an additional backdoor to a select sliver of targets, mainly U.S. and foreign government agencies and high-tech companies, said researchers from Mandiant.
The company, brought in by Barracuda to investigate, has linked the hack to Beijing with "high confidence" and attributed the campaign to a previously unknown Chinese threat actor dubbed UNC4841 (see: Chinese Hackers Exploit Barracuda ESG Zero-Day).
In a Tuesday update, the company said 2.64% of already compromised appliances had received the backdoor, which hackers designed to "enable infection of re-issued or clean appliances when the victim restored backup configurations from a previously compromised device." Mandiant calls the novel backdoor DepthCharge; the U.S. Cybersecurity and Infrastructure Security Agency tracks it as Submarine.
Deployment of the backdoor suggests China "anticipated and was prepared for remediation efforts." It also implies that UNC4841 is well-funded and that its campaign was a deliberate, rather than opportunistic, attempt to worm into sensitive networks. Barracuda and Mandiant said the hackers had compromised only 5% of all ESG customers.
Barracuda in early June acknowledged that its deployed patch can't guarantee the removal of the sophisticated backdoor and urged owners of ESG appliances showing indicators of compromise to immediately replace the equipment. The FBI made the same entreaty in a Wednesday flash alert (see: FBI Urges Immediate Removal of Hacked Barracuda ESG Devices).
Mandiant said it also observed the Chinese hackers in late May attempting to laterally move from hacked appliances by harvesting credentials from a temporary ESG storage location. In more than one case, hackers were able to spot cleartext credentials stored within the contents of messages and use them to log in to Outlook webmail. The hackers apparently did not send email from compromised accounts, likely because they were "attempting to maintain access to compromised users' mailboxes to gather information for espionage purposes post-Barracuda remediation."
UNC4841 has some overlaps in infrastructure with a Chinese threat actor Mandiant tracks as UNC2286, which itself overlaps with a threat actor dubbed GhostEmperor by Kaspersky and FamousSparrow by Eset. The connection is probably "an artifact of a shared infrastructure anonymization service or an infrastructure provider that is common between them."