Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Craig Hale

Barracuda email cyberattack may have been used by hackers to spy on US government

Hacker

Cybersecurity firm and Google Cloud subsidiary, Mandiant, has announced suspicions that Chinese-backed spies could have been behind the exploitation of a zero-day vulnerability in the Barracuda Email Security Gateway (ESG).

Researchers have tracked attacks to a China-nexus actor who appears to have been conducting espionage “spanning a multitude of regions and sectors,” including the US government.

The announcement details how the attacker, codenamed UNC4841, sent emails containing malicious files to target organizations that would exploit CVE-2023-2868 in order to gain initial access to vulnerable Barracuda ESG appliances.

Chinese spies could be behind the Barracuda ESG attack

The CVE description details the vulnerability that affected versions 5.1.3.001-9.2.0.006:

“A remote attacker can specifically format [.tar] file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product.”

According to the security workers, public and private sectors were targeted, with more than half (55%) being in the Americas. The remaining came in almost equal parts from the EMEA and APAC regions, with attacks showing a clear focus “on issues that are high policy priorities for the [People’s Republic of China].”

The BNSF-36456 patch was automatically applied to all appliances, however attacks could have been going on undetected from October 2022 until May 2023 - a period spanning more than seven months.

Mandiant, who was responsible for raising the concern, said in a statement that it “commends Barracuda for their decisive actions, transparency, and information sharing following the exploitation of CVE-2023-2868 by UNC4841.”

Nonetheless, the true identity of UNC4841 remains unconfirmed, with the group still at large and likely operating or developing other attacks and exploiting vulnerabilities elsewhere.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.