The FBI has urged users of affected Barracuda appliances to replace them immediately, after warning that they’re still being targeted by a Chinese APT group.
A Flash alert issued by the agency this week revealed that the zero-day vulnerability CVE-2023-2868 continues to be exploited by the group, dubbed UNC4841 by Mandiant, in cyber-espionage attacks.
“Barracuda customers should remove all ESG appliances immediately. The patches released by Barracuda in response to this CVE were ineffective,” the alert noted.
“The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit. In addition, customers should further investigate for any further compromise by conducting scans for outgoing connections using the list of indicators provided as the malicious cyber actors have demonstrated the ability to compromise email accounts and computer networks, as well as maintain persistence in victim networks for continued future operations and data exfiltration.”
On June 6, Barracuda Networks took the unusual step of urging customers to isolate and replace their Email Security Gateway (ESG) appliances, whatever their patch status, after it became clear that its attempts to patch the zero-day bug weren’t working.
The China-linked APT group has responded to remediation attempts by switching malware variants and deploying new persistence mechanisms to keep its access to compromised appliances.
“Based on the FBI’s investigation to date, the cyber actors exploited this vulnerability in a significant number of ESG appliances and injected multiple malicious payloads that enabled persistent access, email scanning, credential harvesting, and data exfiltration,” the FBI explained.
“In many cases, the cyber actors obfuscated their actions with counter-forensic techniques, making detection of compromise difficult through only scanning the appliance itself for indicators of compromise. As a result, it is imperative that networks scan various network logs for connections to any of the listed indicators.”
The FBI urged Barracuda ESG customers to:
- Review email logs to identify the initial point of exposure
- Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise
- Revoke and reissue all certificates that were on the ESG at the time of compromise
- Monitor the entire network for the use of credentials that were on the ESG at the time of compromise
- Review network logs for signs of data exfiltration and lateral movement
- Capture a forensic image of the appliance and conduct a forensic analysis
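The FBI's advice above boils down to one check that cannot be done on the appliance alone: scan egress logs for connections to the listed indicators and look for outbound volumes that suggest exfiltration. The script below is an added example, not code from the FBI or Barracuda. It assumes a firewall log in a simple timestamp plus key=value format, an assumed ESG address of 10.0.5.20, and constructed placeholder indicators (RFC 5737 documentation addresses and example.* domains) that stand in for the real indicator list, which this page does not reproduce. It flags any host (not only the ESG) talking to an indicator, since the alert warns that the actors move beyond the appliance, and it keeps denied attempts because a blocked beacon is still evidence of compromise.

```python
"""Scan constructed egress-firewall logs for Barracuda ESG indicator hits
and for unusually large outbound transfers from the appliance."""
import ipaddress
from collections import defaultdict

# Constructed placeholder indicators (RFC 5737 addresses, example.* names).
# These are NOT the indicators from the FBI Flash; substitute the real list.
IOC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]
IOC_DOMAINS = ["c2.example.net", "update.example.org"]

# Assumed management address of the ESG appliance under investigation.
ESG_ADDRESSES = {"10.0.5.20"}

# Constructed log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2023-06-08T02:14:07Z action=allow src=10.0.5.20 dst=203.0.113.44 dport=443 host=- bytes_out=1843
2023-06-08T02:14:09Z action=allow src=10.0.5.20 dst=192.0.2.10 dport=443 host=files.c2.example.net bytes_out=2048
2023-06-08T02:20:00Z action=allow src=10.0.5.20 dst=192.0.2.77 dport=443 host=- bytes_out=60000000
2023-06-08T02:21:00Z action=allow src=10.0.8.15 dst=203.0.113.44 dport=443 host=- bytes_out=500
2023-06-08T02:22:00Z action=deny src=10.0.5.20 dst=198.51.100.7 dport=22 host=- bytes_out=0
2023-06-08T02:23:00Z action=allow src=10.0.5.20 dst=192.0.2.200 dport=25 host=mx.partner.example.com bytes_out=9000
"""


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            return None
        rec[key] = value
    try:
        rec["bytes_out"] = int(rec.get("bytes_out", "0"))
    except ValueError:
        rec["bytes_out"] = 0
    return rec


def ioc_match(dst_ip, host):
    """Return a reason string if the destination IP or host name matches an indicator."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        addr = None
    if addr is not None:
        for net in IOC_NETWORKS:
            if addr in net:
                return f"dst {dst_ip} in indicator {net}"
    if host and host != "-":
        name = host.lower().rstrip(".")
        for dom in IOC_DOMAINS:
            # Exact match or any subdomain of the indicator domain.
            if name == dom or name.endswith("." + dom):
                return f"host {host} matches indicator domain {dom}"
    return None


def scan(log_text, esg_addresses=ESG_ADDRESSES, exfil_threshold=50_000_000):
    """Return indicator hits for every source, and ESG destinations over the byte threshold."""
    hits = []
    outbound = defaultdict(int)  # (src, dst) -> bytes allowed out
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = ioc_match(rec.get("dst", ""), rec.get("host"))
        if reason:
            hits.append({
                "ts": rec["ts"], "src": rec.get("src"), "dst": rec.get("dst"),
                "action": rec.get("action"), "reason": reason,
                "from_esg": rec.get("src") in esg_addresses,
            })
        if rec.get("src") in esg_addresses and rec.get("action") == "allow":
            outbound[(rec["src"], rec.get("dst"))] += rec["bytes_out"]
    exfil = sorted(
        (src, dst, total) for (src, dst), total in outbound.items()
        if total >= exfil_threshold
    )
    return {"ioc_hits": hits, "exfil_candidates": exfil}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for hit in result["ioc_hits"]:
        tag = "ESG" if hit["from_esg"] else "other host"
        print(f"{hit['ts']} [{tag}] {hit['src']} -> {hit['dst']} ({hit['action']}): {hit['reason']}")
    for src, dst, total in result["exfil_candidates"]:
        print(f"possible exfiltration: {src} -> {dst} sent {total} bytes")
```

On the constructed sample this reports four indicator hits (three from the appliance, one from another internal host) and one large transfer from the ESG to a destination that is not on the indicator list, which is the point: the volume check catches what the indicator list alone would miss. Feed it real firewall, proxy or NetFlow exports after adapting parse_line to that format, and treat a hit from any non-ESG host as the lateral-movement signal the FBI alert describes.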