How a Chinese gang infiltrated Barracuda mail gateways and hacked into dozens of organizations.
Mandiant confidently confirmed that Chinese hackers from the UNC4841 group actively exploited the CVE-2023-2868 zero-day vulnerability in Barracuda's Email Security Gateway (ESG) products. The attacks continued for a long time and were directed mainly against government organizations in the United States, Canada and a number of other countries.
The CVE-2023-2868 vulnerability allows remote code execution on the victim's device. Its existence became known only in May of this year, while the real attacks exploiting it date back to the previous year.
Barracuda released a patch on May 20th, but it was later found to be completely ineffective. For this, the company was recently even criticized by representatives of the FBI.
Ultimately, Barracuda came to the conclusion that no software patches would help to reliably protect client networks, and customers needed to physically replace vulnerable devices.
Mandiant experts conducted an in-depth investigation into the activities of UNC4841 and identified two waves of attacks. The first began back in November 2022, and the second in May-June 2023, after the release of the ineffective patch. In the second wave, the attackers used the new Skipjack, Depthcharge, and Foxtrot malware to maintain their foothold on the most valuable targets.
According to experts, the UNC4841 group acts in the interests of the Chinese special services and is highly professional. More than 15% of the victims are national government organizations, and 10% are local authorities.
Companies in the field of high technologies, telecommunications, and education were also attacked. Overall, this is consistent with China's intelligence interests.
Mandiant experts were unable to link UNC4841 to any known Chinese hacker group, although they did find some infrastructure overlap with another group, UNC2286. This may simply indicate interaction between various Chinese factions.
Thus, the prolonged cyber incident demonstrated the high level of training and perseverance of Chinese hackers. Despite countermeasures, they managed to maintain access to valuable systems and continue their espionage activities.
Mandiant experts believe that the UNC4841 hackers will continue their malicious operation in the future, but using updated tools and techniques. Affected organizations should conduct thorough security investigations of their networks and prepare well for the next possible wave of attacks.