UNC4841 — real special agents or just high-end hackers?

Carding

How a Chinese group infiltrated Barracuda email gateways and hacked dozens of organizations.

Mandiant confidently confirmed that Chinese hackers from the UNC4841 group actively exploited the zero-day vulnerability CVE-2023-2868 in Barracuda's Email Security Gateway (ESG) products. The attacks continued for a long time and were mainly directed against government organizations in the United States, Canada and a number of other countries.

Vulnerability CVE-2023-2868 allows remote code execution on the victim's device. The existence of the flaw became known only in May of this year, although real attacks using this vulnerability date back to last year.

Barracuda released a patch on May 20, but it later turned out to be completely ineffective. In this regard, the company has recently even been criticized by representatives of the FBI.

In the end, Barracuda came to the conclusion that no software patches will help to reliably protect client networks, and customers need to physically replace vulnerable devices.

Mandiant experts conducted an in-depth investigation of the UNC4841 hackers' activities and identified two waves of attacks. The first one started in November 2022, and the second in May-June 2023, after the release of the ineffective patch. In the second wave, attackers used the new malware programs Skipjack, Depthcharge, and Foxtrot to preserve access to the most valuable targets.

According to experts, the UNC4841 group acts in the interests of the Chinese special services and is highly professional. More than 15% of victims are national government organizations, and 10% are local authorities.

Companies in the field of high technologies, telecommunications, and education were also attacked. Overall, this is consistent with China's intelligence interests.

Mandiant experts were unable to link UNC4841 to any known Chinese hacker group, although they found some intersections in the infrastructure with another group — UNC2286. But this may simply indicate an interaction between various Chinese groups.

Thus, the prolonged cyber incident demonstrated the high level of training and perseverance of Chinese hackers. Despite attempts at counteraction, they managed to retain access to valuable systems and continue their espionage activities.

Mandiant experts believe that UNC4841 hackers will continue their malicious operation in the future, but already using updated tools and methods. Affected organizations should conduct thorough security investigations of their networks and prepare well for the next possible wave of attacks.