Chinese State-Sponsored Hackers Exploit Vulnerability in Barracuda ESG Devices
Barracuda Networks engaged Mandiant to investigate CVE-2023-2868, a vulnerability in its Email Security Gateway (ESG) appliances that was identified on May 19, 2023. The flaw is a remote command injection in the way the appliance screens attached .tar archives: a crafted file name inside the archive is passed unsanitized to a system command, so an attacker only needs to send an email with a malicious attachment. The actor behind the campaign had been exploiting it since October 2022 to steal sensitive data.
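Because the injection vector is the name of a member inside a .tar attachment, the detection a practitioner wants is a pre-screen of archive member names for shell metacharacters, and the fix direction is an allowlist on those names rather than a denylist. The following is an added illustration, not Barracuda's code or Mandiant's tooling; the sample archive, the function names and the character sets are assumptions constructed for the example.

```python
import io
import re
import tarfile

# Shell metacharacters that let a file name be interpolated into a command
# when it reaches a shell (backtick and $ give command substitution; the rest
# chain or redirect commands). Parentheses are deliberately not listed because
# "report (1).pdf" is a common, harmless attachment name.
_UNSAFE = re.compile(r"[`$;|&<>\n\r]")

# Conservative allowlist for member names: a hardened consumer would reject
# anything outside it before the name touches any other subsystem.
_ALLOWED = re.compile(r"^[A-Za-z0-9._ /()-]+$")


def find_suspicious_members(tar_bytes: bytes):
    """Return [(member_name, offending_chars)] for every member of a .tar
    archive whose name contains shell metacharacters. Only the archive
    headers are read; member contents are never extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            hits = sorted(set(_UNSAFE.findall(member.name)))
            if hits:
                findings.append((member.name, "".join(hits)))
    return findings


def is_safe_name(name: str) -> bool:
    """Allowlist check for a single member name: only benign characters,
    and no '..' path component. Even a name that passes must never be
    spliced into a shell string; pass it as an argv element instead."""
    if not _ALLOWED.fullmatch(name):
        return False
    return ".." not in name.split("/")


def build_sample_tar(names):
    """Construct an in-memory tar with zero-length members. This is test
    input made for the example, not a real captured attachment."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# Constructed sample: two ordinary names and two carrying command substitution.
SAMPLE = build_sample_tar([
    "quarterly_report.pdf",
    "notes/agenda.txt",
    "report.pdf`id`",    # constructed: backtick substitution in the name
    "x$(whoami).doc",    # constructed: $(...) substitution in the name
])

if __name__ == "__main__":
    for name, chars in find_suspicious_members(SAMPLE):
        print(f"suspicious member {name!r}: contains {chars!r}")
```

Run against a mail-gateway quarantine directory, `find_suspicious_members` turns this into a cheap hunting rule for inbound archives; `is_safe_name` shows the allowlist a hardened parser would apply, with the caveat that the real defence is never handing the name to a shell at all.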
Espionage by China
Research by Mandiant indicates that the stolen information is being passed to the Chinese government. Government institutions were heavily represented among the victims: almost a third of the affected organizations Mandiant identified were government agencies.
The researchers base the attribution on significant overlap in infrastructure and malware code with other China-backed groups. It is also striking that the attackers specifically searched compromised mailboxes for e-mail accounts belonging to people working for governments of political or strategic interest to China.
Barracuda’s Response
The earliest known email carrying a malicious attachment to exploit the vulnerability is dated October 10, 2022. UNC4841, the name Mandiant gave the group, first appeared on Barracuda's radar on May 19, 2023, and within two days the company had pushed patches to all ESG appliances. Closing the injection path did not evict the attackers, however: they already had backdoors on compromised appliances and responded by modifying their malware to survive remediation and evade detection. Barracuda has since asked customers whose appliances were compromised to replace the equipment entirely, regardless of patch level.