Insights, news, education and announcements from PolySwarm

UNC4841 Targeting Government Entities with Barracuda ESG 0day

Written by The Hivemind | Sep 4, 2023 5:24:05 PM

Related Families: SKIPJACK, DEPTHCHARGE, FOXTROT,  FOXGLOVE
Verticals Targeted: Government, Military, Defense, Aerospace, Technology, Telecommunications

Executive Summary

UNC4841 was observed using CVE-2023-2868 to target entities in multiple verticals, including government and military.

Key Takeaways

  • UNC4841 was observed using CVE-2023-2868 to target entities in multiple verticals, including government and military.
  • The threat actors used the Barracuda ESG 0day (CVE-2023-2868) in this espionage campaign.
  • Additional malware deployed on target systems included SKIPJACK, DEPTHCHARGE, and FOXTROT/FOXGLOVE.
  • A small number of previously impacted victims may continue to be at risk.

The Campaign

Mandiant recently reported on UNC4841 activity targeting government, military, defense, aerospace, technology, and telecommunications entities. While the campaign affected targets worldwide, the highest number of targets were located in North America. Over one-quarter of the targets were government entities.

The threat actors used the Barracuda ESG 0day (CVE-2023-2868) in this campaign, which began as early as October 2022 and continued until at least June of this year. Once the targets were compromised, UNC4841 used their access to deploy malware and conduct post-exploitation activities. The threat actors managed to maintain persistence on target networks even after the entities thought the threat had been remediated.

Additional malware deployed on target systems included SKIPJACK, DEPTHCHARGE, and FOXTROT/FOXGLOVE. SKIPJACK is a passive implant that registers a listener to monitor incoming email. It masquerades as a legitimate Barracuda ESG module. DEPTHCHARGE, also known as SUBMARINE, is a passive backdoor that retrieves encrypted commands to execute and allows threat actors to maintain persistence. FOXTROT is a C++ implant launched using FOXGLOVE, a C-based program. FOXTROT communicates via TCP and is capable of capturing keystrokes, running shell commands, transferring files, and setting up a reverse shell. It appears to share similarities with Reptile, an open-source rootkit.

Mandiant stated a small number of previously impacted victims may continue to be at risk.

What is CVE-2023-2868?

CVE-2023-2868 is a remote command injection vulnerability in the Barracuda Email Security Gateway. It exists due to a failure to sanitize processing of a .tar file, as there is incomplete input validation of the user-supplied .tar file as it relates to the names of files within the archive. This allows a threat actor to specifically format file names to facilitate remote execution of a system command with the privileges of the Email Security Gateway product. Barracuda disclosed the vulnerability on May 30, 2023.

Who is UNC4841?

UNC4841 is an espionage-focused China nexus threat actor group. Their activity appears to overlap with other Chinese threat actor groups, including UNC2286 and UNC3886. UNC4841 appears to be a sophisticated threat actor and has demonstrated the ability to adapt to defensive efforts to maintain a foothold in the victim’s environment.

IOCs

PolySwarm has multiple samples associated with this campaign.

 

caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc 

1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4

3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115

9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf

83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c

 

You can use the following CLI command to search for all UNC4841 samples in our portal:

$ polyswarm link list -t UNC4841

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog Subscribe to our reports