Barracuda ESG zero-day attacks linked to suspected Chinese hackers
Security News, June 2023

A suspected pro-China hacker group tracked by Mandiant as UNC4841 has been linked to data-theft attacks on Barracuda ESG appliances using a now-patched zero-day vulnerability.
"Due to the sophistication displayed by UNC4841 and lack of full visibility into all compromised appliances, Barracuda has elected to replace and not reimage the appliance from the recovery partition out of an abundance of caution," John Palmisano, Mandiant Incident Response Manager - Google Cloud, told BleepingComputer.
Once the threat actors gained remote access to the Barracuda ESG device, they infected it with malware families known as 'Saltwater,' 'Seaspy,' and 'Seaside' to steal email data from the devices.
UNC4841 targeted specific data for exfiltration and occasionally leveraged access to an ESG appliance to navigate the victim's network or send mail to other victim appliances.
Saltwater is a backdoored module for the Barracuda SMTP daemon; it can upload or download files, execute arbitrary commands, and act as a proxy for the threat actors.
The recommended action is to replace compromised Barracuda ESG appliances regardless of their patch level, rather than reimaging them, and to investigate the wider network using the published indicators of compromise, since the actor used compromised appliances to move laterally and to send mail to other appliances.
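The investigation step above amounts to sweeping logs and artifacts for the published indicators. The following script, added here as an example and not code from Barracuda, Mandiant or the article, shows one way to do that: it parses a type,value indicator list (exact IPv4 addresses, CIDR ranges, domains with subdomain matching, SHA-256 hashes), extracts candidates from each log line, and reports hits. The indicator values and log lines are constructed placeholders (RFC 5737 documentation addresses, .invalid domains, a made-up hash), not the real UNC4841 indicators; substitute the list from the vendor advisory.

```python
"""IOC sweep over mail-gateway logs.

Added example; not the vendor's or Mandiant's tooling. All indicator values
and log lines below are constructed placeholders, not real UNC4841 IOCs.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed indicator feed in the "type,value" shape common to published IOC lists.
IOC_FEED = """\
# type,value
ipv4,203.0.113.10
ipv4,198.51.100.0/24
domain,update.example.invalid
sha256,0000000000000000000000000000000000000000000000000000000000000001
"""

# Constructed log lines; the format only loosely imitates a mail gateway.
SAMPLE_LOGS = [
    "2023-05-20T03:14:07Z bsmtpd[1234]: connect from mail.example.org[192.0.2.7]",
    "2023-05-20T03:14:09Z bsmtpd[1234]: outbound connection to 203.0.113.10:443",
    "2023-05-20T03:15:11Z dns: query A cdn.update.example.invalid from 10.0.0.5",
    "2023-05-20T03:16:30Z file: /tmp/mod.so sha256="
    "0000000000000000000000000000000000000000000000000000000000000001",
    "2023-05-20T03:17:02Z bsmtpd[1234]: relay to 198.51.100.77 accepted",
    "2023-05-20T03:18:45Z bsmtpd[1234]: benign line with 192.0.2.200 only",
]


def parse_iocs(feed_text):
    """Parse 'type,value' lines into typed sets; CIDR values become networks."""
    iocs = {"ipv4": set(), "ipv4_net": [], "domain": set(), "sha256": set()}
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = (part.strip() for part in line.split(",", 1))
        kind = kind.lower()
        if kind == "ipv4":
            if "/" in value:
                iocs["ipv4_net"].append(ipaddress.ip_network(value, strict=False))
            else:
                iocs["ipv4"].add(ipaddress.ip_address(value))
        elif kind == "domain":
            iocs["domain"].add(value.lower().rstrip("."))
        elif kind == "sha256":
            iocs["sha256"].add(value.lower())
        else:
            raise ValueError(f"unknown indicator type: {kind}")
    return iocs


def match_line(line, iocs):
    """Return (type, indicator, observed) hits for one log line."""
    hits = []
    for text in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # loose regex also matches junk such as 999.1.1.1
        if addr in iocs["ipv4"]:
            hits.append(("ipv4", str(addr), text))
        for net in iocs["ipv4_net"]:
            if addr in net:
                hits.append(("ipv4", str(net), text))
    for text in DOMAIN_RE.findall(line):
        name = text.lower().rstrip(".")
        for indicator in sorted(iocs["domain"]):
            # A subdomain of an indicator domain counts as a hit.
            if name == indicator or name.endswith("." + indicator):
                hits.append(("domain", indicator, text))
    for text in SHA256_RE.findall(line):
        if text.lower() in iocs["sha256"]:
            hits.append(("sha256", text.lower(), text))
    return hits


def sweep(log_lines, iocs):
    """Scan log lines in order; return (line_no, type, indicator, observed) tuples."""
    results = []
    for line_no, line in enumerate(log_lines, start=1):
        for hit in match_line(line, iocs):
            results.append((line_no,) + hit)
    return results


if __name__ == "__main__":
    for line_no, kind, indicator, observed in sweep(SAMPLE_LOGS, parse_iocs(IOC_FEED)):
        print(f"line {line_no}: {kind} {observed} matches indicator {indicator}")
```

On the constructed input this reports four hits: the exact outbound IP, a subdomain of the listed domain, the listed hash, and an address inside the CIDR range. Hits on an appliance's own logs are only half the picture; the same sweep should be run against proxy, DNS and mail-flow logs elsewhere in the network, because the article notes the actor used compromised appliances to reach other systems.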