Barracuda thought it drove 0-day hackers out of customers’ networks. It was wrong.

August 30, 2023
A motherboard has been photoshopped to include a Chinese flag.

In late May, researchers drove out a team of China state hackers who over the previous seven months had exploited a critical vulnerability that gave them backdoors into the networks of a who’s who of sensitive organizations. Barracuda, the security vendor whose Email Security Gateway was being exploited, had begun deploying a patch on May 18 and, a few days later, pushed a script designed to eradicate the hackers, who in some cases had enjoyed backdoor access since the previous October.

But the attackers had other plans. Unbeknownst to Barracuda and to researchers at Mandiant, the security firm Barracuda brought in to remediate, the hackers commenced major countermoves in the days following Barracuda’s disclosure of the vulnerability on May 20. The hackers tweaked the malware infecting their valued targets to make it more resilient to the Barracuda script. A few days later, the hackers unleashed DepthCharge, a never-before-seen piece of malware they already had on hand, presumably because they had anticipated the takedown Barracuda was attempting.

Preparing for the unexpected

Knowing their most valued victims would install the Barracuda fixes within a matter of days, the hackers, tracked as UNC4841, swept in and mobilized DepthCharge to ensure that newly deployed appliances replacing old, infected ones would reinfect themselves. The well-orchestrated counterattacks speak to the financial resources of the hackers, not to mention their skill and the effectiveness of their TTPs, short for tactics, techniques, and procedures.

“This capability and its deployment suggests that UNC4841 anticipated and was prepared for remediation efforts with tooling and TTPs designed to enable them to persist on high value targets,” Mandiant researchers Austin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, and Michael Raggi wrote in a post Tuesday. “It also suggests that despite this operation’s global coverage, it was not opportunistic and that UNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their access to target networks.”

The researchers said that at the time they wrote their report, a “limited number of previously impacted victims remain at risk due to this campaign. UNC4841 has shown an interest in a subset of priority victims—it is on these victims’ appliances that additional malware, such as the backdoor DEPTHCHARGE, was deployed to maintain persistence in response to remediation efforts.”

Sometime in October, UNC4841 started exploiting an unusually powerful vulnerability tracked as CVE-2023-2868, which was present in all Barracuda Email Security Gateway appliances sold in recent years. A flaw in the way gateway appliances handled file names while processing TAR files gave hackers the all-powerful ability to remotely inject commands directly into the device. Better yet, the injection was easy to trigger. By attaching a specially crafted file to an email and sending it to addresses behind the perimeter of a vulnerable ESG device, UNC4841 gained a persistent backdoor on hundreds of high-value networks.

Injecting shellcode, courtesy of $f

More technically speaking, the bug resided in the way appliances invoked Perl’s qx{} operator, which runs a string as a shell command. A malicious attachment could inject shell commands that were passed directly to the appliance OS by way of the user-controlled variable $f, the member name read from the TAR archive. The following ESG code is at the vulnerability epicenter:

qx{$tarexec -O -xf $tempdir/parts/$part '$f'};
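The two paragraphs above describe the bug class (an archive member name interpolated into a shell command string) without showing how a defender would check for it or avoid it. The following is an added example, not code from the article or from Barracuda: it builds a small constructed TAR archive in memory, flags member names containing shell metacharacters (the kind of name that would break out of the single quotes around $f), shows the vulnerable string-building pattern side by side with a hardened extraction that never touches a shell, and assumes nothing about the real appliance beyond the one line of Perl quoted above.

```python
import io
import re
import tarfile

# Characters that Perl's qx{} (or any shell) treats as syntax rather than
# as part of a file name. A member name containing any of these must never
# be interpolated into a command string, quoted or not.
SHELL_META = re.compile(r"[`'\"$;&|<>(){}\n\\]")


def build_tar(members):
    """Build an in-memory TAR archive from {name: bytes}.

    Constructed sample data for the example; a mail gateway would receive
    the archive as an attachment instead.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def suspicious_member_names(tar_bytes):
    """Detection check: return member names that carry shell metacharacters.

    Run this over inbound archives (or over quarantined samples) to find
    names that would have altered a shell-interpolated extraction command.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if SHELL_META.search(m.name)]


def vulnerable_command(tarexec, archive_path, member_name):
    """Mirror of the ESG pattern: the member name is dropped into a
    single-quoted shell string. A quote inside the name ends the quoting,
    so the rest of the name is parsed as shell syntax.

    The string is only returned here, never executed.
    """
    return f"{tarexec} -O -xf {archive_path} '{member_name}'"


def safe_extract_member(tar_bytes, member_name):
    """Hardened form: read the member through the tarfile module.

    No shell is involved, so the member name is data and cannot inject
    commands regardless of which characters it contains.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        fobj = tar.extractfile(member_name)
        return fobj.read() if fobj is not None else None


if __name__ == "__main__":
    # Constructed archive: one ordinary member and one whose name holds a
    # single quote, enough to show where the quoting in the command breaks.
    sample = build_tar({"report.txt": b"hello", "a'b.txt": b"x"})
    print("flagged:", suspicious_member_names(sample))
    print("unsafe :", vulnerable_command("tar", "/tmp/parts/1", "a'b.txt"))
    print("safe   :", safe_extract_member(sample, "report.txt"))
```

The detection regex is deliberately broad: legitimate file names rarely contain quotes, backticks or dollar signs, so a match is a cheap signal worth logging even when the gateway in front of it has already been patched. The hardened path shows the structural fix: once the archive is handled by a library call instead of a shell string, the member name has no channel through which to become code.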

As the researchers noted earlier, the campaign was already narrowly focused on the most select of targets. According to Mandiant, only about 5 percent of security gateway appliances in existence had been infected. Assuming an estimate from security firm Rapid7 of roughly 11,000 devices (a number Rapid7 said might be inflated) that equates to somewhere from 400 to 500.

Besides DepthCharge, UNC4841 deployed two other pieces of malware in the second wave of their counterattack. One is tracked as SkipJack and the other as FoxTrot or FoxGlove. SkipJack was the most widely deployed of the three. It was a fairly typical backdoor that worked by injecting malicious code into legitimate Barracuda appliance modules. SkipJack was installed on 5.8 percent of infected gateway appliances. Assuming the total number of infected devices was 500 (5 percent of 10,000 devices), the number of those infected devices updated with SkipJack would have been 29. Victims in this group comprised organizations in various levels of government, the military, defense and aerospace, high technology, and telecommunications.