China-affiliated group targets government agencies via Barracuda vulnerability

Across North America, “a large number of state, local, county, tribal, city and town offices were targeted by this campaign,” Mandiant researchers said.

The attack, first revealed by Barracuda in late May, exploited a critical vulnerability in Barracuda’s Email Security Gateway (ESG) on-premises appliance. Further investigation by the company and Mandiant revealed that the vulnerability had been exploited as far back as October 2022.

Nearly a third of the organizations affected by the ESG attacks were government agencies, said Mandiant researchers hired by Barracuda to investigate the incident. Mandiant is owned by Google Cloud.

Mandiant said the attack was carried out by a group it tracks as UNC4841, which is believed to be supporting the Chinese government.

Victims “also included U.S. and foreign government agencies,” the researchers said in their post. However, they did not identify a specific US government agency affected.

“Government agencies around the world appear to be unfairly targeted,” they wrote.

Across North America, “there were numerous state, local, county, tribal, city and town offices targeted by this campaign,” Mandiant researchers said. “These organizations included city hall, law enforcement, various levels of judiciary, social services offices, and several incorporated towns.”

Local governments make up less than 7% of all affected organizations, but “compared to US-based targeting alone, this statistic increases to nearly 17%,” the researchers wrote. “In some cases, the targeted organizations had less than 10,000 people.”

Barracuda’s Email Security Gateway is a product used by on-premises customers to filter all email traffic, both inbound and outbound. This appliance is cloud-connected and is commonly used to protect Microsoft Exchange environments.

“Mandiant and Barracuda have not identified any newly compromised ESG appliances since the May 20, 2023 release of the security patch that fixed the zero-day ESG vulnerability (CVE-2023-2868),” Barracuda said in a statement.

“Mandiant believes that a limited number of previously affected victims may face risks associated with this even if they do not follow Barracuda’s guidance to replace their affected equipment.”

Barracuda added that it “continues to recommend affected customers to replace compromised appliances.”

“Only a limited number of ESG appliances have been compromised worldwide, and affected customers have been notified to replace their appliances,” the company said, adding that it was offering the replacement for free.

This article was first published on CRN.

https://www.computing.co.uk/news/4123652/china-linked-group-targeted-government-entities-baraccuda-flaw
