China’s UNC4841 Shifts Focus to Exploit New Barracuda ESG Zero-Day Vulnerability

UNC4841, a Chinese state threat actor, has returned to targeting high-profile Barracuda customers. Last year, the group exploited a remote code execution vulnerability in Barracuda Networks’ Email Security Gateway (ESG) appliances, and it has now exploited a newly disclosed zero-day vulnerability. Barracuda released an update to address the vulnerability, but UNC4841 had already used it to deliver new variants of its malware to a limited number of devices.

The vulnerability is an arbitrary code execution flaw in the open-source Amavis virus scanner, which runs on ESG appliances. It can be easily exploited through a specially crafted Excel attachment in an email, without any input required from the user. Mandiant, a cybersecurity company, confirmed that the campaign was part of UNC4841’s ongoing espionage operations, and Barracuda responded promptly by deploying updates to address the vulnerability.

Barracuda customers do not need to take further action, since the update was deployed automatically. However, UNC4841’s interest in Barracuda Networks’ products dates back over a year, and customers are advised to continue monitoring for any signs of UNC4841’s presence in their networks.

UNC4841 is considered to be a “well-resourced” operation targeting high-value organizations such as government bodies, high-tech companies, telcos, manufacturing, and educational institutions. It is likely that UNC4841 will continue to modify its tactics and seek out new vulnerabilities in edge appliances in the future.
