In an emailed statement to The Register, Barracuda confirmed Mandiant's assessment of the threat actor behind the attacks, and said as of June 10, about five percent of ESG appliances have shown evidence of an infection.

"Barracuda is committed to providing transparency around the incident, as well as the information on actions taken to protect customers. Barracuda believes that transparency is in the best interest of its customers, partners, and the greater security community," the statement read. "Collaboration and transparency are important as the industry works together to defend against increasingly sophisticated and aggressive threat actors."

Intrusions started with overly spammy emails

Mandiant, which described UNC4841 as an "aggressive and skilled" crew, said the intrusion started with emails sent to victim organizations.

However, the spies didn't want the victims to open the email. Instead they used generic subject and message content, poor grammar and placeholder values to make the email look like spam, get flagged by filters and sent straight to the junk folder, and then - hopefully - avoid a full investigation by security analysts.

"Mandiant has observed this tactic utilized by advanced groups exploiting zero-day vulnerabilities in the past," the analysts said.

The emails contained malicious file attachments designed to exploit CVE-2023-2868 and grant access to vulnerable appliances, and after breaking into the buggy boxes, the spies used three pieces of malware – dubbed Saltwater, Seaspy, and Seaside – to backdoor the appliances, maintain a persistent presence, upload files, and steal data.

"All three code families attempt to masquerade as legitimate Barracuda ESG modules or services, a trend that UNC4841 has continued with the newly identified malware families detailed for the first time in this blog post," Mandiant said.

Academics, govt officials 'aggressively targeted'

After compromising the products, UNC4841 also used its access to the ESG devices to send mail to other appliances, move laterally in the victims' networks for further reconnaissance, and "aggressively target" specific data for exfiltration.

Specifically, the spies stole messages belonging to high-profile academics in Taiwan and Hong Kong, and Asian and European government officials in Southeast Asia, we're told.

"In the set of entities selected for focused data exfiltration, shell scripts were uncovered that targeted email domains and users from ASEAN Ministry of Foreign Affairs (MFAs), as well as foreign trade offices and academic research organizations in Taiwan and Hong Kong," according to Mandiant.