UPDATED 20:45 EDT / AUGUST 29 2023

SECURITY

Mandiant warns hackers are still targeting Barracuda Email Security Gateway devices

Researchers at Google LLC-owned cybersecurity firm Mandiant today warned that alleged Chinese attackers have successfully exploited, and are continuing to target, a zero-day vulnerability in Barracuda Networks Inc. devices.

The vulnerability in Barracuda’s Email Security Gateway (ESG), tracked as CVE-2023-2868, was patched in May. After the patch was released, Mandiant and Barracuda did not identify evidence that any malicious actors were still actively exploiting the vulnerability, though a small number of ESG appliances had been compromised before the patch was released.

A month later, evidence emerged that the vulnerability was still being targeted, with Barracuda advising customers to replace vulnerable email security appliances regardless of their patch status in order to address the attacks. “If you have not replaced your appliance after receiving notice in your UI, contact support now,” the company wrote in an advisory. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”

Mandiant first linked the attacks to alleged Chinese state-sponsored attackers in June, saying at the time that the hackers had altered their malware soon after Barracuda had released the patch in May. The hackers were also said to have deployed additional “persistence mechanisms” designed to maintain their access to victims’ networks.

The new report today details how the alleged Chinese hackers primarily targeted and breached government and government-linked organizations worldwide, including in North America. Almost a third of appliances that were hacked were found to belong to government agencies, with the peak of attacks occurring between October and December of last year.

“Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city and town offices that were targeted in this campaign,” the Mandiant researchers stated. “While overall local government targeting comprises just under 7% of all identified affected organizations, this statistic increases to nearly 17% when compared to U.S.-based targeting alone.”

Researchers said the targeting of governments and agencies indicates that the primary purpose of the hacking group, called UNC4841 by Mandiant, was, unsurprisingly, espionage. Other targets of the hacking group included companies and organizations in the military, defense, aerospace, high-tech and telecommunications sectors.

“Espionage continues to be a significant focus for many threat actors, especially those that are nation-state sanctioned,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “In this case, a more disturbing part is that even devices that were patched remained vulnerable and were still being compromised.”

Kron added that the ability to drop malware, especially remote-access trojan viruses — which allow the bad actors to maintain persistence even after the initial entry point is fixed — should be “especially worrying for organizations impacted by this or using these appliances. Trying to find and remediate potential back doors scattered across systems can be a very challenging issue for organizations.”

Photo: Barracuda Networks
