Researchers at Mandiant disclosed further details Tuesday on the China-linked cyberattack campaign that exploited Barracuda’s Email Security Gateway, saying that government agencies were “disproportionately” targeted, with a particular focus on the U.S.
The attacks, initially disclosed by Barracuda in late May, leveraged a critical vulnerability in Barracuda’s Email Security Gateway (ESG) on-premises appliances. Further investigation from the company and Mandiant found that the vulnerability had been exploited as far back as October 2022.
Nearly one-third of the impacted organizations in the ESG attacks were government agencies, said researchers at Mandiant, which was hired by Barracuda to investigate the incident. Mandiant is owned by Google Cloud.
Mandiant has attributed the attacks to a group it tracks as UNC4841, which is believed to work in support of China’s government.
Victims “included U.S. and foreign government entities,” the researchers said in a post, although they did not identify specific U.S. agencies that were impacted.
“Government agencies worldwide appear to have been disproportionately targeted,” they wrote.
In North America overall, “there were numerous state, provincial, county, tribal, city and town offices that were targeted in this campaign,” Mandiant researchers said. “These organizations included municipal offices, law enforcement offices, judiciaries of varying levels, social service offices, and several incorporated towns.”
While local governments comprised less than 7 percent of impacted organizations overall, “this statistic increases to nearly 17 percent when compared to U.S.-based targeting alone,” the researchers wrote. “In some instances, targeted entities had populations below 10,000 individuals.”
Barracuda’s Email Security Gateway is a product used by on-premises customers for filtering of all email traffic, both inbound and outbound. The appliance, which is cloud-connected, is often used to protect Microsoft Exchange environments.
“Mandiant and Barracuda have not identified any newly compromised ESG appliances post release of a security patch on May 20, 2023, which remediated the zero day ESG vulnerability (CVE-2023-2868),” Barracuda said in a statement provided to CRN. “Mandiant assesses a limited number of previously impacted victims that have not followed Barracuda’s guidance to replace their impacted appliances may still face risk associated with this.”
Barracuda added that it “continues to recommend that impacted customers replace their compromised appliance.”
“Only a limited number of ESG appliances worldwide were compromised and impacted customers have been notified to replace the appliances,” the company said, noting that it’s providing the replacement devices for free to impacted customers.