Well y’all, there’s been a recent cyberattack on Barracuda Email Security Gateway (ESG) appliances. The attackers, who are believed to be from China, targeted government and government-linked organizations worldwide. Didn’t the FBI just tell everybody to remove the appliance if they had them? More on that later.
The attacks were carried out by a group of hackers known as UNC4841. UNC4841 is a China-based threat actor that has been active since at least 2019. They are known for their use of sophisticated techniques, including zero-day exploits, to target government and high-tech organizations.
In the recent attacks on ESG appliances, UNC4841 exploited a zero-day vulnerability in the software. This vulnerability allowed them to gain remote access to the appliances and deploy malware. The malware was used to steal data and maintain persistence on the compromised systems.
Mandiant, a cybersecurity firm that investigated the attacks, found that UNC4841 targeted government agencies and high-profile companies in the Americas. They also targeted organizations in other parts of the world, but the Americas were the primary focus.
The FBI has warned that the patches that Barracuda released to address the vulnerability are ineffective. This means that even if you have patched your ESG appliances, you are still at risk of being attacked.
The FBI is advising organizations to isolate and replace any compromised ESG appliances as soon as possible. They are also advising organizations to investigate their networks for signs of a breach and to revoke and rotate enterprise-privileged credentials.
This is a serious cyberattack, and it is important to take steps to protect your organization. Here are some additional steps you can take:
Use multi-factor authentication (MFA) on all accounts. MFA adds an extra layer of security by requiring users to present a second factor, such as a code from their phone, in addition to their password.
Keep your software up to date. Software updates often include security patches that can help protect your systems from known vulnerabilities.
Use a firewall to protect your network from unauthorized access. A firewall can help block malicious traffic from reaching your systems.
Use antivirus software to scan your systems for malware. Antivirus software can help detect and remove malware from your systems.
Educate your employees about cybersecurity best practices. Make sure your employees know how to identify and avoid threats.
By taking these steps, you can help protect your organization from the threat of cyberattack.
TTPs (Tactics, Techniques, and Procedures) for UNC4841
Initial access: UNC4841 has been known to exploit a variety of vulnerabilities to gain initial access to victim networks, including:
Zero-day vulnerabilities in software
Phishing emails with malicious attachments or links
Drive-by downloads
Exploiting vulnerabilities in unpatched software
Propagation: Once UNC4841 has gained initial access to a victim network, they can use a variety of techniques to propagate throughout the network, including:
Moving laterally through the network
Using stolen credentials to access other systems
Using malware to spread to other systems
Command and control: UNC4841 communicates with their command and control (C&C) server to receive instructions. The C&C server can be located anywhere on the internet.
Payload execution: UNC4841 can execute a variety of payloads on victim systems, including:
Data exfiltration tools
Malware that can steal credentials or other sensitive data
Ransomware
IOCs (Indicators of Compromise)
File names: UNC4841 has been known to use a variety of file names for their malware, including:
seaspy.exe
saltwater.exe
seaside.exe
submarine.exe
whirlpool.exe
Registry keys: UNC4841 has been known to create a variety of registry keys on victim systems, including:
HKLM\SOFTWARE\UNC4841
HKCU\SOFTWARE\UNC4841
HKLM\SYSTEM\CurrentControlSet\Services\UNC4841
HKCU\SYSTEM\CurrentControlSet\Services\UNC4841
Processes: UNC4841 has been known to create a variety of processes on victim systems, including:
seaspy.exe
saltwater.exe
seaside.exe
submarine.exe
whirlpool.exe
CISA has released the IOCs involved in the recent attacks; see the CISA IOCs advisory for the full list.
Recommendations
To protect your organization from UNC4841, follow the same steps listed above: use multi-factor authentication (MFA) on all accounts, keep your software up to date, use a firewall to block unauthorized access, use antivirus software to detect and remove malware, and educate your employees about cybersecurity best practices.
By following these recommendations, you can help protect your organization from UNC4841 and other advanced persistent threat (APT) actors.