The ACT government revealed it is responding to a security breach in the email gateway system provided by Barracuda, with the potential for personal information to be impacted.

Credit: Mark Higgins / Shutterstock

The Australian Capital Territory government is one of the victims of a vulnerability found in Barracuda's Email Security Gateway (ESG). In a press conference on 8 June, ACT government chief digital officer Bettina Konti said there is a likelihood that some personal information is involved, but the harms assessment needs to be completed for that to be clear.

Barracuda first identified the CVE-2023-2868 vulnerability on 19 May, issuing a patch worldwide on 20 May followed by a second patch on 21 May. A few days later, on 30 May, the vendor revealed that the earliest identified evidence of exploitation took place in October 2022. Two days before the ACT government revealed it was responding to a security breach, Barracuda posted a warning that impacted appliances must be replaced immediately. The vulnerability existed in a module that initially screens the attachments of incoming emails.

ACT government response to security breach

Once the territory government detected the vulnerability, the ACT Cyber Security Centre immediately completed a rebuild of the impacted Barracuda system to eliminate any ongoing vulnerability, the ACT government said in a statement. "The investigation has now identified that a breach has occurred and a harms assessment is underway to fully understand the impact specific to our systems, and importantly to the data that may have been accessed."

The territory government is confident that the actions taken to date have contained the breach and that there is no ongoing threat, and said citizens can continue to use ACT Government online systems with confidence. The ACT government is working with the Australian Cyber Security Centre and Barracuda Networks on the ongoing investigation.
Following the initial harms assessment, the ACT government said on 22 June that the investigation will now be undertaken in a phased way to allow a thorough analysis and the appropriate prioritisation of next steps. With phase one complete, phase two, currently underway, is assessing each individual system and the scope of information that may have been exposed. Phase two will draw on external support. Phase three will outline the recommended risk-based actions that the community could take following completion of phase two, which is expected to take several weeks.

Mandiant suspects China-nexus actors connected to ACT security breach

Following initial investigations by Mandiant, which was engaged by Barracuda to assist the investigation, a suspected China-nexus actor, currently tracked as UNC4841, was identified targeting a subset of Barracuda ESG appliances to use as a vector for espionage, spanning several regions and sectors, the company said on 15 June. From 10 October 2022, UNC4841 sent emails to victim organizations that contained malicious file attachments designed to exploit CVE-2023-2868 to gain initial access to vulnerable Barracuda ESG appliances, Mandiant said.

"Over the course of their campaign, UNC4841 has primarily relied upon three principal code families to establish and maintain a presence on an ESG appliance, following the successful exploitation of CVE-2023-2868. These code families--SALTWATER, SEASPY, and SEASIDE--were identified in the majority of UNC4841 intrusions."

The three code families attempt to masquerade as legitimate Barracuda ESG modules or services, a trend that UNC4841 has continued with the newly identified malware. Mandiant also found evidence of data staging and exfiltration of email-related data in a subset of impacted ESG appliances. Of the affected organizations, 55% were in the Americas, 24% in EMEA and 22% in APAC. Mandiant found that close to a third of these organizations were government agencies.
Mandiant recommends further investigation and hunting within impacted networks, as the identified threat actor has demonstrated a commitment to maintaining persistence for continued operations and has shown an ability to move laterally from the ESG appliance. Further recommendations include:

- Sweep the impacted environment for all IOCs provided by both Mandiant and Barracuda.
- Review email logs to identify the initial point of exposure.
- Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise.
- Revoke and reissue all certificates that were on the ESG at the time of compromise.
- Monitor the entire environment for the use of credentials that were on the ESG at the time of compromise.
- Monitor the entire environment for the use of certificates that were on the ESG at the time of compromise.
- Review network logs for signs of data exfiltration and lateral movement.
- Capture a forensic image of the appliance and conduct a forensic analysis. Physical appliance models can be imaged following standard procedures. Most models have two (2) hot-swappable drives in a RAID1 configuration. The provided YARA rules can be applied to appliance images to assist forensic investigators.

Also on 15 June, the ACT government published an update on the investigations which contained none of this information. The ACT government is still investigating the possible breach but says all services remain safe to use and that the rebuilt systems show no signs of any vulnerabilities. Weekly updates are expected to be shared on a page dedicated to the incident.

Editor's note: The story was updated on 26 June to include updates about the ACT government's phased approach to investigating the incident. The story had been updated on 19 June with an update from Barracuda and the possible China-nexus connection.
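As an added illustration of the first and last of Mandiant's recommendations above (sweeping the environment for IOCs and analysing a forensic image of the appliance), the following Python script is example code written for this article, not code from Barracuda, Mandiant or the ACT government. It walks a mounted appliance image (or any directory tree) and reports every file whose name or SHA-256 digest appears in an indicator list. The indicator values, file names and directory layout it uses are constructed placeholders; a real sweep would load the indicator lists published by Barracuda and Mandiant in place of them.

```python
"""Sweep a mounted appliance image for file-based indicators of compromise.

Added example for this article: hash- and filename-based matching of the kind
an incident-response team runs over a forensic image. Every indicator below is
a constructed placeholder, not an indicator published by Barracuda or Mandiant.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed placeholder indicators (assumed format: SHA-256 hex digests and
# bare file names). Replace with the vendor-provided IOC list for a real sweep.
SAMPLE_MALICIOUS_CONTENT = b"constructed sample payload, not real malware"
IOC_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_CONTENT).hexdigest()}
IOC_FILENAMES = {"placeholder_implant.so"}  # hypothetical name, not a real IOC


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files on an image never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, ioc_hashes=IOC_SHA256, ioc_names=IOC_FILENAMES) -> list[dict]:
    """Walk the tree under root and report files whose name or SHA-256 is in the IOC sets.

    Symlinks are skipped and not followed, so a crafted image cannot redirect the
    sweep outside the evidence tree. Unreadable files are reported rather than
    silently dropped, because a gap in coverage matters to the investigator.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue
            reasons = []
            if name in ioc_names:
                reasons.append("filename")
            try:
                digest = sha256_of(path)
            except OSError as exc:
                hits.append({"path": str(path), "reasons": [f"unreadable: {exc}"]})
                continue
            if digest in ioc_hashes:
                reasons.append("sha256")
            if reasons:
                hits.append({"path": str(path), "sha256": digest, "reasons": reasons})
    # Sort by path so reports are stable and easy to diff between sweeps.
    return sorted(hits, key=lambda hit: hit["path"])


def build_sample_tree() -> Path:
    """Create a constructed directory tree standing in for a mounted appliance image.

    It holds one file matching by hash (under a renamed, innocuous-looking name),
    one matching by file name only, and one benign file that must not be reported.
    """
    root = Path(tempfile.mkdtemp(prefix="esg_image_"))
    share = root / "usr" / "share"
    share.mkdir(parents=True)
    (share / "renamed_module.bin").write_bytes(SAMPLE_MALICIOUS_CONTENT)
    (share / "placeholder_implant.so").write_bytes(b"different content, name match only")
    (root / "etc").mkdir()
    (root / "etc" / "hostname").write_text("esg-appliance\n")
    return root


if __name__ == "__main__":
    image_root = build_sample_tree()
    for hit in sweep(image_root):
        print(hit["path"], "matched on", ", ".join(hit["reasons"]))
```

Matching on the file name alone is deliberately reported separately from a hash match: the article notes that the UNC4841 code families masquerade as legitimate ESG modules, so a name hit with a non-matching hash still deserves a manual look, while a hash hit under an unexpected name is the stronger signal.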