The Australian Capital Territory government is one of the victims of a vulnerability found in Barracuda's email security gateway (ESG). In a press conference on 8 June, ACT government chief digital officer Bettina Konti said there is a likelihood that some personal information is involved, but the harms assessment needs to be completed for that to be clear.

Barracuda first identified the vulnerability, CVE-2023-2868, on 19 May, issuing a patch worldwide on 20 May, followed by a second patch on 21 May. On 30 May, the vendor revealed that the earliest identified evidence of exploitation dated back to October 2022.

Two days before the ACT government revealed that it was responding to a security breach, Barracuda posted a warning that impacted appliances must be replaced immediately. The vulnerability existed in a module that performs the initial screening of attachments on incoming emails.

ACT government response to security breach

Once the territory government detected the vulnerability, the ACT Cyber Security Centre immediately completed a rebuild of the impacted Barracuda system to eliminate any ongoing vulnerability, the ACT government said in a statement. "The investigation has now identified that a breach has occurred and a harms assessment is underway to fully understand the impact specific to our systems, and importantly to the data that may have been accessed."

The territory government is confident that actions taken to date have contained the breach and that there is no ongoing threat, and said citizens can continue to use ACT Government online systems with confidence.

The ACT government is working with the Australian Cyber Security Centre and Barracuda Networks on the ongoing investigation.

Following the initial harms assessment, the ACT government said on 22 June that the investigation will now be undertaken in a phased way to allow a thorough analysis and the appropriate prioritisation of next steps. With phase one complete, phase two, currently underway, is assessing each individual system and the scope of information that may have been exposed. Phase two will draw on external support.

Phase three will outline the recommended risk-based actions that the community could take following completion of phase two, which is expected to take several weeks.

Mandiant suspects China-nexus actors connected to ACT security breach

Following initial investigations by Mandiant, which was engaged by Barracuda to assist with the investigation, a suspected China-nexus actor, currently tracked as UNC4841, was identified targeting a subset of Barracuda ESG appliances to use as a vector for espionage, spanning several regions and sectors, the company said on 15 June.

From 10 October 2022, UNC4841 sent emails to victim organizations containing malicious file attachments designed to exploit CVE-2023-2868 to gain initial access to vulnerable Barracuda ESG appliances, Mandiant said. "Over the course of their campaign, UNC4841 has primarily relied upon three principal code families to establish and maintain a presence on an ESG appliance, following the successful exploitation of CVE-2023-2868. These code families—SALTWATER, SEASPY, and SEASIDE—were identified in the majority of UNC4841 intrusions."

The three code families attempt to masquerade as legitimate Barracuda ESG modules or services, a trend that UNC4841 has continued with the newly identified malware.

Mandiant also found evidence of data staging and exfiltration of email-related data in a subset of impacted ESG appliances.

Of the affected organizations, 55% were in the Americas, 24% in EMEA and 22% in APAC. Mandiant found that close to a third of these organizations were government agencies.

Mandiant recommends further investigation and hunting within impacted networks, as the identified threat actor has demonstrated a commitment to maintaining persistence for continued operations and has shown an ability to move laterally from the ESG appliance.

Further recommendations include:

Also on 15 June, the ACT government published an update on the investigation which contained none of this information. The ACT government is still investigating the possible breach but says all services remain safe to use and that the rebuilt systems show no signs of any vulnerabilities.

Weekly updates are expected to be shared on a page dedicated to the incident.

Editor's note: The story was updated on 26 June to include updates about the ACT government's phased approach to investigating the incident. The story had been updated on 19 June with an update from Barracuda and the possible China-nexus connection.