CISA Analyzes Malware Used in Barracuda ESG Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has published analysis reports on three malware families used in an attack that exploited a recent remote command injection vulnerability (CVE-2023-2868) in Barracuda Email Security Gateway (ESG). The vulnerability was a zero-day and affected versions 5.1.3.001 to 9.2.0.006 of the appliance. A Chinese state-sponsored cyberespionage group, UNC4841, was observed exploiting the flaw to gain access to victim networks and execute a reverse shell, downloading custom backdoors for persistence.

The observed attacks targeted victims in at least 16 different countries, including government officials and high-profile academics. Barracuda released patches for the vulnerability in May 2023. CISA has published malware analysis reports with indicators of compromise (IoCs) and YARA rules for detection.

Read more: https://www.securityweek.com/cisa-analyzes-malware-used-in-barracuda-esg-attacks/