Mandiant Says China-backed Hackers Exploited Barracuda Zero-Day To Spy on Governments

Security researchers at Mandiant say China-backed hackers are likely behind the mass-exploitation of a recently discovered security flaw in Barracuda Networks' email security gear, which prompted a warning to customers to remove and replace affected devices. From a report: Mandiant, which was called in to run Barracuda's incident response, said the hackers exploited the flaw to compromise hundreds of organizations likely as part of an espionage campaign in support of the Chinese government. Almost a third of the targeted organizations are government agencies, Mandiant said in a report published Thursday.

Last month, Barracuda discovered the security flaw affecting its Email Security Gateway (ESG) appliances, which sit on a company's network and filter email traffic for malicious content. Barracuda issued patches and warned that hackers had been exploiting the flaw since October 2022. But the company later recommended customers remove and replace affected ESG appliances, regardless of patch level, suggesting the patches failed or were unable to block the hacker's access. In its latest guidance, Mandiant also warned customers to replace affected gear after finding evidence that the China-backed hackers gained deeper access to networks of affected organizations.

Re:

[gweihir]

On a "we think" attribution? What should he do? Maybe kick the cretins at Barracuda really hard? But how would he do that? Corporate America has made sure they are very hard to made liable for their screw-ups. They got just as much support for that from the proto-fascist Republicans as they got from the right-wing Democrats.

Re:

[Virtucon]

There is zero reason encrypted traffic should be allowed over international boarders without its ownership registered, an approved by the state department.

Next, it will be "We need back doors into encryption so we can find and prosecute those who traffick in child porn"

Re: and Bejing Biden will do

[ArmoredDragon]

There is zero reason encrypted traffic should be allowed over international boarders without its ownership registered, an approved by the state department.

Not only no, but hell fucking no. Furthermore, this won't even accomplish what you're wanting out of it; DPI isn't some panacea that lets you inspect and understand the contents of all traffic, even if it's all plaintext.

Re:

[gweihir]

Indeed. DPI cannot even do real pattern matching as that is too slow. At best you can do advanced stuff for a very small selection of the traffic. "Advanced stuff" here includes determining whether something is encrypted in the first place and that is not reliable.

Re: and Bejing Biden will do

[chill]

How old are you? Are you old enough to remember the t-shirts with the RSA source code printed on them [wikipedia.org]? What about PGP in book form or maybe PGPi?

What you describing was actually impossible to maintain and does significantly more damage to an economy than is worth, which the US government figured out back in the late 1990s.

Re:

[youngone]

Read a few of his comments. I have no idea how old he is, but he does live in a weird fantasy world.

Re:

[gweihir]

Yep, noticed that as well. Not so weird actually, just a typical authoritarian (which he clearly is) fantasy construct where there is an easy way for everything to get it under control. Usually involves some kind of simplistic brute force approaches that will not work and cannot work, but hey, authoritarians believe the best world is one where some great "Fuehrer" makes all the important decisions and they get forced on everybody.

Re:

[DarkOx]

Ohh "I disagree so I am going to resort to name calling"

Let me guess you spend your weekends harassing decent folks with one those antifa flags, pretending you are not the actually bully.

Re:

[gweihir]

You wish. Trying to rationalize your abject failure that way does not make it go away.

Re:

[youngone]

That's hilarious. Those people seem to have no self awareness at all.

Re:

[gweihir]

Only if you are stupid and have no clue how the technology actually works. DPI at line speeds cannot even determine whether something is encrypted. All it can do is simplistic pattern matching and select some (few) packets for closer inspection. As probably most internet traffic is encrypted in some form these days, most of the rest compressed in some form, I doubt DPI is even still being done in any meaningful amount in the Internet backbones. There are also approaches like "Chaffing and winnowing" (https:

Re:

[MobileTatsu-NJG]

and Bejing Biden will do NOTHING

Oh look, another sufferer of BDS. If you end up in Urgent Care, make sure to get your irony levels checked.

Re:

[znrt]

beijing biden?

dude.

i fucking hate that guy, i think he is the puppet/enabler of very serious war criminals. but ... beijing??? you are so way off the mark, man ...

Re:

[znrt]

but ... beijing??? you are so way off the mark, man ...

this is me looking for a promotion from russian troll to chinese troll badge on slashdot wink wink nudge nudge.

if u know what i mean, baby.

ok, double nudge.

Re:

[znrt]

i mean double nudge nudge.

They do not know

[gweihir]

They just suspect. Because nobody can actually do reliable attribution.

Re:

[Virtucon]

I think they know how bad it is. Barracuda recommending that customers replace their hardware isn't a trivial admission that there's something fatally flawed with the hardware or software.

Re:

[gweihir]

Well, on that side yes. Barracuda must have messed up the design of their "security" device in some pretty spectacularly stupid fashion. But they still cannot reliably know who is behind this. They can only suspect.

Re:

[laughingskeptic]

Chinese exfils can have a very distinct signature when moving a lot of data. They claim to have observed evidence of exfils and this could make it very clear that it is China. If the only org that could have "caught" the data in transit is China, then its definitely China.

Re:

[Anonymous Coward]

Surely this "very distinct signature" can easily be emulated.

Re:

[gweihir]

Nope. That is what the political fear-mongers and their helper want you to believe.

As for your 1st bogus claim, a "very distinct signature" is a) something China can identify as well and then avoid and b) something somebody else can nicely simulated to create a false trail. The whole idea of some specific fingerprint of a specific attacker (!) that stays persistent in network attack traffic but cannot easily be faked is just complete nonsense and fundamentally disconnected from reality. You can get such tr

Re:

[AmiMoJo]

So what you are saying is that the signature of Chinese exfils is well known, and thus easy for others to reproduce if they want to divert blame away from themselves.

This isn't just about China. I take any claims that any particular country was responsible for any bit of hacking with a bucket of salt, because all of them are trying to shift the blame away and the techniques that these security researchers use to determine origin are often pretty rudimentary. Stuff like looking for strings in the binary to s

What are the options?

[Baron_Yam]

Either they were embarrassingly incompetent at the spying every country with the capability engages in, or they were deliberately destructive, which should result in retaliation.

Screw China... after I get my latest toy delivered from AliExpress.

Who is still using Barracuda?

[Midnight_Falcon]

They were all the rage in IT in 2007...along with self hosted exchange and Windows SBS. iT started moving to cloud services like MXLogic and Proofpoint, or Microsoft native O365 shortly thereafter. Now, most email is cloud hosted, or at least the spam gateway is... and Barracuda is a very legacy product. Maybe the real issue is legacy products being used by IT folks who learned 15 years ago and don't want to modernize?

Re:

[awwshit]

When you once met the compliance requirements and have no budget....

Re:

[Midnight_Falcon]

I'm not so sure about the budget bit, as these self-hosted Barracudas are on licensing and pay-per-use models that come with costly ongoing renewals. Then factor in datacenter maintenance etc...makes little sense unless the IT team really wants faux "job security" by creating dependence on their maintenance actions. Heck, even Barracuda has moved to trying to sell you protection for native O365 hosted exchange.

Barracuda is a zero effort company

[CEC-P]

We got one of their overpriced backup appliances a while back where I used to work and it came with a WD Blue drive. Yeah, not NAS or surveillance grade. Off the shelf blue drive. It had a complete hard drive failure after about 2 weeks and they had to replace it.
I can image how crap their firmware/software code security is if their hardware standards and effort to pad during packaging are any indication.

that's totally not so fair

[znrt]

only us-backed hackers can use 0-day exploits! for democracy!

Here's the fun....

[beheaderaswp]

Want to have a little fun?

Barracuda is insisting on "unmonitored" remote access to their devices in order to get a replacement unit. This is compounded by the fact they removed SSH access to their units some time ago.

In other words- they don't want their customers to see what they are doing because it's "proprietary". And a good amount of their infrastructure is open source. What?

Now think about governments.

I'm adjacent to companies that have experienced this- I'm advising them to run... right fucking now.....