Security

Mandiant Says China-backed Hackers Exploited Barracuda Zero-Day To Spy on Governments (techcrunch.com)

Security researchers at Mandiant say China-backed hackers are likely behind the mass exploitation of a recently discovered security flaw in Barracuda Networks' email security gear, a flaw that prompted a warning to customers to remove and replace affected devices. From a report: Mandiant, which was called in to run Barracuda's incident response, said the hackers exploited the flaw to compromise hundreds of organizations, likely as part of an espionage campaign in support of the Chinese government. Almost a third of the targeted organizations are government agencies, Mandiant said in a report published Thursday.

Last month (May 2023), Barracuda discovered the security flaw affecting its Email Security Gateway (ESG) appliances, which sit on a company's network and filter email traffic for malicious content. Barracuda issued patches and warned that hackers had been exploiting the flaw since October 2022. But the company later recommended that customers remove and replace affected ESG appliances regardless of patch level, suggesting the patches failed, or were unable, to block the hackers' access. In its latest guidance, Mandiant also warned customers to replace affected gear after finding evidence that the China-backed hackers gained deeper access to the networks of affected organizations.

  • They do not know (Score:5, Informative)

    by gweihir ( 88907 ) on Thursday June 15, 2023 @02:19PM (#63605902)

    They just suspect. Because nobody can actually do reliable attribution.

    • I think they know how bad it is. Barracuda recommending that customers replace their hardware isn't a trivial admission that there's something fatally flawed with the hardware or software.

      • by gweihir ( 88907 )

        Well, on that side yes. Barracuda must have messed up the design of their "security" device in some pretty spectacularly stupid fashion. But they still cannot reliably know who is behind this. They can only suspect.

• Chinese exfils can have a very distinct signature when moving a lot of data. They claim to have observed evidence of exfils, and this could make it very clear that it is China. If the only org that could have "caught" the data in transit is China, then it's definitely China.
      • by Anonymous Coward

        Surely this "very distinct signature" can easily be emulated.

      • by gweihir ( 88907 )

        Nope. That is what the political fear-mongers and their helper want you to believe.

As for your 1st bogus claim, a "very distinct signature" is a) something China can identify as well and then avoid and b) something somebody else can nicely simulate to create a false trail. The whole idea of some specific fingerprint of a specific attacker (!) that stays persistent in network attack traffic but cannot easily be faked is just complete nonsense and fundamentally disconnected from reality. You can get such tr

      • by AmiMoJo ( 196126 )

        So what you are saying is that the signature of Chinese exfils is well known, and thus easy for others to reproduce if they want to divert blame away from themselves.

        This isn't just about China. I take any claims that any particular country was responsible for any bit of hacking with a bucket of salt, because all of them are trying to shift the blame away and the techniques that these security researchers use to determine origin are often pretty rudimentary. Stuff like looking for strings in the binary to s

  • Either they were embarrassingly incompetent at the spying every country with the capability engages in, or they were deliberately destructive, which should result in retaliation.

    Screw China... after I get my latest toy delivered from AliExpress.

• They were all the rage in IT in 2007... along with self-hosted Exchange and Windows SBS. IT started moving to cloud services like MXLogic and Proofpoint, or Microsoft-native O365, shortly thereafter. Now most email is cloud hosted, or at least the spam gateway is... and Barracuda is a very legacy product. Maybe the real issue is legacy products being used by IT folks who learned 15 years ago and don't want to modernize?
    • When you once met the compliance requirements and have no budget....

• I'm not so sure about the budget bit, as these self-hosted Barracudas are on licensing and pay-per-use models that come with costly ongoing renewals. Then factor in datacenter maintenance etc.... it makes little sense unless the IT team really wants faux "job security" by creating dependence on their maintenance actions. Heck, even Barracuda has moved to trying to sell you protection for native O365-hosted Exchange.
  • by CEC-P ( 10248912 ) on Thursday June 15, 2023 @03:32PM (#63606102)
We got one of their overpriced backup appliances a while back where I used to work, and it came with a WD Blue drive. Yeah, not NAS or surveillance grade. Off-the-shelf Blue drive. It had a complete hard drive failure after about 2 weeks and they had to replace it.
    I can imagine how crap their firmware/software code security is if their hardware standards and effort to pad during packaging are any indication.
  • only us-backed hackers can use 0-day exploits! for democracy!

  • Here's the fun.... (Score:4, Interesting)

    by beheaderaswp ( 549877 ) * on Thursday June 15, 2023 @05:43PM (#63606346)

    Want to have a little fun?

    Barracuda is insisting on "unmonitored" remote access to their devices in order to get a replacement unit. This is compounded by the fact they removed SSH access to their units some time ago.

    In other words- they don't want their customers to see what they are doing because it's "proprietary". And a good amount of their infrastructure is open source. What?

    Now think about governments.

I'm adjacent to companies that have experienced this. I'm advising them to run... right fucking now.....
