One of the first things of note is that the attack had significant planning time before execution. According to Mandiant and Barracuda, only 5% of all ESG appliances worldwide were affected in the attack. This small footprint is an indication of the careful selection process the attackers had. The attackers also appear to have anticipated remediation efforts, as they developed specific toolsets in order to retain persistence after the initial entry vector was fixed. The fact that they did not apply these toolsets to all impacted devices, but only to a small subset, is also a pointer towards the attack group’s sophistication and selectivity. This second effort, once detected, is why the recommendation went from “patch now” to “replace if compromised.” The patch for the original vulnerability (CVE-2023-2868) appears to work, as no newly compromised devices have been detected.
Mandiant’s report states:
“Mandiant will detail how UNC4841 has continued to show sophistication and adaptability in response to remediation efforts. Specifically, UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda’s remediation guidance. We’ll also showcase how UNC4841’s deployment of select backdoors suggests this threat actor anticipated, and prepared for, remediation efforts by creating tooling in advance to remain embedded in high-value targets, should the campaign be compromised.”
As I have talked about in the past, APTs and other threat groups are aware of how most modern vulnerability identification and remediation systems function. In many cases this knowledge is just a bonus or a method to get in some quick scores before a window closes. Here we see a group that identified a target environment (Telecom and Government), possibly padded that environment with some collateral targets, found an open window in a common product (the Barracuda ESG) then planned on someone shutting that window. This level of planning might have been a way to hide after remediation in a small subset of targets considered high priority by the APT, but considering how quickly these remaining targets were identified and corrected, that might not be the case.
At each stage of the campaign, beginning in October of 2022, the attackers (Mandiant is tracking them as UNC4841) showed an increasing level of sophistication as they worked to remain present in each reduced set of compromised devices. These sets also increased in priority and significance to the attackers. According to the timeline of the incident, Mandiant noted an increase in activity following the initial public disclosure of the 0-day. This increase in activity was a retooling of existing malware in order to maintain persistence after remediation. This shows another item that I have talked about: attackers know the mean time to remediation. They can and will use this time to remain in an environment if the value of the access is worth it. In this case UNC4841 clearly felt that remaining in a certain number of environments was worth the cost, so they retooled their existing deployments and followed this up with deployment of new malware to high priority targets specifically to remain present post-remediation.
The deployment of these new malware families (named SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE by Mandiant), while not a new concept, is interesting as each one was deployed to a smaller and smaller subset. This was likely an attempt to remain undetected for as long as possible. Each new family showed more sophistication than the last. SKIPJACK was used against the largest group and included Government, Military, Defense and Aerospace, High-Tech industry, and Telecom. DEPTHCHARGE was aimed at Government and High-Tech industry. FOXTROT/FOXGLOVE was limited to Government targets. We will not be going into the details of each of these malware families; you can read the Mandiant article for that.
In general terms, this actor went into this campaign fully aware that they were going to get caught. They had a BCDR plan to continue operations even after discovery and remediation of their initial attack vector. As a disaster recovery plan, they also created user accounts and spawned SSH daemons to give them another method of entry if their malware was not enough. To add to this, Mandiant also saw the attackers utilize passwords recovered from the ESG to access accounts via OWA.
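As an added illustration (not Mandiant’s or Barracuda’s tooling), here is the kind of baseline comparison a defender would run for the two fallback persistence methods just described: accounts that were not in the known-good image and SSH daemons listening where the appliance’s own sshd should not be. The passwd and `ss`-style snapshots are constructed, and the expected port set is an assumption.

```python
"""Baseline check for the persistence pattern described above: accounts added
and SSH daemons spawned on an appliance after the patch. Added illustration,
not Mandiant's or Barracuda's tooling; every input below is constructed."""
import re
# Constructed passwd snapshot from a known-good appliance image (assumption).
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
support:x:1000:1000::/home/support:/bin/bash
"""
# Constructed passwd snapshot from the same appliance after remediation.
CURRENT_PASSWD = BASELINE_PASSWD + "svcmon:x:0:0::/tmp:/bin/sh\n"
# Constructed `ss -tlnp`-style listener lines from the patched appliance.
CURRENT_LISTENERS = """LISTEN 0 128 0.0.0.0:22 users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:443 users:(("httpd",pid=901,fd=4))
LISTEN 0 128 0.0.0.0:2222 users:(("sshd",pid=4410,fd=3))
"""
EXPECTED_SSH_PORTS = {22}  # the only port the appliance's own sshd should use
LISTEN_RE = re.compile(r'LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+users:\(\("(\w+)",pid=(\d+)')

def parse_passwd(text):
    """Return {username: (uid, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = (int(fields[2]), fields[6])
    return users

def new_accounts(baseline, current):
    """Accounts absent from the baseline; UID 0 or a login shell is high severity."""
    known = parse_passwd(baseline)
    findings = []
    for name, (uid, shell) in parse_passwd(current).items():
        if name not in known:
            severity = "high" if uid == 0 or not shell.endswith("nologin") else "low"
            findings.append((name, uid, severity))
    return findings

def unexpected_sshd(listeners, expected_ports=EXPECTED_SSH_PORTS):
    """(port, pid) for every sshd listening outside the expected port set."""
    hits = []
    for m in LISTEN_RE.finditer(listeners):
        port, proc, pid = int(m.group(1)), m.group(2), int(m.group(3))
        if proc == "sshd" and port not in expected_ports:
            hits.append((port, pid))
    return hits

if __name__ == "__main__":
    print(new_accounts(BASELINE_PASSWD, CURRENT_PASSWD))  # [('svcmon', 0, 'high')]
    print(unexpected_sshd(CURRENT_LISTENERS))             # [(2222, 4410)]
```

On a real appliance the baseline would come from a clean image of the same firmware version, and the check belongs in the post-patch verification step rather than being run once.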
“In one case, Mandiant identified UNC4841 successfully accessing a Windows Server Update Services (WSUS) server utilizing a domain administrator account identified within the mstore on an ESG appliance. The access to WSUS is notable as Mandiant has observed other China-nexus espionage actors deploying malware on a WSUS server to inject fake updates for remote code execution in efforts to steal data from government entities.”
Attempts at lateral movement, while present, seemed to be very stealthy reconnaissance or espionage type efforts. UNC4841 also performed lateral movement via SSH to VPN, proxy and other edge appliances present in a targeted network. Although not specifically stated, these moves all appear to be with the intent of remaining present in the environment by alternate means if needed. Once they got in, they were looking to remain in as long as they could. This pattern is very different from a financially motivated group, which might look to run a scorched earth campaign on the way out after detection.
All of these pieces of data (provided in the two Mandiant reports) support the attribution to a Nation-State actor or Nation-State linked actor. There is little financial gain in the attack pattern and targets. This was all about data collection and/or IP theft. The style of low and slow attack, leveraging increasingly sophisticated malware and smaller target groups, has all the hallmarks of a “military” style campaign. The planning that went into this attack is clear right up to the methods employed to remain in contact with targets even after the original attack vector was removed. This is not a general APT group or a Frat House group.
Mandiant also believes that this group is tied to the People’s Republic of China due to the tactics involved, the sophistication of the tool sets used and the targets for the campaign. They are likely to be in the China-Nexus group of actors as they share overlap in their methods.
In general, this type of attack, with the active evolution of tactics and techniques during an event, is not uncommon. I have personally watched some financially motivated groups change the way they were doing business because a certain tool or even a specific server received attention or a reboot. I have also seen a determined actor fight to remain present in an environment once detected. Where things change is when the cost of the effort to remain in an environment is too high: they exit and burn the building down. This scorched earth tactic can range from locking people out, to deploying ransomware and deleting files and backups.
In the case of UNC4841, instead of burning the building down, they looked to leave more ways to get back into the building. These actions are 100% consistent with an espionage / IP theft group. Mandiant’s attribution to China also appears solid, as they match up not only attack styles but also shared infrastructure with other tracked groups. They are clear about why they feel UNC4841 is a separate group and not just an existing group using a new tactic.
Identification and exposure of groups like this will make others aware of the very real dangers that are present in edge devices. This, on top of attacks like the ones from Clop and other identified 0-day attacks, could become more and more common and will eventually filter down to less sophisticated groups. This muddying of the water will allow the top-level predators to continue their efforts while organizations work to fend off attacks from the second and third tier. Evidence of this expansion of the predator environment is clear in the number of leaks of tools, source code for boot loaders, dumps of tools for alleged 0-days and more that pop up on the dark web. The market there is thriving, and some of that is intentional. If you are busy responding to attacks from an increased ecosystem of attackers, you are more likely to miss a more sophisticated and stealthy attack. This plays into the return of the hacktivist group targeting corporations and governments they are opposed to. It will certainly make it harder to spot the next round of high-level attacks.
Cybersecurity practices need a bit of a sea change here. The industry (as I have often said) cannot continue to do what it has always done. The next moves need to be counter-intuitive to the threat actors’ understanding of modern business practices. Only by breaking out of the existing and well-known patterns can we flip the script on attackers. What this entails is going to be a bit different for each organization, but it starts with discarding the thought process that cybersecurity is just a cost on a P&L sheet.
Stay safe out there