Newsletter 8/06/2023


The Game May Have Changed:
But Compromised Servers are Still Tried and True
Part 3 in a series

In July 2021, Western diplomats from many NATO countries spoke publicly about Chinese hacking of Microsoft Exchange servers earlier that year.  A "Statement by the North Atlantic Council in solidarity with those affected by recent malicious cyber activities including the Microsoft Exchange Server compromise" was released July 19, 2021.  NATO members clearly expressed the threat to the Alliance that Chinese cyber attacks represent.  The statement itself stopped short of attributing the attack on email servers worldwide, but it explicitly acknowledged the Allies' national attributions to the People's Republic of China:

We stand in solidarity with all those who have been affected by recent malicious cyber activities including the Microsoft Exchange Server compromise. Such malicious cyber activities undermine security, confidence and stability in cyberspace. We acknowledge national statements by Allies, such as Canada, the United Kingdom, and the United States, attributing responsibility for the Microsoft Exchange Server compromise to the People’s Republic of China.

Two years and a few days later, on July 28, 2023, CISA published a malware analysis report on a backdoor found on compromised email gateway appliances from long-time vendor Barracuda Networks.  Barracuda engaged the security firm Mandiant in May 2023, after being alerted to anomalous traffic from its Email Security Gateway (ESG) appliances, to investigate the ongoing compromise; the vulnerability was identified on May 19 and a patch was pushed to appliances on May 20.  Mandiant's report, first issued June 15, 2023 and last updated July 28, 2023, is entitled "Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China."  It attributes the campaign to a suspected China-nexus actor tracked as UNC4841, and begins by stating:

On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022.

Mandiant determined that almost one-third of the identified victims were government agencies, and therefore assessed that espionage was a primary motivation for the campaign.

As The Hacker News reported on July 29, 2023, the intrusions began with emails carrying malicious .tar attachments.  CVE-2023-2868 is a remote command injection flaw in the ESG's screening of those archives: member filenames were not sanitized before being passed to Perl's qx operator, so a crafted filename executes a system command on the appliance as soon as the message is inspected.  That foothold was used to install backdoors, including one CISA dubbed "SUBMARINE."  SUBMARINE does not exploit a flaw in SQL itself; it hides inside a SQL database on the appliance, and CISA's analysis of July 28, 2023 describes it as comprising a SQL trigger, shell scripts, and a library loaded by a Linux daemon that together "enable execution with root privileges, persistence, command and control, and cleanup."  CISA also analyzed related artifacts, emails with attachments, that "contained the contents of the compromised SQL database, which included sensitive information."
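As an added example, not code from Barracuda, Mandiant, CISA or this newsletter, the scanner below shows the check a mail-flow analyst could apply to the attachment type involved: it opens a .tar attachment in memory and flags any member name containing shell metacharacters, the pattern that CVE-2023-2868 turned into a command.  The function names, the metacharacter set and the sample archive are assumptions constructed here; an unreadable archive is treated as suspicious rather than silently passed.

```python
"""Flag .tar attachments whose member names could be command injection.

Added example.  The ESG flaw handed archive member names to a shell via
Perl's qx operator without sanitising them, so a name such as `id` or
$(uname -a) ran as a command when the appliance inspected the archive.
This scanner only looks for that pattern; it exploits nothing.
"""
import io
import re
import tarfile

# Characters that let a filename break out into a command when it is
# interpolated into a shell string.  A real attachment name almost never
# needs any of them.  (Assumed set; extend to taste.)
SHELL_META = re.compile(r"[`$;|&\n]")


def suspicious_members(tar_bytes: bytes) -> list:
    """Return the member names in the archive that contain shell metacharacters.

    Raises tarfile.ReadError if the bytes are not a readable tar archive
    (plain, gzip, bzip2 or xz; 'r:*' autodetects compression).
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if SHELL_META.search(member.name):
                hits.append(member.name)
    return hits


def should_quarantine(tar_bytes: bytes) -> bool:
    """Policy decision for a gateway: quarantine if any member name is
    suspicious, and also if the archive cannot be parsed at all, since a
    malformed archive is exactly what an exploit attempt may look like."""
    try:
        return bool(suspicious_members(tar_bytes))
    except tarfile.ReadError:
        return True


def build_tar(names: list) -> bytes:
    """Build a small in-memory tar with the given member names.

    Constructed sample data for the demonstration; each member holds one byte.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_tar(["invoice.pdf", "q1/report.docx"])
    hostile = build_tar(["invoice.pdf", "`id`.pdf", "$(uname -a)"])
    print("benign  ->", suspicious_members(benign), should_quarantine(benign))
    print("hostile ->", suspicious_members(hostile), should_quarantine(hostile))
    print("garbage ->", should_quarantine(b"not a tar archive"))
```

The point of the quarantine rule is that the gateway never needs to decide whether a given metacharacter is harmful in context; the appliance's own parser was the thing being attacked, so anything it would have to interpret is refused before it reaches that parser.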

I will leave it to those who engage in such semantic debates whether or not this attack qualifies as an actual Living Off The Land attack.  This three-pronged attack is certainly not a fileless attack.  The attack did, however, exploit existing vulnerabilities in Barracuda products.  And, since all attacks take unfair advantage of heretofore unknown vulnerabilities open for exploitation, I think it is fair to say that most threat actors "live off the land" in which they find themselves.  All of our hacker miscreants, once they have infiltrated a network, are like bears rampaging through a campground, taking from that network all that can be consumed on the spot, and then waiting for more goodies to arrive in the persons of unsuspecting campers or computer users.

Despite the patches released in May 2023, the attackers retained access to appliances that had already been compromised.  As BleepingComputer and others have reported, Barracuda Networks is now replacing compromised ESG appliances outright, at no cost to the customer, rather than relying on patching.  That does not, however, mitigate the cost in labor and down time to swap out an email gateway.  Neither does replacement recover good reputations now gone bad due to any fallout from data stolen from compromised networks.  Nonetheless, Barracuda Networks taking primary responsibility for its products, and replacing the hopelessly compromised units with new ones, should become an industry standard practice, if not a law.  For only in IT are manufacturers allowed to walk away unscathed by the chaos and destruction their shoddy products wreak upon businesses, governments, and consumers everywhere.

So, now, we have a new model.  Not only must Uncle Sam demand it, but we Consumers must also demand that IT vendors do one simple thing.

¯\_(ツ)_/¯
Gerald Reiff
