Why government email servers are top targets for state-backed hackers


State-backed hackers have accelerated attacks on government email servers in recent years, and it’s a trend that experts told ITPro will only get worse.

The prediction comes after a threat group with reported links to Chinese espionage activities breached email servers belonging to the Belgian intelligence agency.

On Wednesday February 26th, the Belgian federal prosecutor announced it had launched a probe into the alleged breach, which targeted the country’s state security service (VSSE).

According to a report from Belgian newspaper Le Soir, the hackers were able to steal 10% of the VSSE staff’s incoming and outgoing emails sent between 2021 and May 2023.

It added that the access did not affect any classified information as the email system is hosted on an external server, but the PII of nearly half of the security service’s members was potentially compromised.

The attackers are alleged to have gained access to the VSSE’s email systems by exploiting a critical remote command injection vulnerability, CVE-2023-2868, in Barracuda Networks’ Email Security Gateway (ESG) appliance.

Barracuda engaged Google security subsidiary Mandiant to assist in its investigation into in-the-wild exploitation of the Barracuda ESG flaw, which it traced back to October 2022.

Mandiant identified a threat actor it tracked as UNC4841 that was targeting a subset of Barracuda ESG appliances in an espionage campaign across a number of regions. It claimed that its investigation was able to establish with “high confidence” the group was linked to the Chinese government.

The report stated that UNC4841 sent emails containing malicious attachments tailored to exploit CVE-2023-2868 to a range of target organizations around the world, including the Belgian VSSE.

Shortly after Barracuda disclosed the vulnerability in 2023, the Belgian intelligence service stopped using the firm’s ESG appliance.

In a statement given to ITPro, Barracuda Networks said that while some of the emails allegedly accessed were from 2021, the exploitation of the vulnerability took place in 2023.

“Exploitation of the vulnerability impacting less than five percent of Email Security Gateway appliances took place in 2023 – not 2021. Our investigation data confirms that the vulnerability was not exploited in 2021,” a spokesperson said.

“Barracuda promptly remediated the issue, which was fixed as part of the BNSF-36456 patch and applied to all customer appliances.”

Email systems are the perfect entry point for further attacks

There has been a string of high-profile cyber incidents in recent years targeting email services, such as the Hafnium campaign in 2020 and a similar attack that saw threat actors steal emails from a number of government agencies in 2023.

Speaking to ITPro, Vito Alfano, Group-IB’s head of digital forensic and incident response practice in Europe, said these services have long been a prime target for threat actors, and this is expected to continue.

“APTs regularly target publicly exposed services, such as email systems, used by their victims and it has always been a long-standing tactic. Since 2006, nation-state-linked threat actors have targeted mail systems to gain access to confidential information.”

He cited a number of historic examples of email systems being targeted by state-sponsored groups, going back to the very first threat group tracked as an APT in 2006 and the APT28 attack on the US Democratic National Party (DNC) in 2016.

Alfano noted that email servers are frequently targeted by espionage-focused groups as they host valuable information and can enable them to quickly pivot into other parts of the victim’s environment once inside.

“Email servers cover a central role in communication, credential management, document exchange and they often represent a link between the external world and the internal protected perimeter of a targeted company. For this reason APT groups consider them a high-value target,” he explained.

“A mail server stores user login information which allows APTs to ‘jump’ into the victim’s perimeter through lateral movement. A mail server can also be used for supply chain attacks. Indeed, quite often third parties like suppliers and contractors use government email systems making them a secondary target.”

He added that we typically see sophisticated threat actors, often those with state backing, looking to remain in these environments for as long as possible without being detected, giving them a vantage point from which they can monitor the victim’s assets and craft more devastating attacks.

“Email servers also grant access to highly sensitive information and communications making them perfect for a long-term silent espionage campaign, allowing the access to sensitive mails or to be used to forge crafted phishing and impersonation attacks.”

This, he speculated, was most likely the case in the incident affecting the Belgian VSSE, with the attackers looking to use confidential information procured through an espionage campaign for further attacks.
