Yesterday, the EPA distributed a medium-severity cybersecurity advisory (attached) emphasizing the recent FBI FLASH, "Suspected People’s Republic of China (PRC) Cyber Actors Continue to Globally Exploit Barracuda Email Security Gateway (ESG)." The EPA advisory recommends that all drinking water and wastewater systems review and apply the mitigations contained in the FLASH. The FBI FLASH was included in WaterISAC’s Security & Resilience Update on Thursday, August 24, 2023, which encouraged utilities that use Barracuda Email Security Gateway (ESG) appliances and have not yet isolated or replaced the impacted appliances to do so immediately.
Additionally, Mandiant released a threat intelligence and analysis report today detailing additional tactics, techniques, and procedures (TTPs) employed by this activity (which it tracks as UNC4841). These TTPs were uncovered through incident response engagements, collaborative efforts with Barracuda Networks, and work with international government partners. The newly reported behavior includes post-exploitation activity against originally compromised victims, and the report notes that UNC4841 has shown particular interest in a subset of priority victims.
According to Mandiant, “Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city, and town offices that were targeted in this campaign. These organizations included municipal offices, law enforcement offices, judiciaries of varying levels, social service offices, and several incorporated towns. While overall local government targeting comprises just under seven percent of all identified affected organizations, this statistic increases to nearly seventeen percent when compared to U.S.-based targeting alone. In some instances, targeted entities had populations below 10,000 individuals. Local government targeting occurred mostly in the initial months of CVE-2023-2868 exploitation, with the majority of observed compromises beginning from October through December 2022.” Visit Mandiant for more details.
Analyst Comment (Jennifer Lyn Walker): Although Barracuda has notified impacted entities and PRC cyber actors may seem less likely to directly target water and wastewater utilities (at this time), because this vulnerability is widely known and Barracuda ESG is a popular appliance, unprotected/unpatched/non-isolated appliances can become a target of opportunity for other types of cyber threat actors in the future, thus emphasizing the importance of timely patching/addressing (of all vulnerabilities, not just this one).