Barracuda says that the recently discovered compromise of some of it clients’ ESG appliances via a zero-day vulnerability (CVE-2023-2868) resulted in the deployment of three types of malware and data exfiltration.
The company did not say how many organizations have been breached, but has comfirmed that the “earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.”
Zero-day exploited, Barracuda ESG appliances backdoored
On May 23, Barracuda Networks publicly acknowledged that attackers have been exploiting CVE-2023-2868 to breach Email Security Gateway on-prem physical appliances at various organizations.
Today, they confirmed that the first patch, which remediated the remote command injection vulnerability, was applied to all ESG appliances worldwide on May 20, and was followed by a script that was “deployed to all impacted appliances to contain the incident and counter unauthorized access methods.”
With the help of cyber security experts from Mandiant, they found that at least three different malicious payloads had been dropped on affected appliances:
- SALTWATER, a trojanized module for the Barracuda SMTP daemon (bsmtpd), which serves as a backdoor that has proxy and tunneling capabilities and allows attackers to upload or download arbitrary files and execute commands.
- SEASPY, an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP)
- SEASIDE, a Lua-based module for the Barracuda SMTP daemon (bsmtpd) that establishes a connection to the attackers’ C2 server and helps establish a reverse shell (to provide access to the system)
There is some code overlap between SEASPY and cd00r, a publicly available PoC backdoor, the company said, but the malware has yet to be tied to specific threat actors.
Advice for impacted customers
Barracuda’s advice to impacted ESG customers – who have also been privately alerted – is as follows:
- Ensure that the appliance is receiving and applying updates and security patches from Barracuda
- If possible, remove the compromised ESG appliance and contact the company to obtain a new ESG virtual or hardware appliance
- Rotate any credentials connected to the ESG appliance
- Review network logs and search for IOCs and IPs shared by the company
Barracuda has also provided YARA rules to help organizations hunt for the malicious TAR file that exploits CVE-2023-2868.
“A series of security patches are being deployed to all appliances in furtherance of our containment strategy,” the company added, but did not elaborate further.
UPDATE (June 8, 2023, 08:20 a.m. ET):
Barracuda has issued an action notice on Tuesday, saying that impacted ESG appliances should be immediately replaced regardless of patch version level.
“If you have not replaced your appliance after receiving notice in your UI, contact support now (email@example.com),” they advise.