Barracuda Networks is urging customers running physical Email Security Gateway (ESG) appliances to replace them immediately, “regardless of patch version level.”
Vulnerability identification and disclosure
Barracuda identified a critical vulnerability (CVE-2023-2868) in its ESG appliances on May 19, 2023, and pushed a patch to all of them the following day.
On May 21, “a script was deployed to all impacted appliances to contain the incident and counter unauthorized access methods.”
The remote command injection vulnerability affected versions 5.1.3.001 through 9.2.0.006 of the physical appliance and was being exploited by attackers in the wild “to obtain unauthorized access to a subset of ESG appliances.”
Custom-made malware was deployed on them to achieve persistent access.
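For tracking which appliances in an inventory fall inside the affected version range named above, the following added example (not Barracuda's or the article's code) compares ESG firmware version strings numerically component by component, so that "9.2.0.006" sorts below "10.0.0.001" as intended and not the other way round as a plain string comparison would. The four-component dotted format and the sample hostnames are assumptions; the range boundaries are the ones the article reports. Note that, per the article, Barracuda's replacement guidance applies regardless of patch level, so a version outside the range only tells you the appliance was never in scope of the original bug, not that a previously affected unit is safe.

```python
# Added example: flag ESG appliances whose firmware version lies inside the
# range the advisory lists as affected by CVE-2023-2868 (inclusive bounds).
# Version strings are compared as tuples of integers, not as text.
from typing import Iterable, List, Tuple

AFFECTED_MIN = "5.1.3.001"  # lower bound reported in the advisory
AFFECTED_MAX = "9.2.0.006"  # upper bound reported in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.2.0.006' into (9, 2, 0, 6); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def in_affected_range(version: str) -> bool:
    """True if the version falls between AFFECTED_MIN and AFFECTED_MAX inclusive."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def flag_affected(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the sorted hostnames whose firmware is in the affected range."""
    return sorted(host for host, ver in inventory if in_affected_range(ver))


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("esg-hq-01", "5.1.3.001"),   # exactly at the lower bound -> affected
    ("esg-hq-02", "9.2.0.006"),   # exactly at the upper bound -> affected
    ("esg-dc-01", "9.2.0.007"),   # one above the upper bound -> not in range
    ("esg-dc-02", "5.1.2.999"),   # below the lower bound -> not in range
    ("esg-lab-01", "10.0.0.001"), # string compare would wrongly put this below 9.x
]

if __name__ == "__main__":
    for host in flag_affected(SAMPLE_INVENTORY):
        print(f"{host}: firmware in CVE-2023-2868 affected range")
```

The inventory tuples can be replaced with whatever asset-management export is at hand; the only requirement is a host label and the appliance's reported firmware version string.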
Urgent action needed
Barracuda initially advised customers to rotate any credentials connected to the ESG appliance (LDAP, AD, Barracuda Cloud Control, FTP, SMB) and promised to replace the affected device. In the meantime, it suggested that customers spin up a new virtual appliance or opt for the cloud version of the service.
But this Tuesday (June 6), the company issued an urgent action notice, urging all affected customers to replace their impacted ESG appliances as soon as possible. “If you have not replaced your appliance after receiving notice in your UI, contact support now (email@example.com),” it added.
Caitlin Condon, senior manager, security research at Rapid7, noted that “the pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access.”
Rapid7 researchers have identified ongoing malicious actions dating back to November 2022, with the most recent instances being observed in May 2023.
“In at least one case, outbound network traffic indicated potential data exfiltration. We have not yet observed any lateral movement from a compromised appliance,” Condon shared.
Barracuda has previously confirmed that the earliest identified evidence of exploitation of CVE-2023-2868 points to attackers leveraging it as far back as October 2022.
UPDATE (June 11, 2023, 13:25 a.m. ET):
The Government of the Australian Capital Territory (ACT) has been breached by attackers leveraging CVE-2023-2868.
“A harms assessment is underway to fully understand the impact specific to our systems, and importantly to the data that may have been accessed. We are confident that actions taken to date have contained the breach and that there is no ongoing threat,” the ACT Government said on Thursday.
UPDATE (June 19, 2023, 05:05 a.m. ET):
Mandiant says that suspected state-backed Chinese hackers exploited CVE-2023-2868 to target hundreds of public and private sector organizations.
“Almost a third of identified affected organizations were government agencies, supporting the assessment that the campaign had an espionage motivation. Further, in the set of entities selected for focused data exfiltration, shell scripts were uncovered that targeted email domains and users from ASEAN Ministry of Foreign Affairs, as well as foreign trade offices and academic research organizations in Taiwan and Hong Kong,” Mandiant’s analysts shared.
“In addition, the actors searched for email accounts belonging to individuals working for a government with political or strategic interest to the PRC at the same time that this victim government was participating in high-level, diplomatic meetings with other countries.”