Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months
Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices.
The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery.
The flaw, which Barracuda identified on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to achieve code execution on susceptible installations. Patches were released by Barracuda on May 20 and May 21.
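As an added triage aid (not Barracuda's code), the check below flags ESG hosts whose firmware version falls inside the affected range stated above; the hostnames and inventory are constructed, and because the article does not give the patched version numbers, an in-range hit means "verify patch status and investigate", not "confirmed vulnerable".

```python
from typing import Dict, List, Tuple

# Inclusive affected range as stated in the article.
AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a four-part dotted ESG version such as '9.2.0.006' into ints.

    Zero-padded build components ('001', '006') are compared numerically,
    so '9.2.0.010' sorts after '9.2.0.006' instead of before it as a string would.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ESG version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies within the affected range (both ends inclusive)."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose reported version is in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "esg-01.example.test": "5.1.3.001",
        "esg-02.example.test": "9.2.0.006",
        "esg-03.example.test": "9.2.0.010",
        "esg-04.example.test": "4.9.9.999",
    }
    for host in triage(sample):
        print(f"{host}: version in affected range, verify patch status and review for compromise")
```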
“CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances,” the network and email security company said in an updated advisory. “Malware was identified on a subset of appliances allowing for persistent backdoor access. Evidence of data exfiltration was identified on a subset of impacted appliances.”
Three different malware strains have been discovered to date:

- SALTWATER – A trojanized module for the Barracuda SMTP daemon (bsmtpd) that’s equipped to upload or download arbitrary files, execute commands, as well as proxy and tunnel malicious traffic to fly under the radar.
- SEASPY – An x64 ELF backdoor that offers persistence capabilities and is activated by means of a magic packet.
- SEASIDE – A Lua-based module for bsmtpd that establishes reverse shells via SMTP HELO/EHLO commands sent via the malware’s command-and-control (C2) server.
Source code overlaps have been identified between SEASPY and an open source backdoor called cd00r, according to Google-owned Mandiant, which is investigating the incident. The attacks have not been attributed to a known threat actor or group.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), last week, also added the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.
Barracuda did not disclose how many organizations were breached, but noted they were directly contacted with mitigation guidance. It also warned that the ongoing investigation may identify additional users who have been affected.