Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months

May 31, 2023 | Ravie Lakshmanan | Network Security / Zero Day

Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices.

The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery.

The flaw, which Barracuda identified on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to achieve code execution on susceptible installations. Patches were released by Barracuda on May 20 and May 21.
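The affected range above is the first thing an asset owner needs to check against an appliance inventory. The following is an added example, not code from the article or from Barracuda: it parses ESG-style four-component version strings and reports which inventory entries fall inside the inclusive range 5.1.3.001 to 9.2.0.006 stated in the advisory. The hostnames and the inventory are constructed; the version 9.2.1.001 is a hypothetical value above the range and is not presented as the patched release, which the article does not name.

```python
from typing import List, Tuple

# Inclusive affected range as stated in the advisory.
AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn a dotted ESG version string such as '9.2.0.006' into an integer tuple.

    The zero-padded build component ('006') compares numerically, so
    '9.2.0.006' < '9.2.0.010' as expected.
    """
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def is_affected(version: str) -> bool:
    """True if the version lies inside the inclusive range given in the advisory."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


# Constructed sample inventory (hostname, reported firmware version).
SAMPLE_INVENTORY = [
    ("esg-01.example.internal", "5.1.3.001"),  # lower bound of the range
    ("esg-02.example.internal", "8.0.1.001"),  # inside the range
    ("esg-03.example.internal", "9.2.0.006"),  # upper bound of the range
    ("esg-04.example.internal", "9.2.1.001"),  # hypothetical, above the range
    ("esg-05.example.internal", "5.1.2.999"),  # below the range
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Annotate each inventory row with whether its version is in the affected range."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


if __name__ == "__main__":
    for host, ver, hit in triage(SAMPLE_INVENTORY):
        print(f"{host:28s} {ver:10s} {'AFFECTED' if hit else 'outside range'}")
```

Being outside the version range only means the appliance was not in the set the advisory names; the article also states that compromised devices received persistent backdoors, so a version check settles patch status, not whether a device was already accessed before the fix was applied.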

“CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances,” the network and email security company said in an updated advisory. “Malware was identified on a subset of appliances allowing for persistent backdoor access. Evidence of data exfiltration was identified on a subset of impacted appliances.”

Three different malware strains have been discovered to date:

  • SALTWATER: A trojanized module for the Barracuda SMTP daemon (bsmtpd) that’s equipped to upload or download arbitrary files, execute commands, as well as proxy and tunnel malicious traffic to fly under the radar.

  • SEASPY: An x64 ELF backdoor that offers persistence capabilities and is activated by means of a magic packet.

  • SEASIDE: A Lua-based module for bsmtpd that establishes reverse shells via SMTP HELO/EHLO commands sent from the malware’s command-and-control (C2) server.
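Because SEASIDE is described as being driven through SMTP HELO/EHLO commands, one triage heuristic a defender can run over mail-gateway logs is to flag HELO/EHLO arguments that are not a syntactically valid hostname or address literal, which is all RFC 5321 permits there. The code below is an added example and is not from the article, Barracuda or Mandiant; the log line format (timestamp, client IP, command, argument) and the log lines themselves are constructed, and the article does not state what SEASIDE's HELO/EHLO traffic actually looks like, so this is a generic anomaly check rather than a signature for that malware.

```python
import re
from typing import List, Tuple

# RFC 5321 allows the HELO/EHLO argument to be a Domain (dot-separated labels of
# letters, digits and hyphens) or an address-literal such as [192.0.2.1] or [IPv6:...].
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_ADDR_LITERAL = re.compile(r"^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$")

# Constructed log format (assumption): "<timestamp> <client-ip> <HELO|EHLO> <argument>"
_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<cmd>HELO|EHLO) (?P<arg>.*)$")

# Constructed sample log: two well-formed greetings and two that break the grammar.
SAMPLE_LOG = """\
2023-05-20T10:01:02Z 198.51.100.7 EHLO mail.example.net
2023-05-20T10:01:09Z 203.0.113.5 HELO [203.0.113.5]
2023-05-20T10:02:44Z 192.0.2.99 EHLO x;y
2023-05-20T10:03:01Z 192.0.2.99 HELO a b c
2023-05-20T10:03:30Z 192.0.2.99 MAIL FROM:<user@example.net>
"""


def helo_argument_is_wellformed(arg: str) -> bool:
    """True if the argument is a Domain or an address-literal per RFC 5321 syntax."""
    return bool(_DOMAIN.match(arg) or _ADDR_LITERAL.match(arg))


def find_suspicious_helo(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, command, argument) for every HELO/EHLO whose
    argument is not a valid hostname or address literal. Non-greeting lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        if not helo_argument_is_wellformed(m["arg"]):
            hits.append((m["ts"], m["src"], m["cmd"], m["arg"]))
    return hits


if __name__ == "__main__":
    for ts, src, cmd, arg in find_suspicious_helo(SAMPLE_LOG):
        print(f"{ts} {src} {cmd} {arg!r}")
```

Expect noise: many legitimate clients send sloppy greetings (bare IP addresses without brackets pass the domain grammar, but names with underscores or spaces do not), so the output is a candidate list to correlate with the vendor's indicators and with the appliance's own integrity checks, not a verdict on its own.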

Source code overlaps have been identified between SEASPY and an open source backdoor called cd00r, according to Google-owned Mandiant, which is investigating the incident. The attacks have not been attributed to a known threat actor or group.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA), last week, also added the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.

Barracuda did not disclose how many organizations were breached, but noted they were directly contacted with mitigation guidance. It also warned that the ongoing probe may identify additional affected users.
