Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months

Barracuda Email Security Gateway

Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices.

The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery.

The flaw, which Barracuda identified on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to achieve code execution on susceptible installations. Patches were released by Barracuda on May 20 and May 21.

“CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances,” the network and email security company said in an updated advisory.

“Malware was identified on a subset of appliances allowing for persistent backdoor access. Evidence of data exfiltration was identified on a subset of impacted appliances.”

Three different malware strains have been discovered to date –

  • SALTWATER – A trojanized module for the Barracuda SMTP daemon (bsmtpd) that’s equipped to upload or download arbitrary files, execute commands, as well as proxy and tunneling malicious traffic to fly under the radar.
  • SEASPY – An x64 ELF backdoor that offers persistence capabilities and is activated by means of a magic packet.
  • SEASIDE – A Lua based module for bsmtpd establish reverse shells via SMTP HELO/EHLO commands sent via the malware’s command-and-control (C2) server.

Source code overlaps have been identified between SEASPY and cd00r, according to Google-owned Mandiant, which is investigating the incident. The attacks have not been attributed to a known threat actor or group.

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Learn, Connect, Grow

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), last week, also added the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.

Barracuda did not disclose how many organizations were breached, but noted they were directly contacted with mitigation guidance. It also warned that the ongoing probe may unearth additional users.



Original Source


 

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn