Hackers Exploited Zero-Day Bug for 8 Months, Barracuda WarnsAttackers Exploited Now-Fixed Flaw in ESG Appliances to Install Malware, Steal Data
Barracuda Networks is warning that attackers exploited for up to eight months a recently patched zero-day vulnerability in its Email Security Gateway appliances.
The serious remote command injection vulnerability, tracked as CVE-2023-2868, existed in all hardware and virtual versions of Barracuda's Email Security Gateway appliances. The vendor issued its first public alert about the attacks on May 23.
In a Tuesday update titled a "preliminary summary of key findings," the vendor reported that attackers discovered and exploited the vulnerability starting in October, and possibly earlier. Digital forensic investigators from Google's Mandiant found attackers exploited the vulnerability to install malware to give themselves "persistent backdoor access" to the appliance as well as exfiltrate data, Barracuda said.
The vendor said the vulnerability present in its ESG products - but no others - was due to its software failing to fully validate the names of files contained in a user-supplied
.tar file, which collects many different files into a single archive. Due to the flaw, "a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product," it said.
Barracuda said at least one attacker had successfully exploited the vulnerability "to gain unauthorized access to a subset of ESG appliances." The vendor did not detail how many appliances the attackers targeted, and it didn't immediately respond to a request to give the number of affected customers.
Exploits Trace From Last October
Based on what's currently known, Barracuda issued this timeline:
- October 2022: First known exploits of ESG appliances CVE-2023-2868 begin but remain undetected;
- May 18, 2023: Barracuda receives report of suspicious traffic emanating from its ESG appliances and brings in Mandiant to investigate;
- May 19: Barracuda identifies the CVE-2023-2868 vulnerability present in ESG appliance versions 5.1.3.001-9.2.0.006;
- May 20: Barracuda pushes its first security patch to all ESG appliances to fix the flaw;
- May 21: Barracuda pushes a script to all ESG appliances as part of what it describes as a strategy "to contain the incident and counter unauthorized access methods."
Barracuda said it is continuing to develop and deploy "a series of security patches" to ESG appliances "in furtherance of our containment strategy."
It is telling affected customers they should look for signs that hackers gained remote access to their network, since the vendor is focusing solely on its ESG product rather than customers' IT environments.
The vendor published a list of endpoint and network indicators of compromise, as well as a series of malware detection patterns - aka YARA rules. It recommends that all customers it has alerted to signs that their ESG appliance was targeted closely study their endpoints and networks using the IOCs.
Barracuda reported that three types of malware were recovered from hacked ESG appliances:
- Saltwater: Described as a "Trojanized module for the Barracuda SMTP daemon (bsmtpd)," it gives attackers "backdoor functionality" and is still being studied by Mandiant for signs of overlap with other malware families.
- Seaspy: This 64-bit ELF file is a backdoor that "poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter." It appears to be based on a publicly available backdoor called cd00r.
- Seaside: It is a Lua script for bsmtpd that creates a reverse shell.
For affected customers, Barracuda recommends verifying with its customer support team that their ESG appliances are still set to receive and apply all of its remotely issued patches and updates and are running the latest version of its software, rotating all credentials tied to ESG appliances and contacting the vendor to receive replacement virtual or hardware appliances.