Barracuda Networks is telling customers to immediately replace hacked Email Security Gateway (ESG) appliances, even if they have installed all available patches.
Barracuda became aware of attacks targeting its ESG appliances on May 18. By the next day, the company discovered that the attacks involved exploitation of a zero-day vulnerability (CVE-2023-2868) and it immediately started working on patches and scripts to contain the attack, which it released shortly after.
Barracuda’s initial recommendations for impacted customers included ensuring that their appliances had received all updates, definitions and security patches. At the same time, the company told customers to discontinue the use of compromised devices and contact its support team to receive a new ESG appliance.
On June 6, the company issued an ‘action notice’ telling impacted customers to immediately replace their appliances, regardless of their patch level. This suggests that the updates may not be completely effective in cleaning up hacked systems.
“If you have not replaced your appliance after receiving notice in your UI, contact support now,” Barracuda said. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
Barracuda’s investigation, which is assisted by Mandiant, revealed that the vulnerability has been exploited since at least October 2022. CVE-2023-2868 is a remote command injection issue affecting a module designed for the initial screening of email attachments.
Information shared by the company to date indicates that threat actors delivered malware to a subset of appliances and used it to exfiltrate data.
Three types of malware were discovered on hacked Barracuda appliances. They have been named SaltWater, SeaSpy, and SeaSide.
SaltWater is designed to allow attackers to upload and download files, execute arbitrary commands, and use it for proxy or tunneling purposes. SeaSpy provides backdoor functionality, while SeaSide is used to receive command and control (C&C) information and to establish a reverse shell.
Indicators of compromise (IoCs) for endpoints and networks, as well as Yara rules that can be used for threat hunting have been shared by the vendor.
Related: Fortinet Admits Many Devices Still Unprotected Against Exploited Vulnerability
Related: Custom Chinese Malware Found on SonicWall Appliance
Related: Sophos Firewall Zero-Day Exploited in Attacks on South Asian Organizations
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Microsoft Adding New Security Features to Windows 11
- Sony Investigating After Hackers Offer to Sell Stolen Data
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- Cisco to Acquire Splunk for $28 Billion
Latest News
- Microsoft Adding New Security Features to Windows 11
- UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
- Sony Investigating After Hackers Offer to Sell Stolen Data
- The CISO Carousel and its Effect on Enterprise Cybersecurity
- Xenomorph Android Banking Trojan Targeting Users in US, Canada
- $200 Million in Cryptocurrency Stolen in Mixin Network Hack
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
