A zero-day vulnerability affecting Barracuda Networks email security appliances has been exploited to deploy malware and steal data from organizations for several months before it was discovered.
The zero-day, tracked as CVE-2023-2868 and described as a remote command injection issue, impacts Email Security Gateway (ESG) appliances running versions 5.1.3.001 through 9.2.0.006.
“The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” Barracuda explained.
Barracuda became aware of attacks targeting its product on May 18 and confirmed the existence of a new vulnerability the next day. A patch was rolled out to ESG devices on May 20 and the vendor released an additional script one day later to contain the incident and neutralize unauthorized access methods. Additional fixes are also being deployed as part of the company’s containment strategy.
The vulnerability only appears to impact the ESG product, specifically a module designed for the initial screening of email attachments.
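The bug class Barracuda describes above, as an added illustration that is not Barracuda's code and not the real exploit: a Perl routine that interpolates a tar member name straight into a qx string, next to a hardened version that validates the name and never touches a shell. The sample archive, the injected member name and the use of echo as a stand-in for the real attachment-scanning command are all constructed assumptions; the actual ESG module is not shown on this page.

```perl
#!/usr/bin/perl
# Added illustration of the CVE-2023-2868 bug class (not Barracuda's code):
# a tar member name reaching Perl's qx operator unsanitized, beside a
# hardened version. The archive, the injected name and the "scan" command
# (a plain echo) are constructed for this demo.
use strict;
use warnings;
use Archive::Tar;   # core module; builds the sample archive in memory

# Constructed sample archive: one benign member and one whose name carries
# a shell command substitution.
sub build_sample_tar {
    my $tar = Archive::Tar->new();
    $tar->add_data('report.pdf', "benign\n");
    $tar->add_data('x$(echo INJECTED).pdf', "malicious name\n");
    return $tar;
}

# Vulnerable pattern (assumed): the member name is interpolated into a qx
# string. Because the resulting command contains shell metacharacters, Perl
# hands it to /bin/sh -c, so the embedded $(...) runs with the privileges
# of the scanning process.
sub scan_name_unsafe {
    my ($name) = @_;
    my $out = qx(echo "$name");
    chomp $out;
    return $out;
}

# Hardened pattern: accept only a strict character class, reject path
# traversal and absolute paths, and never go through a shell.
sub name_is_safe {
    my ($name) = @_;
    return 0 unless defined $name && length $name <= 255;
    return 0 unless $name =~ m{\A[A-Za-z0-9._/-]+\z};
    return 0 if $name =~ m{(?:\A|/)\.\.(?:/|\z)};   # "..", "../x", "x/..", "x/../y"
    return 0 if $name =~ m{\A/};                    # absolute paths
    return 1;
}

# The list form of open() execs the program directly, so the name travels
# as a single argv element and no shell parsing ever happens.
sub scan_name_safe {
    my ($name) = @_;
    return undef unless name_is_safe($name);
    open(my $fh, '-|', 'echo', $name) or return undef;
    my $out = <$fh>;
    close $fh;
    chomp $out;
    return $out;
}

my $tar = build_sample_tar();
for my $name ($tar->list_files) {
    printf "unsafe: %-28s -> %s\n", $name, scan_name_unsafe($name);
    my $safe = scan_name_safe($name);
    printf "safe:   %-28s -> %s\n", $name, defined $safe ? $safe : 'REJECTED';
}
```

Run it and the unsafe branch prints `xINJECTED.pdf` for the second member: the `$(echo INJECTED)` embedded in the file name was evaluated by the shell, which is exactly the path a hostile attachment takes to code execution. The hardened branch rejects that name outright and, for names it does accept, reaches the external program without a shell in between, so metacharacters that slip past the character class would still be inert.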
In an update shared on Tuesday, Barracuda provided additional information on the attack and the actions carried out by the attackers. An investigation conducted with the help of Mandiant revealed that CVE-2023-2868 has been exploited in attacks since at least October 2022.
The threat actor exploited the zero-day to hack ‘a subset’ of ESG devices and deploy malware that gave them persistent backdoor access. In some cases, data exfiltration was also detected.
Three types of malware were discovered on compromised Barracuda devices. One of them, named SaltWater, has been described as a trojanized module for the Barracuda SMTP daemon (bsmtpd). It gives attackers the ability to upload or download arbitrary files, execute commands, and use the appliance as a proxy or tunnel. Mandiant is currently analyzing the malware for links to known threats.
Another piece of malware involved in the attack is SeaSpy, a persistence backdoor that poses as a legitimate Barracuda service. It monitors traffic and provides backdoor functionality activated by a ‘magic packet’. Mandiant did find some code overlap between this malware and a publicly available backdoor named cd00r.
The third piece of malware is named SeaSide and it has been described as a Lua-based module that also hooks the Barracuda SMTP daemon. It receives a command and control (C&C) IP address and port via the SMTP HELO/EHLO exchange and passes them as arguments to an external binary that establishes a reverse shell.
Barracuda has shared indicators of compromise (IoCs) for both endpoints and networks, as well as Yara rules that can be used for threat hunting.
Customers have been advised to ensure that their devices are up to date and to stop using compromised appliances — Barracuda is providing new virtual or hardware appliances to impacted users.