Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery

The recently discovered Barracuda zero-day vulnerability CVE-2023-2868 has been exploited to deliver malware and steal data since at least October 2022.

Barracuda zero day exploited by China

A zero-day vulnerability affecting Barracuda Networks email security appliances has been exploited to deploy malware and steal data from organizations for several months before it was discovered.

The zero-day, tracked as CVE-2023-2868 and described as a remote command injection issue, impacts Email Security Gateway (ESG) appliances running versions 5.1.3.001 through 9.2.0.006.

“The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” Barracuda explained.
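The gap Barracuda describes above is the general problem of trusting member names inside an uploaded archive. The following is an added example, not Barracuda's or Mandiant's code: a defender-side pre-screen in Python that reads only the tar headers and flags member names that would be unsafe to pass anywhere near a shell or a filesystem path. The allow-list policy and the constructed sample names are assumptions for illustration.

```python
import io
import re
import tarfile

# Assumed conservative allow-list for archive member names: letters, digits,
# dot, underscore, space, slash and dash only. Anything else (shell
# metacharacters, quotes, backticks, newlines) is rejected before the name
# can reach a command string or a path operation.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9._ /-]+$")


def unsafe_member_reasons(name: str) -> list[str]:
    """Return the policy violations for one member name (empty if clean)."""
    reasons = []
    if not SAFE_NAME_RE.fullmatch(name):
        reasons.append("disallowed characters")
    if name.startswith("/"):
        reasons.append("absolute path")
    if ".." in name.split("/"):
        reasons.append("path traversal")
    if name.startswith("-"):
        reasons.append("leading dash (option injection)")
    return reasons


def screen_tar(data: bytes) -> dict[str, list[str]]:
    """Map each failing member name to its reasons. Headers only; nothing is
    extracted, so a hostile name never touches the filesystem or a shell."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            reasons = unsafe_member_reasons(member.name)
            if reasons:
                findings[member.name] = reasons
    return findings


def build_sample_tar(names) -> bytes:
    """Constructed sample archive of empty files under the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# Constructed test input: two benign names and three that must be rejected.
SAMPLE_NAMES = ["invoice.pdf", "reports/q3.xlsx", "../etc/passwd", "report;x.txt", "-rf"]
```

Reject the whole upload when `screen_tar` returns anything; a single bad member name is enough reason to refuse the archive rather than skip the member.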

Barracuda became aware of attacks targeting its product on May 18 and confirmed the existence of a new vulnerability the next day. A patch was rolled out to ESG devices on May 20 and the vendor released an additional script one day later to contain the incident and neutralize unauthorized access methods. Additional fixes are also being deployed as part of the company’s containment strategy.

The vulnerability only appears to impact the ESG product, specifically a module designed for the initial screening of email attachments.

In an update shared on Tuesday, Barracuda provided additional information on the attack and the actions carried out by the attackers. An investigation conducted with the help of Mandiant revealed that CVE-2023-2868 has been exploited in attacks since at least October 2022.

The threat actor exploited the zero-day to hack ‘a subset’ of ESG devices and deploy malware that gave them persistent backdoor access. In some cases, data exfiltration was also detected.

Three types of malware were discovered on compromised Barracuda devices. One of them, named SaltWater, has been described as a trojanized module for the Barracuda SMTP daemon. It allows attackers to upload or download files, execute commands, and use it for proxy or tunneling purposes. Mandiant is currently analyzing the malware for links to known threats.


Another piece of malware involved in the attack is SeaSpy, a persistence backdoor that poses as a legitimate Barracuda service. It monitors traffic and provides backdoor functionality activated by a ‘magic packet’. Mandiant did find some code overlap between this malware and a publicly available backdoor named cd00r.

The third piece of malware is named Seaside and it has been described as a Lua-based module that also targets the Barracuda SMTP daemon. It receives a command and control (C&C) IP address and port that are passed on to an external binary that establishes a reverse shell.

Barracuda has shared indicators of compromise (IoCs) for both endpoints and networks, as well as Yara rules that can be used for threat hunting.

Customers have been advised to ensure that their devices are up to date and to stop using compromised appliances — Barracuda is providing new virtual or hardware appliances to impacted users.

Related: Fortinet Admits Many Devices Still Unprotected Against Exploited Vulnerability

Related: Custom Chinese Malware Found on SonicWall Appliance

Related: Sophos Firewall Zero-Day Exploited in Attacks on South Asian Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
