FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective

The FBI says that the patches Barracuda released in May for an exploited ESG zero-day vulnerability (CVE-2023-2868) were not effective.

The Federal Bureau of Investigation says that the patches released for a recent Barracuda Email Security Gateway (ESG) vulnerability were not effective, advising organizations to “remove all ESG appliances immediately”.

Impacting Barracuda ESG versions to, the security defect, tracked as CVE-2023-2868, has been exploited as a zero-day since at least October 2022, and continues to be targeted in attacks. Barracuda released patches for the bug in late May 2023.

In June, Mandiant attributed the attacks targeting CVE-2023-2868 to a Chinese state-sponsored cyberespionage group tracked as UNC4841. Since July, CISA has published several analysis reports detailing the payloads and malware families used in the attacks.

Now, the FBI warns (PDF) that the flaw is still being targeted in the wild, and that even ESG appliances running the patches released by Barracuda “remain at risk for continued computer network compromise from suspected [Chinese] cyber actors exploiting this vulnerability”.

“The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately,” the agency notes.

Because the vulnerability lies in the email scanning functionality of Barracuda ESG, adversaries can exploit it by sending emails containing crafted TAR file attachments that trigger a command injection in the context of the appliance.
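The attachment check below is an added example and is not code from the FBI notice, Barracuda or Mandiant; it assumes the injection vector is an archive member name carrying shell metacharacters (the article does not say which TAR field is abused) and inspects a TAR attachment's member names without extracting anything, the kind of pre-filter a mail gateway or mail-log reviewer could run on inbound archives.

```python
import io
import re
import tarfile

# Characters that let a member name break out into a shell when an appliance
# interpolates it into a command line unquoted. Treating the member name as the
# vector is an assumption for this demo, not a detail stated in the FBI notice.
SHELL_META = re.compile(r"[`$|;&<>(){}\n\\'\"]")


def suspicious_members(tar_bytes):
    """Return (name, reasons) for TAR members whose names contain shell
    metacharacters or path traversal. Nothing is extracted to disk."""
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
            for member in tf.getmembers():
                name = member.name
                reasons = []
                if SHELL_META.search(name):
                    reasons.append("shell metacharacter")
                if name.startswith("/") or ".." in name.split("/"):
                    reasons.append("path traversal")
                if reasons:
                    findings.append((name, reasons))
    except tarfile.TarError as exc:
        # A malformed archive is itself worth flagging rather than skipping.
        findings.append(("<unreadable archive>", [f"parse error: {exc}"]))
    return findings


def build_sample_tar(names):
    """Build an in-memory TAR with the given member names. This is constructed
    sample data for the demo, not a captured attachment."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tar(["report.pdf", "invoice;true.pdf", "../../etc/motd"])
    for name, reasons in suspicious_members(sample):
        print(f"FLAG {name!r}: {', '.join(reasons)}")
```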

As part of the observed attacks, the threat actors deployed various types of malware on the affected ESG appliances, allowing them to scan emails, harvest credentials, exfiltrate data, and maintain persistent access.

In some cases, the FBI says, the adversaries leveraged the compromised ESG for lateral movement into the victim’s network, or to send malicious emails to other appliances.


“The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit,” the agency notes.

The FBI says that only scanning the appliance itself for indicators of compromise (IoCs) is not enough to identify potential intrusions and advises organizations to also scan for outgoing connections, review email logs, rotate credentials, revoke and reissue associated certificates, review network logs, and monitor the entire network for abnormal activity.

In an emailed comment, Mandiant CEO Kevin Mandia confirmed that UNC4841 has shifted tactics since the initial report on this activity.

“Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868. This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide,” Mandia said.

“These types of attacks underscore a major shift in tradecraft from China-nexus threat actors, especially as they become more selective in their follow-on espionage operations,” he added.

Related: Barracuda Urges Customers to Replace Hacked Email Security Appliances

Related: New ‘Carderbee’ APT Targeted Chinese Security Software in Supply Chain Attack

Related: Industrial Organizations in Eastern Europe Targeted by Chinese Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
