Published: June 18, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
In late May, Barracuda Networks, the network security solutions provider, issued a warning to its customers about a recent breach affecting some of its Email Security Gateway (ESG) appliances. According to the company, this device is used in more than 200,000 organizations. It turns out that threat actors took advantage of a zero-day vulnerability that has since been patched.
The vulnerability, known as CVE-2023-2868, was discovered on May 19 and Barracuda promptly released security patches on May 20 and 21 to address the issue. The impact of this vulnerability could be quite significant as ESG appliances are widely used by numerous organizations worldwide, including some big-name businesses, such as Delta Airlines and Kraft-Heinz.
It's worth noting that this vulnerability only affects the Email Security Gateway (ESG) appliances and does not impact other Barracuda products. The company assures customers that its SaaS email security services remain unaffected by this issue. It’s also worth quick review of a zero-day vulnerability. These are flaws that are known, not only by the manufacturer or developer, but also have not been fixed. They are also known to anyone who may want to take advantage of them, such as cybercriminals.
Here are some examples of phishing emails exploiting the exploit:
Barracuda conducted an investigation into the flaw and determined that it was exploited by some of the aforementioned cybercriminals to target a specific group of email gateway appliances. The company informed the affected customers via the ESG user interface.
On May 30, 2023, Barracuda released a Preliminary Summary of Key Findings based on its investigation. This summary includes a timeline of events, Indicators of Compromise (IOCs), and recommended actions for impacted customers.
According to the company's statement, the vulnerability has been exploited in real-world scenarios, with incidents dating back to at least October 2022.
Barracuda, with the assistance of Mandiant, discovered that the vulnerability was used to deploy malware on a subset of appliances, creating a persistent backdoor access.
It's been confirmed that the CVE-2023-2868 vulnerability was first exploited in October 2022. The malware families involved in the attacks are:
SALTWATER: This targets the Barracuda SMTP daemon (bsmtpd) and supports various capabilities like file uploads/downloads, command execution, and proxying/tunneling malicious traffic to evade detection.
SEASPY: An x64 ELF persistent backdoor that disguises itself as a legitimate Barracuda Networks service and pretends to be a PCAP filter, monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality.
SEASIDE: This establishes a reverse shell via SMTP HELO/EHLO commands sent through the malware's command and control (C2C) server.
Barracuda as well as CISA are advising users of the affected products to patch them immediately and to check networks for intrusions. For devices that were breached, they advise complete replacement of the ESG appliance.
Taking swift action is essential to mitigate any potential risks associated with this or any cybersecurity breach.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at advisor@nadicent.com
Comments