THREAT ALERT

Barracuda Email Security Gateway Application (ESG) Vulnerability- CVE-2023-2868

Tuesday, June 6th, 2023


DefenseStorm

Defensestorm is aware of the recent disclosure of the Barracuda Email Security Gateway Application (ESG) Vulnerability and has been actively monitoring for potential Indications of Compromise. 


Barracuda released guidance on May 31, 2023, and reiterated it on June 6, 2023: they recommend immediate replacement of compromised ESG appliances, regardless of patch level.

If you have not replaced your appliance after receiving notice of compromise in your Barracuda UI, contact Barracuda support (support@barracuda.com).

For additional information about this vulnerability, please reference the following page:

  • hxxps://www.barracuda.com/company/legal/esg-vulnerability

Summary 

Barracuda disclosed that a since-patched zero-day flaw had been abused by threat actors since October 2022 to backdoor Email Security Gateway (ESG) appliances. The flaw affects versions 5.1.3.001 through 9.2.0.006 and could allow an attacker to remotely execute code on susceptible installs. Barracuda released patches on May 20th and May 21st.

According to Barracuda’s updated advisory, CVE-2023-2868 “was utilized to obtain unauthorized access to a subset of ESG appliances” (hxxps://www.barracuda.com/company/legal/esg-vulnerability). To date, three malware strains have been discovered: Saltwater, Seaspy, and Seaside.

  • SALTWATER – A trojanized module for the Barracuda SMTP daemon (bsmtpd) that is equipped to upload or download arbitrary files, execute commands, and proxy and tunnel malicious traffic to fly under the radar.
  • SEASPY – An x64 ELF backdoor that offers persistence capabilities and is activated by means of a magic packet. Source code overlaps have been identified between SEASPY and an open source backdoor called cd00r.
  • SEASIDE – A Lua-based module for bsmtpd that establishes reverse shells via SMTP HELO/EHLO commands sent from the malware’s command-and-control (C2) server.

(hxxps://thehackernews.com/2023/05/alert-hackers-exploit-barracuda-email.html)

While the investigation into this vulnerability continues, Barracuda has disclosed the following information:

  • The vulnerability existed in a module that initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified.
  • The earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.
  • Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances.
  • Malware identified on a subset of appliances allowing for persistent backdoor access.
  • Evidence of data exfiltration was identified on a subset of impacted appliances.

(hxxps://www.barracuda.com/company/legal/esg-vulnerability)

DefenseStorm Response 

DefenseStorm has already identified and uploaded numerous IOCs related to this vulnerability into its ThreatMatch Feed. We are currently investigating additional IOCs/IOAs that are related to this incident and will upload any discovered accordingly.

Sources:

  1. hxxps://thehackernews.com/2023/05/alert-hackers-exploit-barracuda-email.html
  2. hxxps://www.barracuda.com/company/legal/esg-vulnerability

Desrah Kraft

Cyber Threat Intelligence Engineer

Desrah Kraft is a Cyber Threat Intelligence Engineer at DefenseStorm. For the past three years, she has played a vital role in leading and contributing to various Incident Response efforts. Before transitioning into cybersecurity, Desrah obtained a bachelor’s degree from Mitchell College and worked for 7 years in law enforcement. This experience helped her cultivate a comprehensive understanding of security principles and investigative practices. An accomplished cybersecurity professional with 4 years of hands-on experience in analyzing malware and extensive expertise in safeguarding digital landscapes against malicious threats, Desrah possesses an unparalleled ability to dissect complex cyber threats, identify their origins, and implement effective countermeasures. Additionally, she holds multiple MITRE certifications, which demonstrate her mastery of advanced threat detection and mitigation techniques. Recognized for her keen eye for anomalies and proactive approach, Desrah excels in Endpoint Detection and Response (EDR), enabling rapid identification, investigation, and containment of potential breaches. Committed to continuous growth and learning, Desrah remains at the forefront of cybersecurity, dedicated to fortifying digital infrastructures and inspiring others in the field.