Barracuda Email Security Gateway Application (ESG) Vulnerability- CVE-2023-2868

Defensestorm is aware of the recent disclosure of the Barracuda Email Security Gateway Application (ESG) Vulnerability and has been actively monitoring for potential Indications of Compromise.

As discussed, guidance by Barracuda was released on May 31, 2023, and reiterated on June 6, 2023, they recommend immediate replacement of compromised ESG appliances, regardless of patch level.

If you have not replaced your appliance after receiving notice of compromise in your Barracuda UI, contact Barracuda support (support@barracuda.com).

For additional information about this vulnerability, please reference the following page:

• hxxps://www.barracuda.com/company/legal/esg-vulnerability

Summary 

Barracuda disclosed that a patched zero-day flaw has been abused by threat actors since October 2022 to backdoor the devices via the Email Security Gateway (ESG) appliances. This flaw, identified as affected versions 5.1.3.001 through 9.2.0.006, could allow an attacker to remotely achieve code execution on susceptible installs. Barracuda released patches on May 20th and May 21st.

 According to Barracuda’s updated advisory, CVE-2023-2868 “was utilized to obtain unauthorized access to a subset of ESG appliances” (hxxps://www.barracuda.com/company/legal/esg-vulnerability). To date, there have been three malware strains discovered: Saltwater, Seaspy, and Seaside.

• SALTWATER – A trojanized module for the Barracuda SMTP daemon (bsmtpd) that’s equipped to upload or download arbitrary files, execute commands as well as proxy and tunnel malicious traffic to fly under the radar. 
• SEASPY – An x64 ELF backdoor that offers persistence capabilities and is activated by means of a magic packet. Source code overlaps have been identified between SEASPY and an open source backdoor called cd00r.  
• SEASIDE – A Lua based module for bsmtpdestablish reverse shells via SMTP HELO/EHLO commands sent via the malware’s command-and-control (C2) server.  

(hxxps://thehackernews.com/2023/05/alert-hackers-exploit-barracuda-email.html)

  While the investigation into this vulnerability continues, Barracuda has disclosed the following  information:

• The vulnerability existed in a module that initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified. 
• The earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022. 
• Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances.  
• Malware identified on a subset of appliances allowing for persistent backdoor access 
• Evidence of data exfiltration was identified on a subset of impacted appliances. 

(httxs://www.barracuda.com/company/legal/esg-vulnerability)

DefenseStorm Response 

DefenseStorm has already identified and uploaded numerous IOCs related to this vulnerability into its ThreatMatch Feed. We are currently investigating additional IOCs/IOAs that are related to this incident and will upload any discovered accordingly.

Sources:

1. hxxps://thehackernews.com/2023/05/alert-hackers-exploit-barracuda-email.html
2. hxxps://www.barracuda.com/company/legal/esg-vulnerability
3. hxxp://www.barracuda.com/company/legal/esg-vulnerability