Critical Barracuda 0-day used to Backdoor Networks for 8 Months

upnorth

A critical vulnerability patched 10 days ago in widely used email software from IT security company Barracuda Networks has been under active exploitation since October. The vulnerability has been used to install multiple pieces of malware inside large organization networks and steal data, Barracuda said Tuesday.

The software bug, tracked as CVE-2023-2868, is a remote-command injection vulnerability that stems from incomplete input validation of user-supplied .tar files, which are used to pack or archive multiple files. When file names are formatted in a particular way, an attacker can execute system commands through the QX operator, a function in the Perl programming language that handles quotation marks. The vulnerability is present in the Barracuda Email Security Gateway versions 5.1.3.001 through 9.2.0.006; Barracuda issued a patch 10 days ago. On Tuesday, Barracuda notified customers that CVE-2023-2868 has been under active exploitation since October in attacks that allowed threat actors to install multiple pieces of malware for use in exfiltrating sensitive data out of infected networks. “Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take,” Tuesday’s notice stated. “Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation.”

Malware identified to date includes packages tracked as Saltwater, Seaside, and Seaspy. Saltwater is a malicious module for the SMTP daemon (bsmtpd) that the Barracuda ESG uses. The module contains backdoor functionality that includes the ability to upload or download arbitrary files, execute commands, and provide proxy and tunneling capabilities. Seaside is an x64 executable in ELF (executable and linkable format), which stores binaries, libraries, and core dumps on disks in Linux and Unix-based systems. It provides a persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter for capturing data packets flowing through a network and performing various operations. Seaside monitors tracking on port 25, which is used for SMTP-based email. It can be activated using a “magic packet” that’s known only to the attacker but appears innocuous to all others.
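An added example (not code from the post, from Barracuda, or from the ESG product), written from the defender's side: the validation a .tar-handling pipeline should apply to member names before any name is interpolated into a command string such as Perl's qx, run here over a constructed in-memory archive; the allowlist, the helper names and the sample file names are assumptions.

```python
import io
import re
import tarfile

# Allowlist for member names: path segments built only from characters that can
# never change the meaning of a command string. Everything else is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._\-/]+$")
# Shell metacharacters that must never reach qx/system/shell=True; reported
# separately so a log line shows *why* a name was refused.
SHELL_META = re.compile(r"[;&|`$()<>\n\t '\"\\]")


def check_member_name(name: str) -> list[str]:
    """Return the reasons a tar member name is unsafe (empty list == acceptable)."""
    reasons = []
    if not name or len(name) > 255:
        reasons.append("empty or overlong name")
    if name.startswith("/") or ".." in name.split("/"):
        reasons.append("absolute or traversal path")
    if SHELL_META.search(name):
        reasons.append("shell metacharacter")
    if not SAFE_NAME.match(name):
        reasons.append("character outside allowlist")
    return reasons


def scan_tar(data: bytes) -> dict[str, list[str]]:
    """Map each offending member name to its findings; clean names are omitted."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            reasons = check_member_name(member.name)
            if reasons:
                findings[member.name] = reasons
    return findings


def build_sample_tar(names):
    """Constructed sample archive (not a real capture): one empty file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# Two benign names, one with shell metacharacters, one with path traversal.
SAMPLE = build_sample_tar(["invoice-2023.pdf", "q1/report.docx",
                           "notes;`x`.txt", "../etc/passwd.txt"])

if __name__ == "__main__":
    for name, reasons in scan_tar(SAMPLE).items():
        print(f"REJECT {name!r}: {', '.join(reasons)}")
```

The point of the allowlist is that it is applied before extraction or any command is built, so a rejected archive never reaches the code path that would have interpolated its names.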
 

upnorth

Despite pushing out patches addressing vulnerabilities in its Email Security Gateway (ESG) appliances in May, today Barracuda issued an urgent warning that all affected devices need to be taken offline and replaced immediately. The ESG remote command injection vulnerability, tracked under CVE-2023-2868, was already under active exploit since October 2022, Barracuda said in its initial May 30 disclosure. A patch was released on May 20, but by June 6 it was determined the patch and subsequent script pushed out to counter unauthorized access weren't enough to secure impacted ESG devices, according to the advisory.

"Impacted ESG appliances must be immediately replaced regardless of patch version level," Barracuda warned its customers in an update. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG." Barracuda determined some infected devices maintained persistent backdoor access, with some presenting evidence of data exfiltration, even after patching.
 

[correlate]

A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022.
"UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," Google-owned Mandiant said in a new report published today, describing the group as "aggressive and skilled."
 

upnorth

IT security teams may find themselves soon underwater, so to speak, thanks to dangerous new malware dubbed "Submarine" that is zeroing in on a zero-day vulnerability in Barracuda's Email Security Gateway (ESG) appliances.

A China-nexus threat actor tracked as UNC4841 has been dropping multiple payloads on vulnerable Barracuda appliances over the past several months in an attempt to get around email security at targeted organizations - part of a seemingly unflagging cyber espionage campaign that likely stretches back to October. Submarine is one of four backdoors that researchers have observed being used in the cyberattacks so far. Austin Larsen, senior incident response consultant with Mandiant, says Submarine (aka Depthcharge) is different and distinct from the other three backdoors in that it specifically obtains root privileges on an SQL database on Barracuda ESG appliances, and only on "priority" victims.
 

Freki123

It seems you better start looking for another brand to buy :D

Through an investigation of the Barracuda ESG appliance compromise, the FBI discovered additional indicators of compromise as well as independently verified many of the indicators of compromise in the public domain. Barracuda customers should remove all ESG appliances immediately. The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.

Internet Crime Complaint Center (IC3) | Home Page (no direct linking possible, sorry).
hXXps://www.ic3.gov/Media/News/2023/230823.pdf - FBI warning about it
 

[correlate]

The U.S. Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups.
 
