Critical Barracuda 0-day used to Backdoor Networks for 8 Months

[upnorth]

Content source

https://arstechnica.com/information-technology/2023/05/critical-barracuda-0-day-was-used-to-backdoor-networks-for-8-months/

A critical vulnerability patched 10 days ago in widely used email software from IT security company Barracuda Networks has been under active exploitation since October. The vulnerability has been used to install multiple pieces of malware inside large organization networks and steal data, Barracuda said Tuesday.

The software bug, tracked as CVE-2023-2868, is a remote-command injection vulnerability that stems from incomplete input validation of user-supplied .tar files, which are used to pack or archive multiple files. When file names are formatted in a particular way, an attacker can execute system commands through the QX operator, a function in the Perl programming language that handles quotation marks. The vulnerability is present in the Barracuda Email Security Gateway versions 5.1.3.001 through 9.2.0.006; Barracuda issued a patch 10 days ago. On Tuesday, Barracuda notified customers that CVE-2023-2868 has been under active exploitation since October in attacks that allowed threat actors to install multiple pieces of malware for use in exfiltrating sensitive data out of infected networks. “Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take,” Tuesday’s notice stated. “Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation.”

Malware identified to date includes packages tracked as Saltwater, Seaside, and Seaspy. Saltwater is a malicious module for the SMTP daemon (bsmtpd) that the Barracuda ESG uses. The module contains backdoor functionality that includes the ability to upload or download arbitrary files, execute commands, and provide proxy and tunneling capabilities. Seaside is an x64 executable in ELF (executable and linkable format), which stores binaries, libraries, and core dumps on disks in Linux and Unix-based systems. It provides a persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter for capturing data packets flowing through a network and performing various operations. Seaside monitors tracking on port 25, which is used for SMTP-based email. It can be activated using a “magic packet” that’s known only to the attacker but appears innocuous to all others.

Critical Barracuda 0-day was used to backdoor networks for 8 months

Attackers then went on to steal data from infected systems.

arstechnica.com

 

[upnorth]

Despite pushing out patches addressing vulnerabilities in its Email Security Gateway (ESG) appliances in May, today Barracuda issued an urgent warning that all affected devices need to be taken offline and replaced immediately. The ESG remote command injection vulnerability, tracked under CVE-2023-2868, was already under active exploit since October 2022, Barracuda said in its initial May 30 disclosure. A patch was released on May 20, but by June 6 it was determined the patch and subsequent script pushed out to counter unauthorized access weren't enough to secure impacted ESG devices, according to the advisory.

"Impacted ESG appliances must be immediately replaced regardless of patch version level," Barracuda warned its customers in an update. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG." Barracuda determined some infected devices maintained persistent backdoor access, with some presenting evidence of data exfiltration, even after patching.

Barracuda Warns ESG Appliances Need Urgent Rip & Replace

Patching, wiping ESG devices not enough to deny threat actor access following compromise, Barracuda says.

www.darkreading.com

 

[[correlate]]

A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022.
"UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," Google-owned Mandiant said in a new report published today, describing the group as "aggressive and skilled."

Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway

Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway | Read more hacking news on The Hacker News cybersecurity news website and learn how to protect against cyberattacks and software vulnerabilities.

thehackernews.com

 

[upnorth]

IT security teams may find themselves soon underwater, so to speak, thanks to dangerous new malware dubbed "Submarine" that is zeroing in a zero-day vulnerability in Barracuda's Email Security Gateway (ESG) appliances.

A China-nexus threat actor tracked as UNC4841 has been dropping multiple payloads on vulnerable Barracuda appliances over the past several months in an attempt to get around email security at targeted organizations - part of a seemingly unflagging cyber espionage campaign that likely stretches back to October. Submarine is one of four backdoors that researchers have observed being used in the cyberattacks so far. Austin Larsen, senior incident response consultant with Mandiant, says Submarine (aka Depthcharge) is different and distinct from the other three backdoors in that it specifically obtains root privileges on an SQL database on Barracuda ESG appliances, and only on "priority" victims.

CISA: 'Submarine' Backdoor Torpedoes Barracuda Email Security

A China-nexus cyber-espionage campaign rages on with the fourth backdoor to surface in the wild that takes advantage of the CVE-2023-2868 zero-day security bug — with severe threat of lateral movement, CISA warns.

www.darkreading.com

 

[Freki123]

It seems you better start looking for a another brand to buy

Through an investigation of the Barracuda ESG appliance compromise, the FBI discovered additional indicators of compromise as well as independently verified many of the indicators of
compromise in the public domain. Barracuda customers should remove all ESG appliances immediately. The patches released by Barracuda in response to this CVE were ineffective.
The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.

Internet Crime Complaint Center(IC3) | Home Page No direct linking possible sorry.
hXXps://www.ic3.gov/Media/News/2023/230823.pdf FBI warning about it

 

[[correlate]]

The U.S. Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups.

Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches

Alert! FBI warns that the recent patches for Barracuda Networks Email Security Gateway are ineffective against a critical flaw.

thehackernews.com