FBI Declares Barracuda ESG Zero-Day Patches Ineffective

August 24, 2023

The Federal Bureau of Investigation (FBI) has stated that the patches Barracuda released in May for an exploited ESG zero-day vulnerability were ineffective. The vulnerability, identified as CVE-2023-2868, affects Barracuda ESG versions from 5.1.3.001 to 9.2.0.006 and has been exploited as a zero-day since October 2022. The FBI has advised organizations to immediately disconnect all ESG appliances due to the ongoing attacks.

The cyberespionage group UNC4841, believed to be sponsored by the Chinese state, was identified by Mandiant in June as the group behind the attacks exploiting CVE-2023-2868. The Cybersecurity and Infrastructure Security Agency (CISA) has since July released several analysis reports detailing the payloads and malware families used in these attacks.

The FBI has now issued a warning that the vulnerability is still being exploited, with ESG appliances running the patches from Barracuda still at risk. The FBI has strongly advised that all affected ESG appliances be isolated and replaced immediately, and all networks be scanned for connections to the provided list of indicators of compromise.

The vulnerability in question affects the email scanning functionality of Barracuda ESG, allowing adversaries to exploit it by sending emails with crafted TAR file attachments, triggering a command injection. The threat actors have deployed various types of malware on the affected ESG appliances, enabling them to scan emails, harvest credentials, exfiltrate data, and maintain persistent access. In some cases, the compromised ESG has been used for lateral movement within the victim's network, or to send malicious emails to other appliances.

The FBI has emphasized that the patches released by Barracuda in response to this vulnerability were ineffective and considers all affected Barracuda ESG appliances to be compromised and vulnerable. The agency advises organizations to not only scan the appliance itself for indicators of compromise but also scan for outgoing connections, review email logs, rotate credentials, revoke and reissue associated certificates, review network logs, and monitor the entire network for abnormal activity.

Mandiant CEO Kevin Mandia confirmed that UNC4841 has changed its tactics since the initial report on this activity. He said, "Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868. This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide." He further added that these types of attacks highlight a significant shift in tradecraft from China-nexus threat actors, especially as they become more selective in their follow-on espionage operations.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.