Email and network security company Barracuda is urging customers to immediately replace their compromised Email Security Gateway (ESG) appliances, which were targeted in attacks exploiting a now-patched zero-day vulnerability. In an update to its initial advisory, the company stated: "Impacted ESG appliances must be immediately replaced regardless of patch version level." In other words, applying the patch is not considered sufficient remediation for an appliance that was already breached; Barracuda's current recommendation is full replacement of every affected ESG.
According to the company, customers whose ESGs were breached have already been notified through the user interface of the compromised devices. Customers who have not yet replaced their appliances are urged to contact Barracuda support by email without delay. This warning follows the patching of the critical Barracuda ESG remote command injection flaw, tracked as CVE-2023-2868, for which a fix was pushed remotely to all appliances on May 20. One day later, Barracuda deployed a dedicated script to the appliances to cut off the attackers' access to the devices they had compromised.
On May 24, Barracuda informed customers that their ESG appliances might have been breached via the CVE-2023-2868 bug and advised them to investigate their environments for signs of intrusion. A spokesperson for Barracuda was not immediately available for comment when asked for additional details on why a complete ESG replacement is necessary.
Before it was patched, the Barracuda ESG bug was exploited as a zero-day for at least seven months to backdoor customers' ESG appliances with custom malware and steal data. The company disclosed this one week ago, revealing that the vulnerability was first used in October 2022 to breach "a subset of ESG appliances" and install malware that gave the attackers persistent access to the compromised devices. The threat actors deployed the Saltwater malware to backdoor the infected appliances, and a malicious tool called SeaSide that watches the SMTP HELO/EHLO commands sent to the appliance and uses them as a trigger to establish reverse shells, giving the attackers remote access over a channel that looks like ordinary inbound mail traffic. They then used this access to steal information from the backdoored appliances.
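The page does not say what the SeaSide trigger value looks like, so the only thing a defender can lean on without that detail is the protocol itself: RFC 5321 requires the HELO/EHLO argument to be a domain name or a bracketed address literal, and a command-and-control channel riding on that argument has to carry something that is not one. The following Python is an added example written for this page, not a Barracuda or Mandiant tool; it scans a constructed SMTP session log (the `timestamp client verb argument` layout and the sample lines are assumptions made for illustration, not the appliance's real log format) and flags HELO/EHLO arguments that are not RFC 5321-shaped, grouping them by the reason they failed.

```python
import re
from typing import List, NamedTuple, Optional

# RFC 5321 shapes for the HELO/EHLO argument:
#   Domain          = label *("." label)           e.g. mail.example.net
#   address-literal = "[" IPv4 | "IPv6:" ... "]"   e.g. [192.0.2.1]
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*\.?$")
ADDR_LITERAL_RE = re.compile(
    r"^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$"
)

# Constructed sample log: one line per SMTP greeting, "<ts> <client-ip> <verb> <arg>".
# This layout is an assumption for the example, not the ESG's own log format.
SAMPLE_LOG = """\
2023-05-30T10:01:02Z 198.51.100.7 EHLO mail.example.net
2023-05-30T10:01:05Z 198.51.100.9 HELO smtp-out.example.org
2023-05-30T10:02:11Z 203.0.113.4 EHLO [203.0.113.4]
2023-05-30T10:03:44Z 203.0.113.77 EHLO 203.0.113.77:4444
2023-05-30T10:04:02Z 203.0.113.78 HELO Y2FsbGJhY2s9MjAzLjAuMTEzLjc4OjQ0NDQ=
2023-05-30T10:05:19Z 203.0.113.79 EHLO ;bash -i
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<verb>HELO|EHLO)\s+(?P<arg>.*)$"
)

SHELL_META_RE = re.compile(r"[\s;|&`$<>]")
IP_PORT_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}")
BASE64ISH_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


class Finding(NamedTuple):
    ts: str
    src: str
    verb: str
    arg: str
    reason: str


def classify_helo_arg(arg: str) -> Optional[str]:
    """Return None when arg is RFC 5321-shaped, otherwise a short reason it is not."""
    if not arg:
        return "empty argument"
    if DOMAIN_RE.match(arg) or ADDR_LITERAL_RE.match(arg):
        return None
    # Order matters: the most specific and most alarming patterns first.
    if SHELL_META_RE.search(arg):
        return "shell metacharacters"
    if IP_PORT_RE.fullmatch(arg):
        return "bare ip:port"
    if len(arg) >= 16 and BASE64ISH_RE.fullmatch(arg):
        return "looks base64-encoded"
    return "not a valid domain or address literal"


def scan_log(text: str) -> List[Finding]:
    """Parse greeting lines and return one Finding per non-conforming HELO/EHLO."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a greeting line; ignore
        reason = classify_helo_arg(m["arg"])
        if reason is not None:
            findings.append(Finding(m["ts"], m["src"], m["verb"], m["arg"], reason))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per reason, the shape an analyst wants for triage."""
    counts: dict = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.src} {h.verb} {h.arg!r}: {h.reason}")
    print(summarize(hits))
```

Two caveats apply. First, an unpadded base64 token made only of letters and digits is indistinguishable from a single hostname label, so this heuristic will miss a trigger encoded that way; a real hunt should baseline the distribution of HELO/EHLO arguments seen by the appliance over time and alert on new shapes rather than on syntax alone. Second, because the HELO/EHLO argument is client-controlled, any appliance that passes it to a shell or a logging pipeline unescaped is exactly the kind of sink a command injection reaches, which is why the `shell metacharacters` bucket is listed first.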
The Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2023-2868 to its Known Exploited Vulnerabilities catalog, warning federal agencies that operate ESG appliances to check their networks for evidence of a breach. Barracuda says its products are used by more than 200,000 organizations, including high-profile companies such as Samsung, Delta Airlines, Mitsubishi, and Kraft Heinz.