FBI Declares Barracuda ESG Zero-Day Patches Ineffective
August 24, 2023
The Federal Bureau of Investigation (FBI) has stated that the patches Barracuda released in May for an exploited ESG zero-day vulnerability were ineffective. The vulnerability, identified as CVE-2023-2868, affects Barracuda ESG versions from 5.1.3.001 to 9.2.0.006 and has been exploited as a zero-day since October 2022. The FBI has advised organizations to immediately disconnect all ESG appliances due to the ongoing attacks.
The cyberespionage group UNC4841, believed to be sponsored by the Chinese state, was identified by Mandiant in June as the group behind the attacks exploiting CVE-2023-2868. The Cybersecurity and Infrastructure Security Agency (CISA) has since July released several analysis reports detailing the payloads and malware families used in these attacks.
The FBI has now issued a warning that the vulnerability is still being exploited, and that ESG appliances running Barracuda's patches remain at risk. The FBI has strongly advised that all affected ESG appliances be isolated and replaced immediately, and that all networks be scanned for connections to the indicators of compromise it has provided.
The vulnerability in question affects the email scanning functionality of Barracuda ESG, allowing adversaries to exploit it by sending emails with crafted TAR file attachments, triggering a command injection. The threat actors have deployed various types of malware on the affected ESG appliances, enabling them to scan emails, harvest credentials, exfiltrate data, and maintain persistent access. In some cases, the compromised ESG has been used for lateral movement within the victim's network, or to send malicious emails to other appliances.
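The command injection described above is triggered by a crafted TAR attachment, so a gateway-side check that inspects the archive before any scanning logic touches it is one detection control a defender can add. The following is an added example, not Barracuda's code or Mandiant's detection content: it parses a TAR attachment with Python's standard `tarfile` module and flags member names containing shell metacharacters (the metacharacter set and the quarantine policy are assumptions for this example, and the sample archives are constructed inline).

```python
import io
import re
import tarfile

# Heuristic assumption for this example: characters that can alter a command
# line if an archive member name is ever interpolated into one unsafely.
SHELL_META = re.compile(r"[`$|;&<>(){}\n]")


def suspicious_members(tar_bytes):
    """Return member names in a TAR attachment that contain shell metacharacters.

    A blob that is not a readable TAR returns [] here; whether to quarantine
    unreadable archives is a separate policy decision.
    """
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
            return [m.name for m in tar.getmembers() if SHELL_META.search(m.name)]
    except tarfile.TarError:
        return []


def should_quarantine(tar_bytes):
    """Gateway decision: hold the message if any member name looks crafted."""
    return bool(suspicious_members(tar_bytes))


def build_sample_tar(names):
    """Constructed sample archive (one empty file per name) for offline testing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_tar(["report.pdf", "docs/summary.txt"])
    crafted = build_sample_tar(["invoice.pdf", "report$(placeholder).pdf"])
    print("benign:", suspicious_members(benign))    # []
    print("crafted:", suspicious_members(crafted))  # ['report$(placeholder).pdf']
```

Because the check runs on the archive headers only, it is cheap enough to apply to every inbound TAR and logs the offending member name for triage rather than relying on post-exploitation indicators.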
The FBI has emphasized that the patches released by Barracuda in response to this vulnerability were ineffective and considers all affected Barracuda ESG appliances to be compromised and vulnerable. The agency advises organizations to not only scan the appliance itself for indicators of compromise but also scan for outgoing connections, review email logs, rotate credentials, revoke and reissue associated certificates, review network logs, and monitor the entire network for abnormal activity.
Mandiant CEO Kevin Mandia confirmed that UNC4841 has changed its tactics since the initial report on this activity. He said, "Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868. This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide." He further added that these types of attacks highlight a significant shift in tradecraft from China-nexus threat actors, especially as they become more selective in their follow-on espionage operations.