Barracuda, a network and email security firm, has announced that a recently patched zero-day vulnerability had been exploited for a minimum of seven months to backdoor customers' Email Security Gateway (ESG) appliances with custom malware and steal data. According to the company, an ongoing investigation discovered that the vulnerability (tracked as CVE-2023-2868) was first exploited in October 2022 to gain access to a subset of ESG appliances and deploy backdoors designed to provide the attackers with persistent access to the compromised systems. Barracuda also found evidence that the threat actors stole information from the backdoored ESG appliances.
The security flaw was identified on May 19, one day after Barracuda was alerted to suspicious traffic from ESG appliances and enlisted the help of cybersecurity firm Mandiant for the investigation. The company addressed the issue on May 20 by applying a security patch to all ESG appliances and blocked the attackers' access to the compromised devices the following day with a dedicated script. On May 24, Barracuda warned customers that their ESG appliances might have been breached using the now-patched zero-day bug, advising them to investigate their environments, likely to ensure the attackers did not move laterally to other devices on their networks.
In a statement, Barracuda said, "A series of security patches are being deployed to all appliances in furtherance of our containment strategy. Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers." The Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-2868 flaw to its list of known exploited vulnerabilities on Friday, presumably as a warning to federal agencies using ESG appliances to check their networks for signs of intrusions stemming from their compromise.
During the investigation, several previously unknown malware strains were discovered, specifically designed to be used on compromised Email Security Gateway products. The first, called Saltwater, is a trojanized Barracuda SMTP daemon (bsmtpd) module that provides attackers with backdoor access to infected appliances. Its features include the ability to execute commands on compromised devices, transfer files, and proxy/tunnel the attackers' malicious traffic to help evade detection. Another malware strain deployed during this campaign, named SeaSpy, provides persistence and can be activated using "magic packets." SeaSpy monitors port 25 (SMTP) traffic, and some of its code overlaps with the publicly available cd00r passive backdoor. The threat actors also used a malicious bsmtpd module called SeaSide to establish reverse shells via SMTP HELO/EHLO commands sent through the malware's command-and-control (C2) server.
Barracuda advises customers to check that their ESG appliances are up to date, stop using breached appliances and request a new virtual or hardware appliance, rotate all credentials linked to hacked appliances, and check their network logs for the IOCs shared today and for connections from unknown IPs. The company states that its products are used by over 200,000 organizations, including high-profile companies like Samsung, Delta Airlines, Mitsubishi, and Kraft Heinz.
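As an added illustration of the log review Barracuda recommends, and of why the SeaSide HELO/EHLO abuse described above matters to defenders, the following script is example code written for this page; it is not Barracuda's, Mandiant's, or the article's own tooling. It applies two of the checks the article names to SMTP connection logs: it flags port-25 connections from IP addresses outside a known-good allowlist ("connections from unknown IPs") and flags HELO/EHLO arguments that do not look like hostnames or address literals. The log line format, the allowlist, and the sample lines are all constructed for this example; the actual IOCs Barracuda published are not reproduced in the article and would need to be added to the allow/deny logic from the vendor's advisory.

```python
"""
Added example: triage of constructed SMTP gateway log lines for two of the
checks described in the article. Not code from Barracuda, Mandiant, or the
article; the log format and allowlist below are assumptions for illustration.
"""
import ipaddress
import re

# Assumed (constructed) log format:
#   "<timestamp> <src_ip>:<src_port> -> :<dst_port> <SMTP verb> <argument>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+:(?P<dport>\d+)\s+"
    r"(?P<verb>\S+)\s*(?P<arg>.*)$"
)

# Hostname shape: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_known_source(ip, allowlist):
    """True if ip falls inside any network in the known-good allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def helo_looks_suspicious(arg):
    """A HELO/EHLO argument should be a hostname or a bracketed address literal."""
    arg = arg.strip()
    if not arg:
        return True
    if arg.startswith("[") and arg.endswith("]"):
        try:
            ipaddress.ip_address(arg[1:-1])
            return False
        except ValueError:
            return True
    return HOSTNAME_RE.match(arg) is None


def triage(lines, allowlist):
    """Return (reason, src_ip, raw_line) findings for an analyst to review."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as findings
        if rec["dport"] == 25 and not is_known_source(rec["src"], allowlist):
            findings.append(("unknown-source-ip", rec["src"], line))
        if rec["verb"].upper() in ("HELO", "EHLO") and helo_looks_suspicious(rec["arg"]):
            findings.append(("odd-helo-argument", rec["src"], line))
    return findings


# Constructed sample data: 192.0.2.0/24 plays the role of a known mail peer.
SAMPLE_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_LOG = [
    "2023-05-19T10:00:01Z 192.0.2.10:51000 -> :25 EHLO mail.partner.example",
    "2023-05-19T10:00:02Z 192.0.2.10:51000 -> :25 MAIL FROM:<a@partner.example>",
    "2023-05-19T10:03:17Z 198.51.100.7:40211 -> :25 EHLO mx.other.example",
    "2023-05-19T10:05:44Z 203.0.113.9:40212 -> :25 HELO not a hostname!!",
    "2023-05-19T10:06:00Z 192.0.2.11:51001 -> :25 HELO [192.0.2.11]",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for reason, ip, line in triage(SAMPLE_LOG, SAMPLE_ALLOWLIST):
        print(f"{reason:20} {ip:15} {line}")
```

Run against the constructed sample, the script reports the unknown 198.51.100.7 peer once and the 203.0.113.9 connection twice (unknown source and malformed HELO), while the known peer's bracketed address literal is accepted. An unknown source IP is a triage lead rather than proof of compromise, since legitimate mail arrives from addresses no allowlist anticipates; the HELO check is the more specific signal here, because the article ties SeaSide's reverse shell to HELO/EHLO traffic.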