Barracuda zero-day abused since 2022 to drop new malware, steal data

Image: Bing Image Creator

Network and email security firm Barracuda today revealed that a recently patched zero-day vulnerability had been exploited for at least seven months to backdoor customers' Email Security Gateway (ESG) appliances with custom malware and steal data.

The company says an ongoing investigation found that the bug (tracked as CVE-2023-2868) was first exploited in October 2022 to gain access to "a subset of ESG appliances" and deploy backdoors designed to provide the attackers with persistent access to the compromised systems.

Barracuda also discovered evidence that the threat actors stole information from the backdoored ESG appliances.

The security flaw was identified on May 19, one day after being alerted of suspicious traffic from ESG appliances and hiring cybersecurity firm Mandiant to help with the investigation.

The company addressed the issue on May 20 by applying a security patch to all ESG appliances and blocked the attackers' access to the compromised devices one day later by deploying a dedicated script.

On May 24, it warned customers that their ESG appliances might have been breached using the now-patched zero-day bug, advising them to investigate their environments, probably to ensure the attackers move laterally to other devices on their network.

"A series of security patches are being deployed to all appliances in furtherance of our containment strategy," Barracuda also said today.

"Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers."

CISA added the CVE-2023-2868 flaw to its list of known exploited vulnerabilities on Friday, likely as a warning to federal agencies using ESG appliances to check their networks for signs of intrusions stemming from their compromise.

Custom-tailored malware deployed in the attack

Several previously unknown malware strains were found during the investigation, specifically designed to be used on compromised Email Security Gateway products.

The first, dubbed Saltwater, is a trojanized Barracuda SMTP daemon (bsmtpd) module that provides attackers backdoor access to infected appliances.

Its "features" include the ability to execute commands on compromised devices, transfer files, and proxy/tunnel the attackers' malicious traffic to help evade detection.

Another malware strain deployed during this campaign and dubbed SeaSpy provides persistence and can be activated using "magic packets." SeaSpy helps monitor port 25 (SMTP) traffic, and some of its code overlaps with the publicly available cd00r passive backdoor.

The threat actors also used a bsmtpd malicious module dubbed SeaSide to establish reverse shells via SMTP HELO/EHLO commands sent via the malware's command-and-control (C2) server.

Customers are advised to check if their ESG appliances are up-to-date, stop using breached appliances and request a new virtual or hardware appliance, rotate all credentials linked to hacked appliances, and check their network logs for IOCs shared today and for connections from unknown IPs.

Barracuda says its products are used by over 200,000 organizations, including high-profile companies like Samsung, Delta Airlines, Mitsubishi, and Kraft Heinz.