The Federal Bureau of Investigation (FBI) has issued a warning regarding the ongoing risk posed to Barracuda Networks Email Security Gateway (ESG) appliances, despite recent patches deployed in response to a critical vulnerability. This advisory indicates that while Barracuda has addressed the flaw, the devices remain susceptible to exploitation by suspected Chinese hacking groups.
The FBI has classified the patches as "ineffective," noting that active intrusions persist and that all affected Barracuda ESG appliances should therefore be considered compromised. The vulnerability, tracked as CVE-2023-2868, carries a CVSS score of 9.8, and reports suggest it may have been weaponized as early as October 2022, seven months before the official patch was applied. Mandiant, the Google-owned security firm, tracks the responsible actor as UNC4841 and describes its operations as sophisticated and aggressive.
The flaw is a remote command injection vulnerability affecting ESG versions 5.1.3.001 through 9.2.0.006; it allows unauthorized execution of system commands with administrator privileges. Through these breaches, attackers have been observed deploying several malware families, including SALTWATER, SEASIDE, and SUBMARINE, which provide command execution and help evade security controls.
According to the FBI, the adversaries exploited this vulnerability to implant malicious payloads on ESG appliances, giving them persistent access and the ability to scan email, harvest credentials, and exfiltrate data. The aggressive behaviour of UNC4841 points to a deliberate strategy for maintaining access to high-value targets.
In light of these ongoing threats, the FBI recommends that organizations immediately isolate and replace any affected ESG devices, as well as conduct comprehensive scans of their networks for suspicious outbound communications. Ignoring these recommendations could leave businesses vulnerable to continued exploitation and data breaches.
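To act on the version range above and the FBI's isolate-and-replace guidance, the following inventory check is an added example (not Barracuda's or the FBI's tooling); the hostnames, the `earliest_version` field and the inventory records are constructed for illustration.

```python
"""Flag Barracuda ESG appliances that ran a build in the CVE-2023-2868
affected range (5.1.3.001 through 9.2.0.006, inclusive).

Added example for this article; the inventory records are constructed."""
from typing import List, Tuple

AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted ESG version such as '9.2.0.006' into a tuple of ints.

    Comparing tuples rather than strings avoids the lexicographic trap in
    which '10.0.0.001' < '9.2.0.006' would wrongly read as an older build;
    zero-padded components such as '006' parse to 6."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed ESG version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside the CVE-2023-2868 range, inclusive."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def flag_appliances(inventory: List[dict]) -> List[str]:
    """Return hostnames that should be isolated and replaced.

    'earliest_version' is an assumed inventory field: the lowest build the
    appliance has run since the flaw was first exploited. The FBI treats
    exposed appliances as compromised even after patching, so the check
    keys on past exposure as well as the current build."""
    flagged = []
    for rec in inventory:
        if is_affected(rec["earliest_version"]) or is_affected(rec["current_version"]):
            flagged.append(rec["hostname"])
    return flagged


# Constructed inventory records for illustration only.
SAMPLE_INVENTORY = [
    {"hostname": "esg-01.example.test", "earliest_version": "9.1.0.001", "current_version": "9.2.0.006"},
    {"hostname": "esg-02.example.test", "earliest_version": "9.2.0.006", "current_version": "9.2.1.001"},
    {"hostname": "esg-03.example.test", "earliest_version": "10.0.0.001", "current_version": "10.0.0.001"},
    {"hostname": "esg-04.example.test", "earliest_version": "5.1.3.001", "current_version": "5.1.3.001"},
]

if __name__ == "__main__":
    for host in flag_appliances(SAMPLE_INVENTORY):
        print(f"ISOLATE AND REPLACE: {host}")
```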
Barracuda Networks has responded to the incident by advising impacted customers to replace their compromised appliances as part of their containment approach. The company indicated that those who receive a user interface notification or have been contacted by their support team should reach out to Barracuda for appliance replacement at no cost. They have already begun notifying affected clients and have reiterated that only a select number of ESG appliances have been compromised.
In MITRE ATT&CK terms, the techniques at play include initial access through exploitation of the vulnerability, persistence through malware deployed for ongoing access, and privilege escalation through the unauthorized command execution the flaw enables. Organizations should remain vigilant and proactive in addressing these issues to strengthen their defenses against evolving threats.