Alert: Hackers Exploit 0-Day Vulnerability in Barracuda Email Security Gateway for Seven Months

Barracuda Networks Discloses Zero-Day Vulnerability Exploited Since October 2022

On Tuesday, Barracuda Networks, a prominent player in enterprise security, revealed that a critical zero-day vulnerability within its Email Security Gateway (ESG) appliances has been exploited by threat actors since October 2022. This significant security flaw allowed unauthorized access to systems and potentially led to persistent backdoor access, affecting numerous organizations.

The vulnerability, cataloged as CVE-2023-2868, has a history of exploitation that predates its identification, with recent findings indicating that it was actively used for approximately seven months before it came to the attention of Barracuda on May 19, 2023. The security flaw impacts versions 5.1.3.001 through 9.2.0.006 of Barracuda’s ESG. Subsequent patches were released promptly on May 20 and May 21, as the company sought to mitigate the risk. However, the ongoing investigation raises fears that numerous organizations could remain vulnerable.
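The affected range quoted above is the kind of fact a defender turns straight into an inventory check. The following is an added example, not Barracuda's tooling or code from the original article: it parses the four-part ESG version strings, compares them against the 5.1.3.001 through 9.2.0.006 range inclusively, and flags appliances in a constructed inventory that still run an affected build. The hostnames and the firmware values in `INVENTORY` are made up for illustration.

```python
"""Flag ESG appliances whose firmware falls in the range the advisory
reports as affected by CVE-2023-2868 (5.1.3.001 through 9.2.0.006).

Added example; the inventory below is constructed, not real data."""

from typing import Dict, List, Tuple

AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted ESG version into integer components.

    Zero-padded parts such as '006' compare as 6, so '9.2.0.6' and
    '9.2.0.006' are treated as the same build rather than as different
    strings, which a naive string comparison would get wrong.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ESG version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected range, inclusive."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


# Constructed inventory: hostname -> firmware version reported by the appliance
INVENTORY: Dict[str, str] = {
    "esg-hq-01": "9.2.0.006",      # last affected build
    "esg-branch-02": "9.2.0.007",  # first build above the affected range
    "esg-lab-03": "5.1.2.999",     # below the affected range
    "esg-dc-04": "7.0.1.005",      # inside the range
}


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return, in hostname order, the appliances still on an affected build."""
    return [host for host, ver in sorted(inventory.items()) if is_affected(ver)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: affected build {INVENTORY[host]}; patch and assess for compromise")
```

A version check only tells you which appliances were exposed. Because the exploitation window opened months before the fixes shipped, an appliance that now reports a patched build may already carry one of the backdoors described below, so every hit from `triage` should be followed by a compromise assessment, not just an update.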

Barracuda’s advisory notes that the exploited vulnerability provided an avenue for remote attackers to execute arbitrary code on affected installations. Malware analysis has confirmed that three distinct strains were deployed, with each exhibiting unique capabilities designed to target and compromise ESG appliances. One of the identified malware variants, known as SALTWATER, operates as a trojanized module that enables the uploading and downloading of arbitrary files while allowing the execution of commands and tunneling of malicious traffic undetected.

Another strain, SEASPY, serves as an x64 ELF backdoor, and it can maintain persistence on compromised systems, activated by a special signal known as a magic packet. Additionally, the SEASIDE malware functions as a Lua-based module designed to establish reverse shells via SMTP commands sent from the attacker’s command-and-control server.

Interestingly, a forensic analysis by Mandiant, a Google-owned cybersecurity firm, has revealed source code similarities between SEASPY and an open-source backdoor named cd00r. However, the specific responsible actor or threat group behind these attacks remains unidentified.

In response to the growing threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has incorporated this zero-day vulnerability into its Known Exploited Vulnerabilities (KEV) catalog. CISA has also advised federal agencies to implement the available patches by June 16, 2023, emphasizing the urgent need for protective measures.

While Barracuda has not disclosed the number of organizations impacted, the company has been proactive in reaching out to potentially affected users with mitigation guidance. The ongoing investigation indicates that further vulnerabilities may be uncovered as investigators delve deeper into the compromised systems.

Given the exploitation timeline and nature of the attack, various tactics from the MITRE ATT&CK framework may have been employed. These include initial access through exploitation, persistence via malicious code installations, and potential privilege escalation through unauthorized command executions. Business owners should stay vigilant and ensure that their systems are kept up to date in order to thwart such threats.
