Barracuda, the enterprise security company, has warned its customers that its Email Security Gateway (ESG) appliances have been affected by a newly disclosed zero-day exploit and has urged them to replace vulnerable appliances without delay. A patch was recently issued to stop the exploit from being used to backdoor ESG appliances; however, customers using impacted appliances are being advised to replace them even after patching. Barracuda identified the vulnerability, tracked as CVE-2023-2868, on May 19, 2023. It reportedly affects versions 5.1.3.001 through 9.2.0.006 and allows remote attackers to achieve code execution on susceptible installations.
Barracuda released patches on May 20 and May 21 for all ESG appliances worldwide, yet the company updated its advice to recommend full replacement of the impacted ESG appliance regardless of the patch status. “Impacted ESG appliances must be immediately replaced regardless of patch version level,” the company said in an update.
According to the company, three different malware strains have been discovered to date on a subset of appliances, giving the attackers persistent backdoor access. Evidence of data exfiltration was identified on a subset of impacted appliances, the company said in a previous update. The three strains, Saltwater, Seaspy, and Seaside, are all backdoor modules used in the data exfiltration. Saltwater and Seaside both target the Barracuda SMTP daemon (bsmtpd) and give the attacker the ability to upload and download arbitrary files, execute commands, and tunnel malicious traffic, while Seaspy is an x64 Executable and Linkable Format (ELF) backdoor that provides persistence and is activated by a magic packet (a remote trigger similar to a wake-on-LAN packet).
The Google-owned cybersecurity intelligence firm Mandiant, which is investigating the incident, has revealed source code overlaps between Seaspy and an open-source backdoor called cd00r. At the moment, the attacks have not yet been attributed to any known threat actor or group.
Barracuda has notified users via the ESG user interface of actions to take if their appliances were impacted and also reached out to these specific customers. The company has confirmed that no other Barracuda products, including their SaaS email security services, were subject to the vulnerability identified.
The vulnerability was found in a module that initially screens the attachments of incoming emails. As email attachments remain a common route for cyber-attackers, these attacks highlight yet again the importance of businesses keeping their security measures up to date. Businesses that do not promptly apply security patches risk far greater damage from data breaches and potentially more significant, long-term security threats.
In conclusion, Barracuda has advised its customers to replace impacted ESG appliances urgently, taking immediate action even on patched systems, because of the vulnerability CVE-2023-2868. The warning highlights the importance of businesses using robust, up-to-date cybersecurity measures to manage cyber risk and prevent data breaches. Meanwhile, cybersecurity intelligence firms continue to work to safeguard businesses from cybercriminals.
