CyberSecurity SEE

Hackers Exploiting Barracuda ESG Zero-Day Flaw Persist


A recent zero-day vulnerability in Barracuda Networks Email Security Gateway (ESG) appliances has sparked concern among cybersecurity experts. The vulnerability, known as CVE-2023-2868, is a remote command injection vulnerability that allows unauthorized execution of system commands with administrator privileges on Barracuda ESG appliances.

This particular vulnerability affects ESG versions 5.1.3.001-9.2.0.006 in the appliance form factor. It is exploited during the email attachment screening process. Cyber attackers can format TAR file attachments in a specific manner and send them to an email address in a domain that is protected by an ESG appliance. When the appliance processes these malicious attachments during screening, they trigger a command injection that enables the execution of commands on the ESG with the appliance's own privileges.

Evidence of exploitation of Barracuda ESG appliances by suspected People’s Republic of China (PRC) cyber actors emerged in October 2022. These cyber actors used emails with malicious attachments to target victims. Initially, the attachments had “.tar” extensions, but they later evolved to other formats such as “.jpg” or “.dat.” Once the attachments were scanned, they opened a connection to a domain or IP address controlled by the attackers, providing a reverse shell that allowed further commands to be run on the ESG device.

After compromising the ESG appliances, the attackers injected various malicious payloads to gain persistent access, scan emails, harvest credentials, and exfiltrate data. What makes the situation even more concerning is that exploited ESG appliances remain at risk even after patches have been applied. As a result, the FBI is urging immediate isolation and replacement of affected ESG appliances.

The suspected PRC cyber actors used advanced techniques, including counter-forensics, which makes detection challenging for organizations. To identify potential compromises, networks must be scanned for connections that match the indicators of compromise provided by the FBI. Based on its investigation, the FBI has released a list of domains and IP addresses the attackers used for malicious activity.

In response to this vulnerability, the FBI's cyber division has published recommended mitigations for Barracuda users. These include the immediate removal of all ESG appliances, scanning for outgoing connections using the provided indicators, investigating and revoking compromised credentials, revoking and reissuing certificates that were present on the appliance during the compromise, closely monitoring the entire network for signs of data exfiltration and lateral movement, and capturing forensic images for thorough analysis.
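The scan for outgoing connections that the FBI guidance calls for can be automated against firewall or proxy logs. The script below is an added example and is not code from Barracuda, the FBI, or the article; the indicator values in it are placeholders (RFC 5737 documentation addresses and .example names) to be replaced with the domains and IPs from the FBI's published list, and the log format ("timestamp src=... dst=... dport=...") is a constructed one to stand in for whatever your perimeter devices emit. It matches IP destinations exactly and hostname destinations by label-aligned suffix, so a subdomain of an indicator domain is flagged but a look-alike name that merely ends in the same characters is not.

```python
"""Scan outbound-connection log lines for matches against an IoC list.

Added example, not Barracuda's or the FBI's code. Indicators below are
placeholders; substitute the FBI-published domains and IP addresses.
"""
import ipaddress
import re

# Placeholder indicators (labelled as such); replace with the FBI's list.
IOC_DOMAINS = {"ioc-placeholder-1.example", "ioc-placeholder-2.example"}
IOC_IPS = {"192.0.2.10", "198.51.100.25"}

# Constructed sample log lines in an assumed "ts src= dst= dport=" format.
# Lines 3 and 4 should be flagged; line 5 is a look-alike that must not be;
# line 6 is malformed and should be reported as unparsed.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z src=10.0.0.5 dst=update.vendor.example dport=443
2023-06-01T10:00:07Z src=10.0.0.5 dst=203.0.113.9 dport=25
2023-06-01T10:01:15Z src=10.0.0.5 dst=c2.ioc-placeholder-1.example dport=443
2023-06-01T10:02:30Z src=10.0.0.5 dst=192.0.2.10 dport=8080
2023-06-01T10:03:00Z src=10.0.0.5 dst=mail.ioc-placeholder-1.example.org dport=443
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def normalize_host(value):
    """Lowercase a destination and strip a trailing dot; None if empty."""
    value = value.strip().lower().rstrip(".")
    return value or None


def match_indicator(dst, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return the indicator that dst matches, or None.

    IP addresses are compared in canonical form; hostnames match an
    indicator domain exactly or as a label-aligned subdomain of it.
    """
    host = normalize_host(dst)
    if host is None:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat as a hostname.
        for ioc in ioc_domains:
            if host == ioc or host.endswith("." + ioc):
                return ioc
        return None
    return str(ip) if str(ip) in ioc_ips else None


def scan_log(text, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return (hits, unparsed).

    hits: list of (line_no, timestamp, src, dst, matched_indicator)
    unparsed: line numbers that did not fit the expected format, so an
    analyst can see what the scan could not evaluate.
    """
    hits, unparsed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line_no)
            continue
        ioc = match_indicator(m["dst"], ioc_domains, ioc_ips)
        if ioc is not None:
            hits.append((line_no, m["ts"], m["src"], m["dst"], ioc))
    return hits, unparsed


if __name__ == "__main__":
    found, bad = scan_log(SAMPLE_LOG)
    for line_no, ts, src, dst, ioc in found:
        print(f"line {line_no}: {ts} {src} -> {dst} matches indicator {ioc}")
    if bad:
        print("unparsed lines:", bad)
```

Run it as-is to see the two constructed hits, then point `scan_log` at real export text and swap the placeholder sets for the published indicators. Reporting unparsed lines separately matters in an incident review: a silent parse failure would look the same as "no match."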

The discovery of the zero-day vulnerability in Barracuda Networks Email Security Gateway appliances has raised awareness about the potential risks faced by organizations relying on this technology. It serves as a reminder of the importance of regularly updating and patching systems to protect against emerging threats. By following the recommended mitigations and staying informed about the latest cybersecurity news, organizations can enhance their security posture and stay one step ahead of cyber attackers.
