FBI: Patches for Barracuda ESG Zero-Day CVE-2023-2868 are ineffective

The FBI warned that patches for a critical Barracuda ESG flaw CVE-2023-2868 are “ineffective” and patched appliances are still being hacked.

The Federal Bureau of Investigation warned that security patches for critical vulnerability CVE-2023-2868 in Barracuda Email Security Gateway (ESG) are “ineffective.” According to the feds, threat actors are still hacking the patched appliances in ongoing hacking campaigns.

At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.

The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening, the issue was discovered on May 19 and the company fixed it with the release of two security patches on May 20 and 21.

Threat actors exploited the flaw CVE-2023-2868 to obtain unauthorized access to a subset of ESG appliances. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances allowing for persistent backdoor access.

The company confirmed that the CVE-2023-2868 was first exploited in October 2022.

The families of malware employed in the attacks are:

• SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary.
• SEASPY – An x64 ELF persistent backdoor masquerades as a legitimate Barracuda Networks service and posing itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”.
• SEASIDE is a module written in Lua for bsmtpd, it establishes a reverse shell via SMTP HELO/EHLO commands sent via the malware’s C2 server.

In early June the company urged customers to immediately replace the ESG appliances, regardless of patch version level.

“Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).” urges the company. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”

On May 28, US Cybersecurity and Infrastructure Security Agency (CISA) added a recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities Catalog.

CISA has since shared technical details about Submarine and Whirlpool malware families that were employed in attacks exploiting the above flaw.

Mandiant researchers linked the threat actor UNC4841 to the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China.

According to Mandiant, starting as early as October 10, 2022, the UNC4841 group sent spear-phishing emails to victim organizations. The email contained a weaponized attachment crafted to exploit the flaw CVE-2023-2868 to access vulnerable Barracuda ESG appliances.

Once compromised the ESG device, UNC4841 was observed stealing specific data of interest, and in some cases, the attackers used the access to the appliance for lateral movement, or to send mail to other victim appliances. The threat actors also deployed additional tools to maintain a presence on ESG appliances.

Today FBI published a new alert on the attacks exploiting this flaw, urging Barracuda’s customers to isolate and replace compromised appliances.

“The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.” states the alert published by the FBI. “In addition, customers should further investigate for any further compromise by conducting scans for outgoing connections using the list of indicators provided as the malicious cyber actors have demonstrated the ability to compromise email accounts and computer networks, as well as maintain persistence in victim networks for continued future operations and data exfiltration.”

The FBI also recommends Barracuda customers to scan their networks for potential additional compromise. The experts suggest to check outbound connections to IPs in the list of indicators of compromise (IOCs) shared in the advisory.

The alert also urges those who used enterprise-privileged credentials with their Barracuda appliances to revoke and rotate them to prevent that attackers can maintain persistence in compromised networks.

Below are the investigation steps recommended by FBI:

• Review email logs to identify the initial point of exposure;
• Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise;
• Revoke and reissue all certificates that were on the ESG at the time of compromise
• Monitor entire network for the use of credentials that were on the ESG at the time of compromise;
• Review network logs for signs of data exfiltration and lateral movement;
• Capture forensic image of the appliance and conduct a forensic analysis.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Barracuda ESG)