Pierluigi Paganini
August 25, 2023
The Federal Bureau of Investigation warned that security patches for critical vulnerability CVE-2023-2868 in Barracuda Email Security Gateway (ESG) are “ineffective.” According to the feds, threat actors are still hacking the patched appliances in ongoing hacking campaigns.
At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.
The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening, the issue was discovered on May 19 and the company fixed it with the release of two security patches on May 20 and 21.
Threat actors exploited the flaw CVE-2023-2868 to obtain unauthorized access to a subset of ESG appliances. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances allowing for persistent backdoor access.
The company confirmed that the CVE-2023-2868 was first exploited in October 2022.
The families of malware employed in the attacks are:
In early June the company urged customers to immediately replace the ESG appliances, regardless of patch version level.
“Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).” urges the company. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
On May 28, US Cybersecurity and Infrastructure Security Agency (CISA) added a recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities Catalog.
CISA has since shared technical details about Submarine and Whirlpool malware families that were employed in attacks exploiting the above flaw.
Mandiant researchers linked the threat actor UNC4841 to the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China.
According to Mandiant, starting as early as October 10, 2022, the UNC4841 group sent spear-phishing emails to victim organizations. The email contained a weaponized attachment crafted to exploit the flaw CVE-2023-2868 to access vulnerable Barracuda ESG appliances.
Once compromised the ESG device, UNC4841 was observed stealing specific data of interest, and in some cases, the attackers used the access to the appliance for lateral movement, or to send mail to other victim appliances. The threat actors also deployed additional tools to maintain a presence on ESG appliances.
Today FBI published a new alert on the attacks exploiting this flaw, urging Barracuda’s customers to isolate and replace compromised appliances.
“The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.” states the alert published by the FBI. “In addition, customers should further investigate for any further compromise by conducting scans for outgoing connections using the list of indicators provided as the malicious cyber actors have demonstrated the ability to compromise email accounts and computer networks, as well as maintain persistence in victim networks for continued future operations and data exfiltration.”
The FBI also recommends Barracuda customers to scan their networks for potential additional compromise. The experts suggest to check outbound connections to IPs in the list of indicators of compromise (IOCs) shared in the advisory.
The alert also urges those who used enterprise-privileged credentials with their Barracuda appliances to revoke and rotate them to prevent that attackers can maintain persistence in compromised networks.
Below are the investigation steps recommended by FBI:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Barracuda ESG)
