Enterprise security firm Barracuda revealed on Tuesday that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances has been exploited by threat actors since October 2022 to backdoor the devices.
The flaw, which Barracuda identified on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to achieve code execution on a vulnerable installation. Barracuda describes it as a remote command injection stemming from incomplete sanitization of the file names inside .tar email attachments processed by the appliance. Patches were released by Barracuda on May 20 and May 21.
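The first thing a practitioner wants from the advisory is a reliable answer to "is my firmware in the affected range?" Dotted version strings with leading zeros (9.2.0.006) cannot be compared as plain strings, so the check below parses them numerically. This is an added example written for this article, not Barracuda tooling; the two range bounds are the ones the advisory gives, and every other version string in it is a constructed test input.

```python
"""Check whether a Barracuda ESG firmware version falls inside the range the
advisory lists as affected by CVE-2023-2868 (5.1.3.001 through 9.2.0.006).
Added example, not Barracuda code. Only the two bounds come from the advisory;
all other version strings used here are constructed inputs."""

from typing import Dict, Iterable, Tuple

AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted ESG version into a tuple of ints so each component is
    compared numerically. Plain string comparison gets leading zeros ("006")
    and "10.x" versus "9.x" wrong; this does not."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    nums = tuple(int(p) for p in parts)
    # Pad short strings to four components so "9.2" compares as 9.2.0.0
    if len(nums) < 4:
        nums = nums + (0,) * (4 - len(nums))
    return nums


def is_affected(version: str) -> bool:
    """True if version lies within [AFFECTED_MIN, AFFECTED_MAX], inclusive."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Label each appliance version as 'affected' or 'not in range'.
    Malformed strings are reported rather than silently skipped, because an
    appliance you cannot classify is one you have not cleared."""
    result = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "not in range"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed fleet inventory for illustration
    for ver, status in triage(["7.5.0.001", "9.2.0.006", "9.2.0.007", "5.1.2.999"]).items():
        print(f"{ver:>12}  {status}")
```

Because exploitation predates the May 2023 patch by roughly seven months, a version inside the range says the appliance was exposed, not that it is clean; treat such devices as potentially compromised and review them for the malware described in the advisory rather than stopping at "patched".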
“CVE-2023-2868 was used to gain unauthorized access to a subset of ESG equipment,” the email and network security firm said in an updated advisory.
“Malware was identified on the subset of equipment that allowed perpetual backdoor access. Evidence of data exfiltration was identified on the affected subset of equipment.”
Three different malware strains have been discovered to date:
- SALTWATER – A trojanized module for the Barracuda SMTP daemon (bsmtpd) that can upload or download arbitrary files, execute commands, and proxy or tunnel malicious traffic to evade detection.
- SEASPY – An x64 ELF backdoor that offers persistence and is activated by a magic packet.
- SEASIDE – A Lua-based module for bsmtpd that establishes a reverse shell via SMTP HELO/EHLO commands sent from the malware's command-and-control (C2) server.
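SEASIDE's use of HELO/EHLO as a command channel points at a cheap, generic check: per RFC 5321 the argument to HELO or EHLO is a hostname or a bracketed address literal, nothing else, so any SMTP log from an upstream relay or a network capture can be scanned for arguments that violate that grammar. The script below is an added example written for this article, not Barracuda or Mandiant tooling, and it is not a SEASIDE signature: the log format it parses and the log lines it contains are constructed for illustration, and the specific strings SEASIDE sends are not published on this page.

```python
"""Flag SMTP HELO/EHLO arguments that are not a syntactically valid hostname
or address literal (RFC 5321). Added example, not vendor code. The log line
format "<timestamp> <client-ip> <HELO|EHLO> <argument>" and the sample lines
below are constructed; they are not SEASIDE indicators."""

import re
from typing import Iterable, List, Tuple

# RFC 5321 Domain: dot-separated labels of letters, digits and hyphens
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# RFC 5321 address literals: [192.0.2.1] or [IPv6:2001:db8::1]
IPV4_LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")
IPV6_LITERAL_RE = re.compile(r"^\[IPv6:[0-9A-Fa-f:.]+\]$")

# Constructed log format used by this example
LOG_RE = re.compile(r"^(\S+) (\S+) (HELO|EHLO) (.*)$")

MAX_SANE_LEN = 255  # longer than any legitimate domain name


def helo_arg_is_valid(arg: str) -> bool:
    """True if arg is a plausible HELO/EHLO argument under RFC 5321 grammar."""
    if not arg or len(arg) > MAX_SANE_LEN:
        return False
    return bool(
        DOMAIN_RE.match(arg)
        or IPV4_LITERAL_RE.match(arg)
        or IPV6_LITERAL_RE.match(arg)
    )


def suspicious_helos(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client_ip, verb, argument) for every HELO/EHLO whose
    argument is not a valid domain or address literal. Lines that do not
    match the expected format are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, verb, arg = m.groups()
        if not helo_arg_is_valid(arg):
            hits.append((ts, ip, verb, arg))
    return hits


# Constructed sample log: two benign greetings and two that carry a payload
SAMPLE_LOG = """\
2023-05-18T03:12:07Z 198.51.100.7 EHLO mail.example.net
2023-05-18T03:12:09Z 198.51.100.7 HELO [198.51.100.7]
2023-05-18T03:13:41Z 203.0.113.9 EHLO id;uname -a;cat /etc/passwd
2023-05-18T03:14:02Z 203.0.113.9 HELO aGVsbG8gd29ybGQ=.aGVsbG8=.aGVsbG8gd29ybGQ=
"""

if __name__ == "__main__":
    for ts, ip, verb, arg in suspicious_helos(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {verb} {arg!r}")
```

Two caveats. The check is purely syntactic: a payload encoded to look like a hostname (base64 without padding, hex labels) will pass, so treat hits as a starting point rather than a verdict, and expect some noise from poorly configured clients that send underscores or bare IP addresses. More importantly, the malware on these appliances lives inside bsmtpd itself, so SMTP logs written by a compromised ESG cannot be trusted; run this against traffic observed from a separate vantage point.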
Source code overlap has been identified between SEASPY and cd00r, a publicly available passive backdoor that stays dormant until it sees a specific trigger packet, according to Google-owned Mandiant, which is investigating the incident. The attack has not been linked to any known threat actor or group.
The US Cybersecurity and Infrastructure Security Agency (CISA) also added the bug to its Known Exploited Vulnerabilities (KEV) catalog last week, urging federal agencies to apply the fix by June 16, 2023.
Barracuda did not disclose how many organizations were breached, but noted that affected customers were contacted directly with mitigation guidance. It also warned that the ongoing investigation could identify additional affected users.