Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months

May 31, 2023Ravie LakshmananNetwork Security / Zero Day

Enterprise security firm Barracuda revealed on Tuesday that a recently patched zero-day flaw in Email Security Gateway (ESG) equipment has been abused by threat actors since October 2022 to open device backdoors.

Latest findings indicates that a critical vulnerability, tracked as CVE-2023-2868 (CVSS Score: N/A), had been actively exploited for at least seven months prior to its discovery.

The flaw, which Barracuda identified on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to achieve code execution on a vulnerable installation. Patches were released by Barracuda on May 20 and May 21.

“CVE-2023-2868 used to gain unauthorized access to a subset of ESG equipment,” email and network security firm said in the updated advice.

“Malware was identified on the subset of equipment that allowed perpetual backdoor access. Evidence of data exfiltration was identified on the affected subset of equipment.”

Three different malware strains have been discovered to date –

• SALT WATER – A trojanized module for the Barracuda SMTP daemon (bsmtpd) equipped to upload or download arbitrary files, execute commands, as well as proxy and direct malicious traffic to fly under the radar.

• SEASpy – ELF backdoor x64 that offers persistence ability and is activated via a magic pack.

• SEASIDE – The Lua-based module for bsmtpd creates a reverse shell via SMTP HELO/EHLO commands sent via the malware’s command-and-control (C2) server.

Source code overlap has been identified between SEASPY and cd00r, according to Google-owned Mandiant, which is investigating the incident. The attack has not been linked to any known threat actor or group.

The US Cyber ​​and Infrastructure Security Agency (CISA), last week, also added the bug to its Exploited Vulnerabilities Catalog (KEV), urging federal agencies to implement a fix by June 16, 2023.

Barracuda did not disclose how many organizations were breached, but noted that they were contacted directly with mitigation guidance. It also warned that an ongoing investigation could uncover additional users.