Barracuda Networks zero-day has been exploited for 7 months to steal data
Customers urged to ensure email security gateway appliances are up-to-date, halt the use of compromised appliances and refresh all credentials
Barracuda Networks has disclosed that a zero-day vulnerability in its Email Security Gateway (ESG) appliances had been exploited for at least seven months and used to steal data, before it was fixed earlier this month.
According to Barracuda's investigators, the vulnerability, tracked as CVE-2023-2868, was first exploited in October 2022 to introduce backdoors into some ESG appliances, allowing attackers to gain persistent access to the devices. Barracuda's investigations discovered that information had been stolen from some of the compromised appliances.
The security flaw was not identified until 19th May, when suspicious traffic was detected emanating from some ESG appliances. With the help of cybersecurity firm Mandiant, the vulnerability was located and all ESG appliances were patched on 20th May, with attackers' access to the compromised devices blocked on 21st May.
Barracuda informed its customers that their ESG appliances may have been breached. It also advised customers to secure other devices that might have been compromised by attackers through lateral movement.
"Barracuda's investigation was limited to the ESG product, and not the customer's specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take," it said.
Barracuda has urged customers to ensure their ESG appliances are up-to-date, halt the use of compromised appliances, request new virtual or hardware appliances from the company, refresh all credentials associated with the affected appliances, and check network logs for indicators of compromise and connections from unknown IPs.
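One way to act on the last of those recommendations is to run the appliance's connection logs through a small triage script that flags any line matching a vendor-supplied indicator of compromise and any outbound connection from the appliance to a destination that is not on the organisation's own allowlist. The script below is an added illustration, not tooling from Barracuda or Mandiant; the log line layout, the allowlist ranges and the IoC entries are constructed placeholders (documentation/test address ranges), and a real deployment would substitute the advisory's indicators and its own known destinations.

```python
"""Triage helper for ESG network logs: flag IoC matches and connections from the
appliance to destinations outside a known allowlist.

Added example, not vendor tooling. Log format, allowlist and IoC values are
constructed placeholders.
"""
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "reason line")

# Assumed (constructed) log layout: "<timestamp> <src_ip> -> <dst_ip>:<port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>\w+)"
)

# Placeholder allowlist: destinations the appliance is expected to reach
# (internal relays, update servers, DNS). Populate from your own records.
KNOWN_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),  # documentation range as a stand-in
]

# Placeholder IoC list: paste the advisory's indicator IPs here. These values are
# documentation/test addresses, not real indicators.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_known(ip):
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_DESTINATIONS)


def triage(lines, appliance_ip):
    """Return Findings for lines involving the appliance that are either an IoC
    match on either endpoint or an outbound connection to an unlisted destination."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if appliance_ip not in (rec["src"], rec["dst"]):
            continue
        if rec["src"] in IOC_IPS or rec["dst"] in IOC_IPS:
            findings.append(Finding("ioc-match", line.strip()))
            continue
        if rec["src"] == appliance_ip and not is_known(rec["dst"]):
            findings.append(Finding("unknown-destination", line.strip()))
    return findings


# Constructed sample log; 10.1.1.5 plays the role of the ESG appliance.
SAMPLE_LOG = """
2023-05-19T10:00:01Z 10.1.1.5 -> 10.1.1.20:25 tcp
2023-05-19T10:00:05Z 10.1.1.5 -> 198.51.100.23:443 tcp
2023-05-19T10:00:09Z 10.1.1.5 -> 192.0.2.10:443 tcp
2023-05-19T10:00:12Z 10.1.1.5 -> 203.0.113.200:8443 tcp
2023-05-19T10:00:15Z 172.16.0.9 -> 10.1.1.5:25 tcp
garbage line that does not parse
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "10.1.1.5"):
        print(f"{f.reason:20} {f.line}")
```

Unparseable lines are skipped rather than treated as findings, and an IoC hit is reported before the allowlist check so that an indicator sitting inside an allowlisted range is still surfaced. Inbound connections to the appliance are only examined for IoC matches, since the recommendation concerns unknown destinations the appliance itself reaches out to.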
Customers are advised to monitor developments via a status page on Barracuda Networks' website.
As part of its containment strategy, the company is deploying patches to all appliances, and has notified affected users through the ESG user interface.
During the investigation, several previously unknown malware strains specifically designed for compromised ESG appliances were discovered.
The first, dubbed "Saltwater", is a trojanised Barracuda SMTP daemon module that provides backdoor access to infected appliances. Another strain, which the researchers called "SeaSpy" and which bears similarities to the well-known passive backdoor cd00r, monitors SMTP traffic. A third module, "SeaSide", establishes reverse shells via SMTP HELO/EHLO commands sent through the malware's C2 server.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-2868 to its list of known exploited vulnerabilities, advising federal agencies using ESG appliances to check their networks for signs of intrusion resulting from the compromise.
Based in Campbell, California, Barracuda Networks is a network and email security vendor with 200,000 customers, including multinationals Kraft Heinz and Samsung, and West Nottinghamshire College, Rochdale Boroughwide Housing and Merseyrail in the UK.
The company is owned by venture capital group KKR, which purchased it from previous owner Thoma Bravo for around $4 billion in 2022.