31 May 2023

Hackers had been exploiting Barracuda zero-day since fall 2022

US-based email and network security solutions provider Barracuda Networks revealed that threat actors had been exploiting a recently patched zero-day vulnerability in its Email Security Gateway (ESG) appliances for nearly eight months to backdoor devices.

Tracked as CVE-2023-2868, the flaw is an OS command injection issue that can be exploited by a remote hacker to execute arbitrary Perl commands on the target system.

The vulnerability was identified on May 19 and a security patch to address the bug was applied to all ESG appliances worldwide on May 20, 2023. The vulnerability resided in a module that initially screens the attachments of incoming emails. Other Barracuda products, including its SaaS email security services, are not affected.

While the investigation is still ongoing, the company found evidence indicating that the zero-day had been exploited since October 2022, with hackers installing malware on a subset of compromised devices. The attackers are also said to have exfiltrated data from impacted appliances.

An analysis showed that the attack involved three trojanized modules:

  • Saltwater - a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. The capabilities of Saltwater include the ability to upload or download arbitrary files, execute commands, as well as proxy and tunneling capabilities.

  • Seaspy - an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). Seaspy also contains backdoor functionality that is activated by a "magic packet". Cybersecurity firm Mandiant found code overlap with a publicly available backdoor called ‘cd00r.’

  • Seaside - a Lua-based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP address and port, which it passes as arguments to an external binary that establishes a reverse shell.
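Because Seaside receives its C2 address through the HELO/EHLO argument, a defender can hunt for the behaviour in SMTP session logs: a legitimate HELO/EHLO argument is a hostname or a bracketed address literal, so an argument that embeds an IP address together with a port number is worth flagging. The script below is an added illustration, not code from the article or from Barracuda or Mandiant; it assumes a constructed log format (`cmd=EHLO <argument>` per line) and assumes the C2 address is recognisable as an IPv4 address and port inside the argument, which the article does not specify.

```python
import re

# Constructed sample SMTP session log; not real traffic from the incident.
SAMPLE_LOG = """\
2023-05-20T10:01:02 conn=1 client=203.0.113.7 cmd=EHLO mail.example.org
2023-05-20T10:01:09 conn=2 client=198.51.100.9 cmd=HELO [198.51.100.9]
2023-05-20T10:02:15 conn=3 client=192.0.2.44 cmd=EHLO 192.0.2.200:4444
2023-05-20T10:03:40 conn=4 client=192.0.2.45 cmd=HELO relay-01.corp.example
2023-05-20T10:04:01 conn=5 client=192.0.2.46 cmd=EHLO x 10.0.0.5 8443
"""

LINE_RE = re.compile(r"cmd=(?P<verb>HELO|EHLO)\s+(?P<arg>.*)$")
# RFC 5321 allows a hostname or an address literal such as [192.0.2.1].
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$|^\[IPv6:[0-9A-Fa-f:.]+\]$")
# An IPv4 address followed (after non-alphanumeric separators) by a port-like number.
IP_PORT_RE = re.compile(
    r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})[^0-9A-Za-z]+(\d{1,5})(?!\d)")


def classify_helo(arg):
    """Return None for a well-formed HELO/EHLO argument, otherwise a reason string."""
    arg = arg.strip()
    if LITERAL_RE.match(arg) or HOSTNAME_RE.match(arg):
        return None
    m = IP_PORT_RE.search(arg)
    if m:
        ip, port = m.group(1), int(m.group(2))
        if all(0 <= int(o) <= 255 for o in ip.split(".")) and 1 <= port <= 65535:
            return f"embedded ip/port {ip}:{port}"
    return "malformed argument"


def hunt(log_text):
    """Scan log lines and return the HELO/EHLO commands that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        reason = classify_helo(m.group("arg"))
        if reason:
            findings.append({"verb": m.group("verb"), "arg": m.group("arg"),
                             "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['reason']:<40} {f['line']}")
```

On a real appliance the heuristic should be run against bsmtpd connection logs and combined with the published IoCs and Yara rules rather than used alone.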

Barracuda has shared Indicators of Compromise (IoCs) and Yara rules to help defenders hunt for this threat.
