Hackers exploited Barracuda's 0-day vulnerability for up to 7 months

Enterprise security firm Barracuda May 30, 2023 revealed that since October 2022, threat actors have abused a recently patched zero-day vulnerability in its Email Security Gateway (ESG) appliances to set up a backdoor to the devices.

The latest findings indicate that the critical vulnerability, tracked as CVE-2023-2868 (CVSS rating: N/A), had been exploited for at least seven months prior to its discovery.

The vulnerability, discovered by Barracuda on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to execute code on a vulnerable installation. Barracuda issued patches on May 20 and May 21.

In an updated advisory, the network and email security company said CVE-2023-2868 was used to gain unauthorized access to a subset of ESG devices. They found malware on a subset of devices that allowed persistent backdoor access and evidence of a data breach on a subset of affected devices.

To date, they have found three different malware variants.

路 SALTWATER - A Trojanized module of the Barracuda SMTP daemon (bsmtpd), equipped to upload or download arbitrary files, execute commands, and proxy and tunnel malicious traffic to fly under the radar.

路 SEASPY - An x64 ELF backdoor that provides persistent functionality and is activated via the magic packet.

路 SEASIDE - A Lua-based module of bsmtpd that builds reverse shells via SMTP HELO/EHLO commands sent by the malware's command and control (C2) server.

According to Google-owned Mandiant, which is investigating the incident, it has been determined that there is a source code overlap between SEASPY and the open source backdoor called cd00r. The attacks have not been attributed to a known threat actor or group.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog last week, urging federal agencies to apply fixes by June 16, 2023.

Barracuda did not disclose how many organizations were compromised, but noted that they contacted the mitigation guidance directly. It also warned that an ongoing investigation may uncover other users who may have been affected.