New research on a now-patched zero-day bug in Barracuda Networks’ email security gateway, which went unpatched and was exploited for months, reveals three previously unknown malicious payloads used in the attacks. Meanwhile, the adversaries behind the cyberattack remain elusive.
Barracuda Networks disclosed the critical vulnerability (CVE-2023-2868) on May 19 and applied a series of patches to its affected ESG appliances the following day. The remote command injection vulnerability, with a CVSS base score of 9.4, was found in a module within the appliance used to screen attachments to incoming emails.
"If a customer has not received notice from us via the ESG user interface, we have no reason to believe their environment has been impacted at this time and there are no actions for the customer to take," advised Barracuda in a statement.
What an outside analysis of CVE-2023-2868 found
Barracuda hired cybersecurity firm Mandiant to assist with an investigation into the incident and published an update outlining its initial findings on May 30.
It said evidence had been found that the vulnerability had been exploited as far back as October 2022. The exploit had allowed malware to be dropped on some of the appliances, enabling the attackers to gain persistent backdoor access.
“Evidence of data exfiltration was identified on a subset of impacted appliances,” Barracuda said in the update.
“The vulnerability stemmed from incomplete input validation of user supplied .tar (tape archive) files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product.”
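The defect described above is a classic one: a string taken from an untrusted archive header is interpolated into a command that is handed to a shell. The usual defensive counterpart is to validate archive member names against a strict allowlist before they reach any command string, and to hunt for archives whose member names fail that check. The following is an added example, not Barracuda's or Mandiant's code and not the YARA rules they published; it uses Python's standard tarfile module, reads only the archive headers (nothing is extracted), and all sample member names are constructed for illustration.

```python
import io
import re
import tarfile

# Characters that a shell would interpret if a member name were spliced
# into a command string (the failure mode behind CVE-2023-2868). Kept here
# to document the hazard; enforcement below is by allowlist, not by this list.
SHELL_META = re.compile(r"[`$|;&<>(){}\[\]\\\"'\n\r*?~\s]")

# Allowlist for a single path segment: must start with an alphanumeric or
# underscore (so it can never be mistaken for a command-line option), and may
# then contain only alphanumerics, dot, underscore and hyphen.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]*$")


def is_safe_member_name(name: str) -> bool:
    """Return True only if every segment of the name is on the allowlist,
    the path is relative, and it contains no '.' or '..' segments."""
    if not name or name.startswith("/") or SHELL_META.search(name):
        return False
    for segment in name.split("/"):
        if segment in ("", ".", ".."):
            return False
        if not SAFE_SEGMENT.match(segment):
            return False
    return True


def scan_tar_member_names(archive_bytes: bytes) -> list[str]:
    """Return the member names in an uncompressed .tar that fail the check.
    Only headers are iterated; member contents are never extracted."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tf:
        for member in tf:
            if not is_safe_member_name(member.name):
                flagged.append(member.name)
    return flagged


def build_sample_archive(names: list[str]) -> bytes:
    """Constructed sample input: an in-memory tar whose members carry the
    given names and a one-byte body each."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            body = b"x"
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed names: two benign, one with a shell metacharacter,
    # one with path traversal.
    sample = build_sample_archive(
        ["invoice.pdf", "report/q1.txt", "bad;cmd.txt", "../x.txt"]
    )
    for bad in scan_tar_member_names(sample):
        print("rejected member name:", repr(bad))
```

The allowlist is deliberately stricter than "no shell metacharacters": it also rejects leading hyphens, absolute paths and traversal segments, because a name that survives the shell can still be abused as an option or a path by whatever tool processes the attachment next. Wiring a check like this in front of the attachment scanner, or running it over quarantined .tar files, is the defensive analogue of the YARA hunting described later in the article.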
One of the three malware payloads identified so far had been labeled SaltWater and was described as a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contained backdoor functionality. Its capabilities included uploading or downloading files, executing commands, and carrying out proxying and tunneling activities.
Attribution and payload analysis
Mandiant was continuing to analyze SaltWater to determine if its characteristics overlapped with any known malware families, Barracuda said.
The second payload, SeaSpy, was “an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP (packet capture) filter, specifically monitoring traffic on port 25 (SMTP).”
Mandiant’s analysis had identified shared code between SeaSpy and cd00r, a long-established publicly available backdoor.
The third piece of malware, SeaSide, was a Lua-based module used to connect to the attackers’ command-and-control server to establish a reverse shell for accessing the system.
Barracuda’s update provided details of indicators of compromise associated with the attack and YARA rules that could be applied by appliance operators to hunt for the malicious .tar files that exploited the vulnerability.
Customers who discovered their ESG appliances were compromised should stop using them and contact Barracuda support to obtain a new one, according to the company.
Barracuda said none of its other products, including its SaaS email security services, were affected by the vulnerability.
The Barracuda timeline of the vulnerability is:
- On May 18, 2023, Barracuda was alerted to anomalous traffic originating from Barracuda Email Security Gateway (ESG) appliances.
- On May 18, 2023, Barracuda engaged Mandiant, leading global cyber security experts, to assist in the investigation.
- On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG).
- On May 20, 2023, a security patch to remediate the vulnerability was applied to all ESG appliances worldwide.
- On May 21, 2023, a script was deployed to all impacted appliances to contain the incident and counter unauthorized access methods.
- A series of security patches are being deployed to all appliances in furtherance of our containment strategy.
(Timeline above is an excerpt from the Barracuda Networks blog post)