Barracuda zero-day vulnerability exploited to steal data since 2022
Network and email security provider, Barracuda, has revealed that a zero-day vulnerability, known as Barracuda Zero-Day (CVE-2023-2868), was exploited over a period of seven months.
The attackers leveraged this vulnerability to backdoor customers’ Email Security Gateway (ESG) appliances, deploying custom malware and stealing sensitive data.
Initial Exploitation and Data Breach
The exploitation of the zero-day bug began in October 2022, enabling unauthorized access to a subset of ESG appliances.
The attackers utilized backdoors to maintain persistent access to compromised systems. Barracuda’s investigation also uncovered evidence of information theft from the compromised ESG appliances.
Detection and Mitigation Measures
Barracuda became aware of the security flaw on May 19 when suspicious traffic from ESG appliances was detected. In response, the company engaged the cybersecurity firm Mandiant to assist in the investigation.
On May 20, Barracuda promptly applied a security patch to all ESG appliances and the attackers’ access to compromised devices was blocked on May 21 through the deployment of a dedicated script.
Customer Notification and Containment Strategy
To ensure the security of its customers, Barracuda issued a warning on May 24, advising them to investigate their environments and check for possible lateral movement of attackers within their networks.
The company also initiated a series of security patches across all appliances as part of its containment strategy. Affected users were notified via the ESG user interface and provided with specific instructions to address the issue.
Concerns for Federal Agencies and Custom-Tailored Malware
Recognizing the severity of the situation, the Cybersecurity and Infrastructure Security Agency (CISA) included the CVE-2023-2868 vulnerability on its list of exploited vulnerabilities, urging federal agencies to examine their networks for signs of compromise stemming from the exploitation of ESG appliances.
During the investigation, Barracuda uncovered multiple previously unknown malware strains specifically tailored for compromising Email Security Gateway products.
One such strain, called Saltwater, is a trojanized Barracuda SMTP daemon module that grants backdoor access to infected appliances. Additional malware strains, including SeaSpy and SeaSide, were identified and found to provide persistence and establish reverse shells via SMTP HELO/EHLO commands.
Recommendations for Affected Customers
To mitigate the impact of the breach, Barracuda recommends the following actions for affected customers:
- Ensure ESG appliances are up-to-date.
- Cease using compromised appliances and request new virtual or hardware appliances.
- Rotate all credentials associated with compromised appliances.
- Review network logs for Indicators of Compromise (IOCs) shared by Barracuda.
- Monitor connections from unknown IPs.
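The last two recommendations, log review against Barracuda's published IOCs and watching for connections to unknown IPs, can be done with a short script. The following is an added example, not code from Barracuda or from the original article; the IOC values, the allowlist, and the log lines are constructed placeholders, and the real indicator list published by Barracuda would be substituted for them.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed placeholder IOCs (not Barracuda's real indicators); replace
# with the IOC list Barracuda published for CVE-2023-2868.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_HOSTS = {"ioc-placeholder.example"}

# Constructed allowlist: destinations an ESG appliance is expected to reach
# (internal mail servers, the vendor update range, etc.).
KNOWN_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Constructed sample connection log in an assumed simple format:
# "<timestamp> <src_ip> -> <dst_ip>[:<port>] [host=<name>]"
SAMPLE_LOG = """\
2023-05-19T02:11:04Z 10.1.2.3 -> 192.0.2.10:25
2023-05-19T02:11:09Z 10.1.2.3 -> 198.51.100.23:443
2023-05-19T02:12:30Z 10.1.2.3 -> 203.0.113.5:8443 host=updates.example
2023-05-19T02:13:01Z 10.1.2.3 -> 10.9.9.9:25 host=ioc-placeholder.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+)(?::(?P<port>\d+))?"
    r"(?: host=(?P<host>\S+))?$"
)

def is_known(ip: str) -> bool:
    """True if the destination falls inside an allowlisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETS)

def review_log(text: str) -> list:
    """Return findings as (line_no, reason, value) tuples."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "unparsed", line))
            continue
        dst, host = m["dst"], m["host"]
        if dst in IOC_IPS:                       # known-bad destination
            findings.append((n, "ioc-ip", dst))
        elif not is_known(dst):                  # not bad, but not expected
            findings.append((n, "unknown-ip", dst))
        if host and host in IOC_HOSTS:           # known-bad hostname
            findings.append((n, "ioc-host", host))
    return findings

if __name__ == "__main__":
    for line_no, reason, value in review_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason} {value}")
```

Every "unknown-ip" hit is a triage lead rather than proof of compromise; the "ioc-*" hits are the lines to escalate.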
Barracuda’s Wide User Base
Barracuda’s products are widely used, with over 200,000 organizations relying on their network and email security solutions. Prominent companies such as Samsung, Delta Airlines, Mitsubishi, and Kraft Heinz are among Barracuda’s customer base.
The Impact and Ongoing Response
The exploitation of the Barracuda Zero-Day vulnerability raises significant concerns regarding the security and integrity of affected organizations’ data.
The long duration of the breach indicates the sophistication and persistence of the threat actors involved. Barracuda’s ongoing response includes a thorough investigation to assess the extent of the data compromise and the implementation of necessary security measures to prevent future incidents.
Enhanced Security Measures and Customer Support
Barracuda is committed to improving the security of its products and preventing similar incidents in the future. In addition to deploying security patches and containment strategies, the company is actively working with its customers to provide guidance and support.
Users whose appliances are believed to be impacted have been notified through the ESG user interface and offered assistance in addressing the breach.
Industry-Wide Concerns and Collaboration
The discovery of the Barracuda Zero-Day exploit has raised concerns across the cybersecurity industry. It serves as a reminder of the constant threat posed by sophisticated attackers and the importance of regular security updates and monitoring.
Collaboration between security firms, such as Barracuda and Mandiant, is crucial in promptly identifying and mitigating such vulnerabilities to protect organizations and their valuable data.
The exploitation of the Barracuda Zero-Day vulnerability for an extended period highlights the need for continuous vigilance in the face of evolving cyber threats.
Barracuda’s swift response and collaboration with cybersecurity experts demonstrate their commitment to addressing the issue and safeguarding their customers’ environments.
As the investigation progresses, affected organizations should follow the recommended mitigation steps and remain proactive in securing their networks to mitigate potential risks.