Network and email security firm Barracuda today revealed that a recently patched zero-day vulnerability has been exploited for at least seven months to hijack customers’ Email Security Gateway (ESG) appliances with custom malware and steal data.
The company says an ongoing investigation found that the bug (tracked as CVE-2023-2868) was first exploited in October 2022 to access “a subset of ESG appliances” and deploy backdoors designed to give attackers persistent access to the compromised systems.
Barracuda also uncovered evidence that the threat actors stole data from compromised ESG appliances.
The security flaw was identified on May 19, a day after the company was alerted to suspicious traffic from ESG appliances and hired cybersecurity firm Mandiant to help with the investigation.
The company addressed the issue on May 20 by applying a security patch to all ESG appliances and blocked attackers’ access to compromised devices a day later by deploying a dedicated script.
On May 24, it warned customers that their ESG appliances might have been breached using the now-patched zero-day bug, advising them to investigate their environments, likely to check whether attackers had moved laterally to other devices on their network.
“A series of security fixes are being rolled out to all appliances as part of our containment strategy,” Barracuda also said today.
“Users whose devices we believe have been impacted have been notified through the ESG UI of the action to be taken. Barracuda has also reached out to those specific customers.”
CISA added the CVE-2023-2868 flaw to its list of known exploited vulnerabilities Friday, likely as a warning to federal agencies using ESG appliances to check their networks for signs of intrusions resulting from their compromise.
Custom malware deployed in the attack
Several previously unknown malware strains were discovered during the investigation, specifically designed to be used on compromised Email Security Gateway products.
The first, dubbed Saltwater, is a Barracuda SMTP daemon (bsmtpd) module that provides attackers with backdoor access to infected devices.
Its “features” include the ability to run commands on compromised devices, transfer files, and proxy/tunnel attackers’ malicious traffic to help evade detection.
Another malware strain deployed during this campaign, dubbed SeaSpy, offers persistence and can be activated using “magic packets”. SeaSpy monitors port 25 (SMTP) traffic, and some of its code overlaps with the publicly available cd00r passive backdoor.
Threat actors also used a malicious bsmtpd module called SeaSide to establish reverse shells via SMTP HELO/EHLO commands sent through the malware’s command and control (C2) server.
Customers are advised to check that their ESG appliances are up to date, stop using compromised appliances and request a new virtual or hardware appliance, rotate all credentials related to compromised appliances, and check their network logs for the IOCs shared today and for connections from unknown IP addresses.
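As an added illustration of the last piece of advice (this is example code, not Barracuda's or Mandiant's tooling, and it does not use the real IOCs from their report), the following script triages constructed SMTP connection log lines: it flags peers that appear on a placeholder IOC list and peers outside the networks an operator expects to see. The log format, the IOC values and the "known" network ranges are all assumptions and would be replaced with the appliance's real log format and the published indicators.

```python
"""
Added example, not from the article or from Barracuda/Mandiant.
Scans constructed SMTP connection log lines for (a) peer IPs on a
placeholder IOC list and (b) peers outside the operator's known networks.
Log format, IOC values and network ranges are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample log lines (assumed format: ISO timestamp, direction,
# peer IP, SMTP verb and argument). Not real ESG log output.
SAMPLE_LOG = """\
2023-05-18T03:14:07Z inbound 198.51.100.23 HELO mail.example.net
2023-05-18T03:14:09Z inbound 203.0.113.77 EHLO partner.example.org
2023-05-18T03:15:41Z inbound 192.0.2.200 EHLO smtp.unknown.test
2023-05-18T03:16:02Z outbound 198.51.100.23 MAIL FROM:<user@example.net>
2023-05-18T03:16:30Z inbound 192.0.2.55 EHLO relay.unknown.test
2023-05-18T03:17:55Z inbound 192.0.2.200 EHLO smtp.unknown.test
this line is malformed and should be skipped
"""

# Placeholder indicators (documentation-range address); replace with the
# IOCs published by the vendor.
IOC_IPS = {"192.0.2.200"}

# Networks the operator expects to exchange mail with (assumed).
KNOWN_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>inbound|outbound)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<verb>\S+)(?:\s+(?P<arg>.*))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_known(ip: str) -> bool:
    """True if the peer address falls inside one of the known networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def triage(log_text: str) -> Dict[str, List[dict]]:
    """Classify each parsable line: IOC hit takes priority over 'unknown'."""
    findings: Dict[str, List[dict]] = {"ioc_match": [], "unknown_source": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as clean
        if rec["ip"] in IOC_IPS:
            findings["ioc_match"].append(rec)
        elif not is_known(rec["ip"]):
            findings["unknown_source"].append(rec)
    return findings


def summarize(findings: Dict[str, List[dict]]) -> Dict[str, Dict[str, int]]:
    """Count hits per peer IP in each category, for a quick review table."""
    out: Dict[str, Dict[str, int]] = {}
    for category, recs in findings.items():
        counts: Dict[str, int] = {}
        for rec in recs:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
        out[category] = counts
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, counts in summarize(result).items():
        print(category)
        for ip, n in sorted(counts.items()):
            print(f"  {ip}: {n} line(s)")
```

An IOC hit on a still-running appliance is a reason to follow the vendor's replacement and credential-rotation advice rather than to clean the box in place; the "unknown source" bucket is only a starting point for review, since legitimate mail peers will land there until the known-network list is tuned.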
Barracuda says its products are used by more than 200,000 organizations, including leading companies like Samsung, Delta Airlines, Mitsubishi and Kraft Heinz.