Barracuda Networks has disclosed that a zero-day vulnerability in its Email Security Gateway (ESG) appliances had been exploited for at least seven months.
According to Barracuda’s investigators, the vulnerability CVE-2023-2868 was first exploited in October 2022 to introduce backdoors into some ESG appliances, allowing attackers to gain continued access to the devices. Barracuda’s investigations discovered that information had been stolen from some of the compromised appliances.
The security flaw was not spotted until 19 May, when suspicious traffic emanated from some ESG appliances. Cybersecurity firm Mandiant helped find the vulnerability and all ESG appliances were patched on 20th May, with attackers’ access to the compromised devices blocked on 21 May.
Barracuda informed its customers that their ESG appliances may have been breached. It advised customers to secure other devices that might have been compromised by attackers through lateral movement.
“Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take,” it said.
Barracuda has urged customers to ensure their ESG appliances are up-to-date, halt the use of compromised appliances, request new virtual or hardware appliances from the company, refresh all credentials associated with the affected appliances, and check network logs for indicators of compromise and connections from unknown IPs.
To make matters worse, during the investigation, several previously unknown malware strains specifically designed for compromised ESG appliances were discovered.
“Saltwater” was a trojanised Barracuda SMTP daemon module that provides backdoor access to infected appliances. “SeaSpy” and which bears similarities to the well-known passive backdoor cd00r, monitors SMTP traffic. “SeaSide” establishes reverse shells via SMTP HELO/EHLO commands sent through the malware’s C2C server.
Barracuda Networks is a network and email security vendor with 200,000 customers, including multinationals Kraft Heinz and Samsung, and West Nottinghamshire College, Rochdale Boroughwide Housing and Merseyrail in the UK.