A critical remote command injection vulnerability in some Barracuda Networks devices that the vendor patched 11 days ago has been exploited by miscreants – for at least the past seven months.
Barracuda said it discovered the bug, tracked as CVE-2023-2868, in its Email Security Gateway (ESG) appliance on May 19 and pushed a patch to all of these products globally the following day.
In a security alert posted on Tuesday, however, the vendor disclosed that the vulnerability was under active exploit long before the patch arrived. The flaw, which affects versions 5.1.3.001 to 9.2.0.006 of the ESG appliance, can and has been abused to run remote commands on targeted equipment, hijack them, and deploy data-stealing spyware on the boxes.
“Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022,” it said, adding its probe into the matter is still ongoing.
The attackers exploited the hole to break into “a subset” of Barracuda ESG appliances, and then dropped in some malware to allow for persistent backdoor access and data theft, we’re told.
“Evidence of data exfiltration was identified on a subset of impacted appliances,” Barracuda added.
No other Barracuda products are affected, according to the security vendor.
Soon after spotting abnormal traffic originating from its email security products, Barracuda called in Mandiant to help with an investigation.
The day after it issued a patch, on May 21, Barracuda deployed a script to the compromised ESG appliances “to contain the incident and counter unauthorized access methods,” it said.
Plus the vendor is sending a series of additional patches “in furtherance of our containment strategy,” according to Barracuda.
The biz declined to say how many customers were compromised, and who has been exploiting the vulnerability. It claims more than 200,000 customers around the world use its security products.
Last Friday, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-2868 to its Known Exploited Vulnerabilities Catalog.
Saltwater, Seaspy and Seaside, oh my
The flaw, a remote command injection vulnerability, is due to incomplete input validation of a user-supplied .tar archive. Remote attackers can format the filenames in that archive in a way that allows them to execute a system command through Perl’s qx operator when the file is processed.
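As a defensive illustration of the input validation described above, here is an added example (not Barracuda's code and not taken from the advisory) that screens the member names of a .tar archive against an allowlist before anything else processes them. The function names, the allowlist and the sample filenames are assumptions constructed for this sketch.

```python
import io
import re
import tarfile

# Allowlist of characters that are inert in a shell command line. Anything
# else (quotes, backticks, $, ;, |, &, newlines, ...) causes a rejection.
SAFE_NAME = re.compile(r"[A-Za-z0-9._/+@ -]+")


def unsafe_member_names(tar_bytes):
    """Return the member names in a tar archive that fail the allowlist."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as archive:
        for member in archive:  # reads headers only; nothing is extracted
            if not SAFE_NAME.fullmatch(member.name):
                flagged.append(member.name)
    return flagged


def build_sample_tar(names):
    """Build an in-memory tar holding empty files with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in names:
            archive.addfile(tarfile.TarInfo(name=name), io.BytesIO(b""))
    return buf.getvalue()


# Constructed sample names; not taken from the advisory or any real attack.
SAMPLE_NAMES = [
    "reports/q1-summary.txt",
    "invoice 2023.pdf",
    "notes';echo constructed;'.txt",
    "`echo constructed`.log",
]

if __name__ == "__main__":
    for bad in unsafe_member_names(build_sample_tar(SAMPLE_NAMES)):
        print("rejecting archive, unsafe member name:", repr(bad))
```

A name check like this is defence in depth only: the underlying fix is for the processing code never to interpolate attacker-controlled filenames into a shell command string in the first place.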
After exploiting CVE-2023-2868 in the wild, the unnamed attacker deployed three types of malware on the compromised email security devices.
First, a backdoor dubbed Saltwater for uploading and downloading files, and executing commands. It also included proxy and tunneling capabilities.
“Mandiant is still analyzing SALTWATER to determine if it overlaps with any other known malware families,” the alert says.
Next, the crooks deployed Seaspy, an x64 persistence backdoor disguised as a legitimate Barracuda service. Seaspy establishes itself as a PCAP packet filter to monitor network traffic on port 25.
This piece of malware shares some code with cd00r, a publicly available backdoor, according to Mandiant and Barracuda.
And finally, Seaside is a Lua-based module that monitors incoming SMTP HELO/EHLO commands that, interestingly enough, tell it which command-and-control IP addresses and ports to use, and establishes a reverse shell for the attackers to issue commands.
Barracuda says it has notified customers whose products may have been compromised. As the investigation continues, that list of affected users may grow.
Customers should ensure that their ESG appliances are receiving and installing updates and patches, and if your product has been compromised: stop using it and contact Barracuda, support[at]barracuda[dot]com. See the advisory for indicators of compromise.
Additionally, rotate any applicable credentials connected to the ESG appliance – though bear in mind, if someone’s inside your equipment, they may well pick up the changes. And review network logs for any of the indicators of compromise listed in Barracuda’s security alert. ®