Patrick Domingues

In a recent development, enterprise security company Barracuda has issued a warning to its customers regarding the use of email security gateway (ESG) appliances affected by a newly disclosed zero-day exploit. The company strongly advises customers to replace these appliances immediately to mitigate potential security risks. This article explores the vulnerability, the recommended course of action, and the implications of the exploit.

Introduction

The security landscape is constantly evolving, with new threats emerging every day. In light of this, it is crucial for organizations to stay vigilant and take necessary measures to protect their systems and data. Barracuda, a leading enterprise security company, has identified a zero-day exploit affecting its email security gateway (ESG) appliances. This exploit has been actively exploited since October 2022, making it imperative for Barracuda customers to take immediate action. In this article, we will delve into the details of the vulnerability, the remediation measures recommended by Barracuda, and the potential consequences of not addressing the issue promptly.

Understanding the Vulnerability

The zero-day exploit, officially known as CVE-2023-2868, was discovered on May 19, 2023. It impacts ESG appliance versions 5.1.3.001 through 9.2.0.006, posing a significant risk to organizations utilizing these appliances. The exploit allows remote attackers to execute arbitrary code on vulnerable installations, potentially leading to unauthorized access, data breaches, and other malicious activities.

Barracuda, upon identifying the vulnerability, took immediate action to address the issue. The company released patches on May 20 and May 21 to mitigate the exploit. However, despite the availability of patches, Barracuda advises customers to replace the impacted ESG appliances entirely, regardless of the patch status. This precautionary measure ensures the complete elimination of any potential security risks associated with the vulnerability.

Notification and Reach-out to Impacted Customers

Barracuda has been proactive in notifying its customers about the vulnerability and the necessary actions to be taken. Users whose appliances are believed to be impacted have been notified through the ESG user interface, providing them with clear instructions on the steps to follow. Additionally, Barracuda has personally reached out to these specific customers to emphasize the importance of appliance replacement.

Multistrained Malware Uncovered

During the investigation of the vulnerability, Barracuda discovered the presence of three different malware strains on a subset of appliances. These strains, named Saltwater, Seaspy, and Seaside, function as backdoor modules, enabling persistent backdoor access and data exfiltration.

Saltwater and Seaside primarily target the Barracuda SMTP daemon (bsmtpd), enabling the upload and download of arbitrary files, execution of commands, and the tunneling of malicious traffic. On the other hand, Seasspy is an x64 executable and linkable format (ELF) backdoor that offers persistence capabilities, activated through a magic packet, such as a remote or wake-on-LAN packet.

Mandiant, a renowned cybersecurity intelligence firm owned by Google, is currently investigating the incident. During their analysis, they discovered code overlaps between SEASPY and an open-source backdoor known as cd00r. However, no specific threat actor or group has been attributed to the attacks at this point.

Frequently Asked Questions (FAQs)

1. Q: How long has the zero-day exploit been actively exploited?
   • A: The zero-day exploit has been actively exploited since October 2022.
2. Q: Which Barracuda products are affected by the vulnerability?
   • A: Only the email security gateway (ESG) appliances are affected. No other Barracuda products,.
3. Q: Which Barracuda products are affected by the vulnerability?
   • A: Only the email security gateway (ESG) appliances are affected. No other Barracuda products, such as the Barracuda Essentials or Barracuda Email Security Service, are impacted by this vulnerability.
4. Q: What versions of the ESG appliances are affected?
   • A: The vulnerability affects ESG appliance versions 5.1.3.001 through 9.2.0.006.
5. Q: What actions are recommended by Barracuda to mitigate the security risks?
   • A: Barracuda strongly advises customers to replace the impacted ESG appliances immediately, regardless of whether they have applied the available patches. Replacing the appliances is the most effective way to ensure complete elimination of any potential security risks associated with the vulnerability.
6. Q: How has Barracuda notified its customers about the vulnerability?
   • A: Barracuda has proactively notified its customers through the ESG user interface, providing clear instructions on the steps to be taken. Additionally, Barracuda has personally reached out to the specific customers believed to be impacted by the vulnerability.
7. Q: What were the malware strains discovered during the investigation?
   • A: Three malware strains named Saltwater, Seaspy, and Seaside were discovered on a subset of appliances. These strains function as backdoor modules, allowing persistent backdoor access and data exfiltration.
8. Q: Is there any attribution to specific threat actors or groups?
   • A: At this point, no specific threat actor or group has been attributed to the attacks. The incident is currently under investigation by Mandiant, a cybersecurity intelligence firm owned by Google.
9. Q: What should organizations do if they are using the impacted ESG appliances?
   • A: Organizations using the affected ESG appliances should follow Barracuda’s recommendation to replace the appliances immediately. They should also stay vigilant for any signs of unauthorized access or suspicious activities and report them to Barracuda’s support team.
10. Q: How can organizations protect themselves while waiting to replace the ESG appliances?
    • A: While waiting to replace the appliances, organizations can take additional security measures, such as enabling multi-factor authentication (MFA) for email accounts, implementing network segmentation, regularly updating antivirus software, and educating employees about phishing and social engineering attacks.

It is crucial for Barracuda customers to take the necessary steps to address this vulnerability promptly. By replacing the impacted ESG appliances, organizations can significantly reduce the risk of unauthorized access, data breaches, and other malicious activities. Barracuda continues to work diligently to ensure the security of its customers and provide support throughout the remediation process.