UPDATE - Barracuda is urging some customers to replace their Email Security Gateway (ESG) appliances shortly after disclosing that a remote code execution bug in the appliance has been exploited by attackers to enable “persistent backdoor access” for eight months.
Barracuda first discovered the bug (tracked as CVE-2023-2868) on May 19 after being tipped off that anomalous traffic was stemming from ESG appliances. A patch was deployed on May 20, and a second patch deployed on May 21. On June 1, the company warned that attackers had been exploiting the vulnerability since October 2022 in order to obtain unauthorized access to a “subset of ESG appliances,” set up persistent backdoor access and exfiltrate data.
Though Barracuda said that affected customers were notified and patches deployed, on June 6 the company said its remediation recommendation is now full replacement of the impacted ESG appliances. In an update, Barracuda said that as of June 8, approximately 5 percent of active ESG appliances globally showed evidence of known indicators of compromise due to the vulnerability.
"Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances," according to a Barracuda update on Friday. "Therefore, we would like customers to replace any compromised appliance with a new unaffected device."
The company said on Friday that it has notified customers impacted by the incident. If an ESG appliance displays a notification in its user interface, that appliance has shown indicators of compromise; if no notification is displayed, Barracuda said, the appliance has not been compromised at this time.
The remote code execution bug, which could allow attackers to gain unauthorized access to vulnerable appliances, affects versions 5.1.3.001-9.2.0.006 of the appliance, and does not affect other Barracuda products, including the SaaS version of the ESG product. It stems from a module that screens the attachments of incoming emails, which does not fully validate user-supplied .tar files (specifically, the file names inside the archive).
“Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product,” according to the advisory. “Barracuda's investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances.”
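The root cause described above is an archive file name flowing, unvalidated, into a shell-interpolating call. The following Python example, added here for illustration and not code from Barracuda, Mandiant or the ESG product, shows the defensive pattern an attachment screener should follow: enumerate the members of an in-memory .tar attachment, reject any member name that does not match a strict allowlist, and hand a validated name to an external tool as a separate argv element so no shell ever parses it. The tar archives, the `build_tar` helper and the `echo`-based scan step are constructed for this example.

```python
from __future__ import annotations

import io
import re
import subprocess
import tarfile

# Allowlist for archive member names: one path component of word characters,
# dots and hyphens, not starting with a dot or hyphen, at most 255 characters.
# Path separators, "..", whitespace and every shell metacharacter fall outside
# this pattern and are therefore rejected before the name is used anywhere.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}$")


def is_safe_member_name(name: str) -> bool:
    """Return True only if the tar member name matches the allowlist exactly."""
    return SAFE_NAME.fullmatch(name) is not None


def screen_tar_attachment(data: bytes) -> list:
    """Open a .tar attachment held in memory and return its member names.

    Raises ValueError on the first unsafe name so the whole attachment can be
    quarantined instead of being partially processed.
    """
    names = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            if not is_safe_member_name(member.name):
                raise ValueError(f"unsafe archive member name: {member.name!r}")
            names.append(member.name)
    return names


def run_scan(name: str) -> str:
    """Hypothetical per-file scan step standing in for the real scanner.

    The file name is passed as its own argv element with shell=False, so even
    a name that slipped past validation would be an argument, never a command.
    This is the opposite of interpolating the name into a command string
    (the Perl qx pattern named in the advisory).
    """
    if not is_safe_member_name(name):
        raise ValueError(f"refusing to scan unsafe name: {name!r}")
    result = subprocess.run(
        ["echo", "scan", name],  # argv list, no shell involved
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def build_tar(names: list) -> bytes:
    """Constructed sample: build an in-memory tar with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in names:
            payload = b"sample"
            info = tarfile.TarInfo(name=n)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_tar(["invoice.pdf", "report_2023.txt"])
    print("accepted:", screen_tar_attachment(clean))
    for n in screen_tar_attachment(clean):
        print(run_scan(n))
    # A name containing a shell metacharacter is rejected as a whole attachment.
    suspicious = build_tar(["invoice.pdf", "notes;x.txt"])
    try:
        screen_tar_attachment(suspicious)
    except ValueError as exc:
        print("quarantined:", exc)
```

The allowlist is deliberately narrower than what a tar archive can legally contain; a screening module does not need to preserve arbitrary names, it needs to refuse anything it cannot reason about, and rejecting the whole attachment on the first bad member keeps the decision simple to audit.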
After Barracuda worked through incident response with Mandiant, three types of malware were identified as part of these attacks on ESG appliances.
A module for the Barracuda SMTP daemon called Saltwater was discovered. This trojanized module contains backdoor functionality and includes components that enable attackers to upload or download arbitrary files and execute commands. The backdoor also has proxying and tunneling capabilities. Another Barracuda SMTP daemon module called Seaside was found that monitors SMTP commands for a command-and-control (C2) IP address and port, which it then passes on to an external binary that creates a reverse shell. Finally, a backdoor called Seaspy was also discovered, which has code that overlaps with the known, publicly available backdoor cd00r.
“SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP),” according to the advisory. “SEASPY also contains backdoor functionality that is activated by a ‘magic packet.’”
Barracuda said that evidence of data exfiltration was also discovered on certain impacted appliances. ESG is particularly lucrative to attackers because it is deployed across many enterprise businesses, opening them up to attacks targeting sensitive data.
"The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access," said Caitlin Condon with Rapid7.
This article was updated on June 9 with new updates from Barracuda.