Barracuda Email Security Gateways bitten by data thieves

A captious distant bid injection vulnerability successful immoderate Barracuda Network devices that nan vendor patched 11 days agone has been exploited by miscreants – for astatine slightest nan past 7 months.

Barracuda said it discovered nan bug, tracked arsenic CVE-2023-2868, successful its Email Security Gateway (ESG) appliance connected May 19 and pushed a patch to each of these products globally nan pursuing day.

In a security alert posted connected Tuesday, however, nan vendor disclosed that nan vulnerability was nether progressive utilization agelong earlier nan spot arrived. The flaw, which affects versions 5.1.3.001 to 9.2.0.006 of nan ESG appliance, tin and has been abused to tally distant commands connected targeted equipment, hijack them, and deploy data-stealing spyware connected nan boxes.

"Earliest identified grounds of exploitation of CVE-2023-2868 is presently October 2022," it said, adding its probe into nan matter is still ongoing.

The attackers exploited nan spread to break into "a subset" of Barracuda ESG appliances, and past dropped successful immoderate malware to let for persistent backdoor entree and information theft, we're told. 

"Evidence of information exfiltration was identified connected a subset of impacted appliances," Barracuda added.

No different Barracuda products are affected, according to nan information vendor.

Soon aft spotting abnormal postulation originating from its email information products, Barracuda called successful Mandiant to thief pinch an investigation. 

The time aft it issued a patch, connected May 21, Barracuda deployed a book to nan compromised ESG appliances "to incorporate nan incident and antagonistic unauthorized entree methods," it said. 

Plus nan vendor is sending a bid of further patches "in furtherance of our containment strategy," according to Barracuda.

The biz declined to opportunity really galore customers were compromised, and who has been exploiting nan vulnerability. It claims more than 200,000 customers astir nan world usage its information products. 

Last Friday, nan US government's Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-2868 to its Known Exploited Vulnerabilities Catalog.

Saltwater, Seaspy and Seaside, ohio my

The flaw, a distant bid injection vulnerability, is owed to incomplete input validation of a user-supplied .tar archive. Remote attackers tin format nan filenames successful that archive successful a measurement that allows them to execute a strategy bid done Perl's qx usability erstwhile nan record is processed.

After exploiting CVE-2023-2868 successful nan wild, nan unnamed attacker deployed 3 types of malware connected nan compromised email information devices.

First, a backdoor dubbed Saltwater for uploading and downloading files, and executing commands. It besides included proxy and tunneling capabilities.

"Mandiant is still analyzing SALTWATER to find if it overlaps pinch immoderate different known malware families," nan alert says.

Next, nan crooks deployed Seaspy, an x64 persistence backdoor disguised arsenic a morganatic Barracuda service. Seaspy establishes itself arsenic a PCAP packet select to show web postulation connected larboard 25.

This portion of malware shares immoderate codification pinch cd00r, a publically disposable backdoor, according to Mandiant and Barracuda.

• Cisco squashes captious bugs successful mini biz switches
• Intel says Friday's enigma 'security update' microcode isn't really a information update
• Alien versus Predator? No, this Android spyware useful together
• Spotted: Suspected Russian malware designed to disrupt Euro, Asia power grids

And finally, Seaside is simply a Lua-based module that monitors incoming SMTP HELO/EHLO commands that, interestingly enough, show it which command-and-control IP addresses and ports to use, and establishes a reverse ammunition for nan attackers to rumor commands.

Barracuda says it has notified customers whose products whitethorn person been compromised. As nan investigation continues, that database of affected users whitethorn grow. 

Customers should guarantee that their ESG appliances are receiving and installing updates and patches, and if your merchandise has been compromised: extremity utilizing it and interaction Barracua, support[at]barracuda[dot]com. See nan advisory for indicators of compromise.

Additionally, rotate immoderate applicable credentials connected to nan ESG appliance – though carnivore successful mind, if someone's wrong your equipment, they whitethorn good prime up nan changes. And reappraisal web logs for immoderate of nan indicators of discuss listed successful Barracuda's information alert. ®