
Hackers Exploit Barracuda ESG Zero-Day Flaw to Backdoor Malware

Enterprise security firm Barracuda has shared details of a new attack campaign, attributed to as-yet unknown attackers, that exploited a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances. The flaw, tracked as CVE-2023-2868, has been exploited by threat actors since October 2022 to distribute several different malware strains.

What has been disclosed?

While the investigation is ongoing, researchers disclosed that the flaw was exploited to obtain unauthorized access to a subset of ESG appliances and infect them with malware.
  • Three different malware strains have been identified so far, tracked as SALTWATER, SEASPY, and SEASIDE.
  • SALTWATER is a trojanized module of the Barracuda SMTP daemon. It can upload or download arbitrary files, execute commands, and tunnel traffic to stay under the radar.
  • SEASPY is an x64 ELF backdoor whose code overlaps with cd00r, a publicly available backdoor.
  • SEASIDE is a Lua-based module for the Barracuda SMTP daemon that monitors SMTP HELO/EHLO commands to establish communication with the malware's C2 server.

About the vulnerability

  • The flaw is a command injection vulnerability affecting Barracuda ESG versions 5.1.3.001 through 9.2.0.006.
  • The vulnerability stems from incomplete input validation of user-supplied .tar files, specifically of the names of the files contained within the archive.
  • Patches were released on May 20 and May 21.
  • CISA added the flaw to its KEV catalog last week, urging federal agencies to apply the patches by June 16.
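The root cause described above is insufficient validation of member names inside an uploaded .tar archive. As an added example that is not Barracuda's code, the following Python routine audits an archive's member names against a strict allowlist before anything is extracted or handed to another process; the archive and its member names are constructed in memory for the demonstration.

```python
from __future__ import annotations
import io
import re
import tarfile

# Allowlist for archive member names: ASCII letters, digits, dot, dash,
# underscore and forward slash. Anything else (spaces, quotes, backticks,
# '$', ';', '|', newlines, non-ASCII) is rejected outright, so a member
# name can never carry shell metacharacters into a later processing step.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._/-]+")

def member_name_problems(name: str) -> list[str]:
    """Return the reasons a tar member name is unacceptable (empty list if OK)."""
    problems = []
    if not name:
        return ["empty name"]
    if not _SAFE_NAME.fullmatch(name):
        problems.append("characters outside allowlist")
    if name.startswith("/"):
        problems.append("absolute path")
    if ".." in name.split("/"):
        problems.append("parent-directory traversal")
    return problems

def audit_tar(data: bytes) -> dict[str, list[str]]:
    """Inspect a tar archive (as bytes) without extracting it; map each
    offending member name to the reasons it was rejected."""
    findings: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for info in tar.getmembers():
            problems = member_name_problems(info.name)
            if problems:
                findings[info.name] = problems
    return findings

def build_sample_tar(names: list[str]) -> bytes:
    """Constructed test archive: every name becomes a small regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: one benign name, one traversal, one with unsafe characters.
    sample = build_sample_tar(["docs/readme.txt", "../etc/override", "report 2023;v2.txt"])
    for name, why in audit_tar(sample).items():
        print(f"REJECT {name!r}: {', '.join(why)}")
```

An archive with any finding should be rejected as a whole rather than partially processed, since the unsafe name is the indicator, not the file content.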

Conclusion

While the number of organizations impacted by the attack is not known, Barracuda has shared a list of all endpoint and network indicators attributed to the malware strains. Additionally, Barracuda has recommended discontinuing use of any compromised ESG appliance and obtaining a new ESG virtual or hardware appliance.
Cyware Publisher