Barracuda Email Security Gateways bitten by data thieves

A critical remote command injection vulnerability in some Barracuda Networks devices that the vendor patched 11 days ago has been exploited by miscreants – for at least the past seven months.

Barracuda said it found the bug, tracked as CVE-2023-2868, in its Email Security Gateway (ESG) appliance on May 19 and pushed a patch to all of those products globally the next day.

In a security alert posted on Tuesday, however, the vendor disclosed that the vulnerability was under active exploit long before the patch arrived. The flaw, which affects a range of ESG appliance versions, can and has been abused to run remote commands on targeted equipment, hijack it, and deploy data-stealing spyware on the boxes.

“Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022,” it said, adding that its probe into the matter is still ongoing.

The attackers exploited the hole to break into “a subset” of Barracuda ESG appliances, and then dropped in malware to allow for persistent backdoor access and data theft, we’re told.

“Evidence of data exfiltration was identified on a subset of impacted appliances,” Barracuda added.

No other Barracuda products are affected, according to the security vendor.

Soon after noticing anomalous traffic originating from its email security products, Barracuda called in Mandiant to help with an investigation.

The day after it issued a patch, on May 21, Barracuda deployed a script to the compromised ESG appliances “to contain the incident and counter unauthorized access methods,” it said.

The vendor is also sending out a series of additional patches “in furtherance of our containment strategy,” according to Barracuda.

The biz declined to say how many customers had been compromised, or who has been exploiting the vulnerability. It claims more than 200,000 customers around the world use its security products.

Last Friday, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-2868 to its Known Exploited Vulnerabilities Catalog.

Saltwater, Seaspy and Seaside, oh my

The flaw, a remote command injection vulnerability, is due to incomplete input validation of a user-supplied .tar archive. Remote attackers can format the filenames in that archive in a way that allows them to execute a system command through Perl’s qx operator when the file is processed.
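As an added illustration of the weakness just described (this is not the appliance’s own code, which the alert says is Perl): a Python re-creation of the same pattern, a tar member name spliced into a shell command line, beside the hardened form that allowlists the name and hands the program an argv list with no shell in between. The in-memory archive, the `scan-tool` program name and the extraction directory are constructed assumptions of this example.

```python
import io
import re
import tarfile

# Allowlist for archive member names: a plain file name with no path
# separators and no shell metacharacters. Anything else is rejected
# before any external command is built.
SAFE_MEMBER_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

# Hypothetical extraction directory (an assumption of this example).
SCAN_DIR = "/tmp/esg-scan"


def build_sample_archive() -> bytes:
    """Construct a small .tar in memory (constructed data, not from the incident)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [
            ("invoice.pdf", b"%PDF-1.4 sample"),       # ordinary attachment name
            ("notes.txt`id`", b"hello"),               # backticks would run `id` in a shell
            ("report.doc;echo oops", b"hello"),        # semicolon is a shell command separator
            ("../escape.txt", b"hello"),               # path traversal out of SCAN_DIR
        ]:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def unsafe_scan_command(member_name: str) -> str:
    """The vulnerable pattern: the member name is interpolated into one command
    string that a shell would parse, which is what an interpolated Perl qx{...}
    does. Shown only to make the injection visible; never executed here."""
    return f"scan-tool {SCAN_DIR}/{member_name}"


def safe_scan_argv(member_name: str) -> list[str]:
    """Hardened form: validate against the allowlist, then build an argv list
    suitable for subprocess.run(argv) so no shell ever sees the name."""
    if not SAFE_MEMBER_NAME.fullmatch(member_name):
        raise ValueError(f"rejected archive member name: {member_name!r}")
    return ["scan-tool", "--", f"{SCAN_DIR}/{member_name}"]


def triage_archive(data: bytes) -> dict:
    """Walk the archive and sort member names into accepted argv lists and rejects."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for member in tar.getmembers():
            try:
                accepted.append(safe_scan_argv(member.name))
            except ValueError:
                rejected.append(member.name)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    for argv in result["accepted"]:
        print("would run:", argv)
    for name in result["rejected"]:
        print("rejected :", name, "| shell line would have been:", unsafe_scan_command(name))
```

The validation is the important half: in Perl, the equivalent of the argv form is the multi-argument list form of `system`, which does not go through a shell, whereas `qx` takes a single interpolated command string, so any archive-supplied name it includes must be checked against a strict allowlist first.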

After exploiting CVE-2023-2868 in the wild, the unnamed attacker deployed three types of malware on the compromised email security devices.

First, a backdoor dubbed Saltwater for uploading and downloading files, and executing commands. It also included proxy and tunneling capabilities.

“Mandiant is still analyzing SALTWATER to determine if it overlaps with any other known malware families,” the alert says.

Next, the crooks deployed Seaspy, an x64 persistence backdoor disguised as a legitimate Barracuda service. Seaspy establishes itself as a PCAP packet filter to monitor network traffic on port 25.

This piece of malware shares some code with cd00r, a publicly available backdoor, according to Mandiant and Barracuda.

And finally, Seaside is a Lua-based module that monitors incoming SMTP HELO/EHLO commands which, interestingly enough, tell it which command-and-control IP addresses and ports to use, and establishes a reverse shell for the attackers to issue commands.

Barracuda says it has notified customers whose products may have been compromised. As the investigation continues, that list of affected users may grow.

Customers should ensure that their ESG appliances are receiving and installing updates and patches, and if your product has been compromised: stop using it and contact Barracuda, support[at]barracuda[dot]com. See the advisory for indicators of compromise.

Additionally, rotate any applicable credentials linked to the ESG appliance – though bear in mind, if someone’s inside your equipment, they may well pick up the changes. And review network logs for any of the indicators of compromise listed in Barracuda’s security alert. ®
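An added example, not from this article or from Barracuda or Mandiant, tying together two passages above: the description of Seaside, whose command-and-control addresses arrive in SMTP HELO/EHLO arguments, and the closing advice to review network logs against the advisory’s indicators. It is a small Python pass over constructed SMTP log lines that flags HELO/EHLO arguments that are neither a hostname nor an address literal (the two shapes RFC 5321 permits) and source addresses that appear on an IoC list. The log format, the sample lines and the IoC set are constructed placeholders; the article does not describe how Seaside encodes its C2 data, so the argument check is a general heuristic for odd HELO/EHLO traffic, not a Seaside signature.

```python
import re

# Placeholder IoC set: replace with the indicators from Barracuda's advisory.
PLACEHOLDER_IOC_IPS = {"192.0.2.44"}

# Constructed log format for this example: timestamp, direction, source IP, verb, argument.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) smtp inbound (?P<src>\S+) (?P<verb>HELO|EHLO) (?P<arg>\S+)$"
)

# RFC 5321 HELO/EHLO argument shapes: a domain name, or an address literal in brackets.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
ADDRESS_LITERAL_RE = re.compile(
    r"^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$"
)

# Constructed sample log (documentation address ranges only, not real traffic).
SAMPLE_LOG = """\
2023-05-20T10:01:02Z smtp inbound 203.0.113.7 HELO mail.example.org
2023-05-20T10:01:05Z smtp inbound 198.51.100.9 EHLO [198.51.100.9]
2023-05-20T10:02:11Z smtp inbound 203.0.113.80 EHLO 203.0.113.250:8443
2023-05-20T10:03:40Z smtp inbound 192.0.2.44 EHLO relay.example.net
"""


def is_rfc5321_helo_argument(arg: str) -> bool:
    """True when the argument is a syntactically valid hostname or address literal."""
    return bool(HOSTNAME_RE.match(arg) or ADDRESS_LITERAL_RE.match(arg))


def review_smtp_log(lines, ioc_ips=None) -> list[dict]:
    """Return one finding per suspicious observation, in log order.

    Two checks: the peer address is on the IoC list, or the HELO/EHLO
    argument is not a hostname or address literal (e.g. carries an
    address and port, which a legitimate mail client has no reason to send).
    """
    ioc_ips = PLACEHOLDER_IOC_IPS if ioc_ips is None else ioc_ips
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an inbound greeting line; skip
        src, verb, arg = m["src"], m["verb"], m["arg"]
        if src in ioc_ips:
            findings.append({"src": src, "arg": arg,
                             "reason": "source IP matches IoC list"})
        if not is_rfc5321_helo_argument(arg):
            findings.append({"src": src, "arg": arg,
                             "reason": f"{verb} argument is not a hostname or address literal"})
    return findings


if __name__ == "__main__":
    for finding in review_smtp_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run as-is it reports the third line (a bare address-and-port argument) and the fourth (a peer on the placeholder IoC list); point it at the appliance’s real SMTP logs by adapting `LOG_RE` to their format and loading the advisory’s indicators into the IoC set.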