The purpose of this alert is to bring attention to a critical security issue identified in Barracuda Networks Email Security Gateway (ESG) physical appliances. This vulnerability is being tracked with the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2023-2868.
This vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) score of 9.8 by NIST.
On 18 May 2023, Barracuda became aware of suspicious network traffic transiting their ESG devices. Upon further investigation and after engaging Google-owned security firm Mandiant, Barracuda concluded that a critical remote command injection vulnerability existed in their ESG product. On 20 May, a patch was deployed to remediate the vulnerability and on 21 May, a script was deployed to try and contain exploitation of the devices.
Importantly, on 6 June 2023, Barracuda sent a notification to all customers to immediately decommission and replace all devices regardless of patch level. Even if the recent patches have been deployed, customers should immediately disconnect the devices.
The updated information from Barracuda informing customers that devices need to be replaced demonstrates that Threat Actors exploiting this vulnerability have been able to obtain persistence at a deep enough level such that wiping the device does not resolve the problem.
The vulnerability has been observed by cyber security firms to have been exploited in the wild since at least October 2022. In several cases, exploitation of this vulnerability has led to data loss and exfiltration, as well as the deployment of ransomware.
From a technical standpoint, the vulnerability exists in a module within the ESG product which screens the attachments of incoming emails. Barracuda have stated “The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product.”
This allows Threat Actors to achieve remote command injection and subsequently execute code on ESG devices for unauthorised access. Utilising the remote command injection, Threat Actors are then deploying malware and persistent backdoors.
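As an added illustration of the input validation gap described above (this is example code, not Barracuda's scanning module or anything from the advisory), the following Python triage check inspects the member names of a .tar attachment, without extracting it, and flags any name containing shell metacharacters that would be unsafe to interpolate into a Perl qx call. The sample archives are constructed in memory for the demonstration.

```python
import io
import re
import tarfile

# Characters with special meaning to the shell; a tar entry name containing
# any of these must never be interpolated into a qx()/backtick command string.
UNSAFE_CHARS = re.compile(r"[`$;|&<>(){}\n\r'\"\\]")


def unsafe_tar_members(data: bytes) -> list[str]:
    """Return the member names in a tar archive that contain shell metacharacters.

    Only the archive headers are read; no member is extracted to disk.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if UNSAFE_CHARS.search(member.name):
                flagged.append(member.name)
    return flagged


def build_sample_archive(names: list[str]) -> bytes:
    """Build an in-memory tar archive with the given member names (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            payload = b"placeholder"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two ordinary names and one carrying metacharacters.
    sample = build_sample_archive(
        ["invoice.pdf", "notes/readme.txt", "report;$(PLACEHOLDER).pdf"]
    )
    print(unsafe_tar_members(sample))  # → ['report;$(PLACEHOLDER).pdf']
```

A name that trips this check is a reason to quarantine the attachment for review; the safe fix on the processing side is to avoid passing attachment names through a shell at all.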
The malware observed has been classified by Mandiant as three variants:
SALTWATER – A trojanized module of the Barracuda Simple Mail Transfer Protocol (SMTP) daemon. A backdoor has been added to the module, which allows Threat Actors to download or upload files, execute commands and execute proxy tunnelling capabilities for access further into a network.
SEASPY – Another persistent backdoor that masquerades as a legitimate Barracuda service. The malicious service sets up a Packet Capture (PCAP) filter which monitors for traffic on port 25 and port 587 – both ports are associated with different functionality of SMTP.
SEASIDE – Monitors for SMTP HELO/EHLO commands to receive a Command and Control (C2) IP address and port which are then used to establish a reverse shell, providing the Threat Actor with an interactive shell on the host.
A full listing of Indicators of Compromise is available in the Barracuda bulletin:
Unfortunately, decommissioning and replacing the appliances is the only course of action available to mitigate this vulnerability, as devices could already be compromised, even if they are no longer internet facing.
Barracuda have also recommended that users and clients rotate any credentials connected to the ESG appliance, including:
Any connected LDAP/AD.
Barracuda Cloud Control.
Any private TLS certificates.
ESG users are also urged to hunt for IOCs provided by Barracuda to check for evidence of compromise.
The Triskele Labs DefenceShield Security Operations Centre (SOC) is monitoring for suspicious activity for Managed Detection and Response (MDR) clients. IOCs provided by Barracuda have been ingested into Triskele Labs CTI feeds for alerting in SIEM platforms.
Triskele Labs is performing ongoing scanning for DefenceShield Assess clients to detect vulnerable devices in client networks.
For any questions, please reach out to the DefenceShield Security Operations Centre or contact Triskele Labs support.