Security News > 2023 > May > Attackers hacked Barracuda ESG appliances via zero-day since October 2022

Attackers hacked Barracuda ESG appliances via zero-day since October 2022
2023-05-30 17:00

Barracuda says that the recently discovered compromise of some of it clients' ESG appliances via a zero-day vulnerability resulted in the deployment of three types of malware and data exfiltration.

Zeor-day exploited, Barracuda ESG appliances backdoored.

On May 23, Barracuda Networks publicly acknowledged that attackers have been exploiting CVE-2023-2868 to breach Email Security Gateway on-prem physical appliances at various organizations.

Today, they confirmed that the first patch, which remediated the remote command injection vulnerability, was applied to all ESG appliances worldwide on May 20, and was followed by a script that was "Deployed to all impacted appliances to contain the incident and counter unauthorized access methods."

SALTWATER, a trojanized module for the Barracuda SMTP daemon, which serves as a backdoor that has proxy and tunneling capabilities and allows attackers to upload or download arbitrary files and execute commands.

SEASPY, an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 SEASIDE, a Lua-based module for the Barracuda SMTP daemon that establishes a connection to the attackers' C2 server and helps establish a reverse shell.


News URL

https://www.helpnetsecurity.com/2023/05/30/barracuda-esg-zero-day/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-05-24 CVE-2023-2868 Command Injection vulnerability in Barracuda products
A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006.
network
low complexity
barracuda CWE-77
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Barracuda 19 0 2 4 5 11