Overview – Custom Malware Infects Barracuda ESG

Using a zero-day vulnerability from 2022, threat actors have been infecting Barracuda’s Email Security Gateway (ESG) with custom malware. Barracuda Networks, whose email security appliances are installed in over 200,000 organizations around the world, released an update to patch the zero-day. However, the fix came at least seven months after threat actors began exploiting the vulnerability. During this time, cybercriminals were able to backdoor customers through the ESG.

History of the Barracuda ESG Zero-Day

The bug, tracked as CVE-2023-2868, was part of an ongoing investigation initiated by Barracuda back in October 2022. The investigation shows that threat actors were able to gain access to a “subset of ESG appliances” and then deploy backdoors that gave them persistent access to the compromised systems, as well as steal information from the ESG appliances.

Initially, the security flaw was discovered on May 19th, the day after Mandiant, a cybersecurity firm, began digging into the suspicious activity. Then on May 20th, Barracuda released and applied a patch to all ESG appliances. The patch blocks the attackers’ access to the compromised devices using a dedicated script. On May 24th, Barracuda warned customers that their ESG appliances might have been breached using the now-patched zero-day bug. The warning advised customers to investigate their environment to ensure that no threat actors were moving laterally throughout the network.

Custom Malware Used in ESG Zero-Day Attacks

As mentioned, these attacks involve the use of custom malware. The first custom malware, named Saltwater, is a trojanized Barracuda SMTP daemon (bsmtpd) module that gives attackers a backdoor into infected appliances. Additionally, Saltwater can execute commands on compromised devices, transfer files, and proxy/tunnel the attacker’s malicious traffic to avoid detection.

The second malware strain found during the investigation of this attack is called SeaSpy, which is activated by “magic packets”. This malware monitors port 25 (SMTP) traffic, and some of its code overlaps with the publicly available cdoor passive backdoor. SeaSpy also establishes reverse shells via SMTP HELO/EHLO commands sent from the malware’s command-and-control (C2) server. Indicators of compromise (IOCs) can be found on Barracuda’s website.

What Should Barracuda ESG Users Do to Stay Secure?

In summary, we advise users of Barracuda Email Security Gateway appliances to check that their ESG appliances are up to date and, of equal importance, to stop using any breached appliance. Users with affected devices should request a new virtual or hardware appliance, rotate credentials linked to hacked appliances, and check network logs for IOCs and for connections from unknown IP addresses. Barracuda notes that impacted users have been notified of actions to take via the ESG. As for maintaining patches in the future, we recommend staying current on vendor communications as they relate to applications within your environment.
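The log review in the last of those steps can be done with a short, offline script. The following is an added example written for this post; it is not code from Barracuda, Mandiant, or the original article. It reads firewall-style connection records for the appliance, flags any record whose source or destination matches an IOC list, and separately flags connections to peers outside an allowlist of expected networks. Every IP address, log line, and IOC below is constructed from TEST-NET and private ranges purely for illustration; the real indicators must be taken from Barracuda’s advisory, and the allowlist must be your own.

```python
"""
Added example (not from the original post or from Barracuda): triage a
connection log for IOC matches and connections to unknown peers, as
recommended after an ESG compromise.

All IP addresses, log lines and the IOC list are CONSTRUCTED placeholders
(TEST-NET / RFC 1918 ranges), NOT Barracuda's published indicators.
"""
import ipaddress
import re

# Constructed IOC list: placeholders to be replaced with the vendor's IOCs.
IOC_IPS = frozenset({"203.0.113.10", "198.51.100.77"})

# Constructed allowlist of networks the appliance is expected to talk to
# (internal hosts, the upstream mail relay, update servers, ...).
KNOWN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed log excerpt: one record per line plus one malformed line,
# so the parser's handling of garbage is exercised too.
SAMPLE_LOG = """\
2023-05-21T02:14:07Z src=10.10.5.20 dst=192.0.2.25 dport=25 action=allow
2023-05-21T02:15:31Z src=10.10.5.20 dst=203.0.113.10 dport=25 action=allow
2023-05-21T02:16:02Z src=10.10.5.20 dst=198.18.0.9 dport=443 action=allow
this line is not a connection record
2023-05-21T02:17:45Z src=10.10.5.20 dst=10.20.0.5 dport=25 action=allow
2023-05-21T02:18:12Z src=198.51.100.77 dst=10.10.5.20 dport=25 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Parse key=value connection records; return (records, malformed_count)."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            malformed += 1          # keep going, but count what we skipped
            continue
        rec = match.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records, malformed


def is_known_peer(ip):
    """True if ip falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                # unparsable addresses are never "known"
    return any(addr in net for net in KNOWN_NETWORKS)


def triage(text, ioc_ips=IOC_IPS):
    """Split records into IOC hits, connections to unknown peers, and a
    count of malformed lines. IOC matches take precedence over the
    allowlist check so a listed indicator is never hidden by a broad
    allowlist entry."""
    records, malformed = parse_log(text)
    ioc_hits, unknown_peers = [], []
    for rec in records:
        peers = (rec["src"], rec["dst"])
        if any(p in ioc_ips for p in peers):
            ioc_hits.append(rec)
        elif not all(is_known_peer(p) for p in peers):
            unknown_peers.append(rec)
    return {"ioc_hits": ioc_hits, "unknown_peers": unknown_peers,
            "malformed": malformed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec in result["ioc_hits"]:
        print("IOC match     ", rec["ts"], rec["src"], "->", rec["dst"])
    for rec in result["unknown_peers"]:
        print("unknown peer  ", rec["ts"], rec["src"], "->", rec["dst"])
    print("malformed lines:", result["malformed"])
```

Run against the constructed excerpt, two records match the placeholder IOCs and one record goes to a peer outside the allowlist; the remaining records are expected traffic. In practice the unknown-peer list is the more useful output, because an attacker’s infrastructure that is not yet on any published IOC list still shows up as a peer the appliance had no business talking to.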

A Solution to Managing Your Organization’s Security

As cyber threats become more complex and frequent, it’s crucial for organizations to prioritize cybersecurity. However, limited resources often make it difficult for small and medium-sized organizations (SMBs) to effectively manage their security. That’s why partnering with a Managed Security Service Provider (MSSP) like M.A. Polce can be a strategic business initiative for SMBs. MSSPs have the expertise and resources to handle critical security practices, such as patch management and network monitoring. By outsourcing these tasks, organizations can focus on their core business objectives while ensuring their security posture is strong and up-to-date. If your organization could use assistance managing its cybersecurity, contact us today. We’ll evaluate your needs and customize a solution that fulfills them.

Sources

https://www.barracuda.com/company/legal/esg-vulnerability#:~:text=the%20section%20below.-,Endpoint%20IOCs,-Table%204%20lists – Barracuda’s released IOCs
https://www.securityweek.com/barracuda-zero-day-exploited-to-deliver-malware-for-months-before-discovery/
https://www.bleepingcomputer.com/news/security/barracuda-warns-of-email-gateways-breached-via-zero-day-flaw/
https://www.bleepingcomputer.com/news/security/barracuda-zero-day-abused-since-2022-to-drop-new-malware-steal-data/