Tuesday, November 5, 2024
HomeCyber Security NewsHackers Exploit Barracuda Zero-Day Flaw Since 2022 to Install Malware

Hackers Exploit Barracuda Zero-Day Flaw Since 2022 to Install Malware

Published on

Malware protection

Barracuda Networks, which is currently owned by KKR (Kohlberg Kravis Roberts & Co.,) announced that they had faced a cyber attack in which a Zero Day flaw was exploited, and threat actors extracted data.

The earliest identification of this attack dates back to October 2022.

The flaw existed on their Email Security Gateway (ESG) appliance. The company worked closely with Mandiant cyber security experts to investigate this issue.

- Advertisement - SIEM as a Service

The vulnerability was identified to be CVE-2023-2868, and a patch was applied to all ESG appliances worldwide.

CVE-2023-2868: Remote Command Injection Vulnerability

This vulnerability exists due to improper processing, validation, and sanitization of the names of the files within the user-supplied .tar file.

An attacker could exploit this by sending a specially crafted file name in a specified manner, resulting in remote command execution on the system through Perl’s qx operator inside the Email Security Gateway (ESG) product.

Affected Products

ProductsVersions
Email Security Gateway Application5.1.3.001-9.2.0.006

Malware Deployment Using Zero-Day

There were three malware deployed by the threat actors using the Barracuda Email Security Gateway Appliance.

SALTWATER – Trojanised malware for uploading or downloading arbitrary files, command execution, proxy, and tunneling.  It uses five channels for these functionalities: UploadChannel, DownloadChannel, ProxyChannel, TunnelArgs, and ShellChannel.

SEASPY Persistent backdoor which looks like a legitimate Barracuda Networks Service by establishing itself as a PCAP filter. It monitors port 25 (SMTP) traffic and contains the backdoor functionality.

Mandiant analysis stated that the code could overlap between SEASPY and cd00r, a publicly available backdoor.

SEASIDE – Lua-based module which monitors SMTP HELO/EHLO commands that are used for receiving command and control (C2) IP address and port. It creates a reverse shell by sending the information as arguments to an external library.

File Metadata of the Malware

ModuleNameSHA256
SALTWATERmod_up.so1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4
SEASPYBarracudaMailService3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115
SEASIDEmod_require_helo.luafa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8
ModuleMD5File TypeSize (Bytes)
SALTWATER827d507aa3bde0ef903ca5dec60cdec8ELF x861,879,643
SEASPY4ca4f582418b2cc0626700511a6315c0ELF x642,924,217
SEASIDEcd2813f0260d63ad5adf0446253c2172Lua module2,724

Barracuda has also provided Indicators of Compromise, Network IOCs and YARA rules for detecting this malware.

Barracuda Networks said, “We took immediate steps to investigate this vulnerability.

Our investigation revealed that the vulnerability resulted in unauthorized access to several email gateway appliances. As part of our containment strategy, all ESG appliances received a second patch on May 21, 2023.

The company also confirmed that no other Barracuda products were affected due to this vulnerability, including the SaaS email security services.

They released patches for fixing this vulnerability as part of their BNSF-36456 on May 20, 2023.

Shut Down Phishing Attacks with Device Posture Security – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...