Barracuda Networks, which is currently owned by KKR (Kohlberg Kravis Roberts & Co.,) announced that they had faced a cyber attack in which a Zero Day flaw was exploited, and threat actors extracted data.
The earliest identification of this attack dates back to October 2022.
The flaw existed on their Email Security Gateway (ESG) appliance. The company worked closely with Mandiant cyber security experts to investigate this issue.
The vulnerability was identified to be CVE-2023-2868, and a patch was applied to all ESG appliances worldwide.
This vulnerability exists due to improper processing, validation, and sanitization of the names of the files within the user-supplied .tar file.
An attacker could exploit this by sending a specially crafted file name in a specified manner, resulting in remote command execution on the system through Perl’s qx operator inside the Email Security Gateway (ESG) product.
| Products | Versions |
| Email Security Gateway Application | 5.1.3.001-9.2.0.006 |
There were three malware deployed by the threat actors using the Barracuda Email Security Gateway Appliance.
SALTWATER – Trojanised malware for uploading or downloading arbitrary files, command execution, proxy, and tunneling. It uses five channels for these functionalities: UploadChannel, DownloadChannel, ProxyChannel, TunnelArgs, and ShellChannel.
SEASPY – Persistent backdoor which looks like a legitimate Barracuda Networks Service by establishing itself as a PCAP filter. It monitors port 25 (SMTP) traffic and contains the backdoor functionality.
Mandiant analysis stated that the code could overlap between SEASPY and cd00r, a publicly available backdoor.
SEASIDE – Lua-based module which monitors SMTP HELO/EHLO commands that are used for receiving command and control (C2) IP address and port. It creates a reverse shell by sending the information as arguments to an external library.
| Module | Name | SHA256 |
| SALTWATER | mod_up.so | 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4 |
| SEASPY | BarracudaMailService | 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115 |
| SEASIDE | mod_require_helo.lua | fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8 |
| Module | MD5 | File Type | Size (Bytes) |
| SALTWATER | 827d507aa3bde0ef903ca5dec60cdec8 | ELF x86 | 1,879,643 |
| SEASPY | 4ca4f582418b2cc0626700511a6315c0 | ELF x64 | 2,924,217 |
| SEASIDE | cd2813f0260d63ad5adf0446253c2172 | Lua module | 2,724 |
Barracuda has also provided Indicators of Compromise, Network IOCs and YARA rules for detecting this malware.
Barracuda Networks said, “We took immediate steps to investigate this vulnerability.
Our investigation revealed that the vulnerability resulted in unauthorized access to several email gateway appliances. As part of our containment strategy, all ESG appliances received a second patch on May 21, 2023.”
The company also confirmed that no other Barracuda products were affected due to this vulnerability, including the SaaS email security services.
They released patches for fixing this vulnerability as part of their BNSF-36456 on May 20, 2023.
Shut Down Phishing Attacks with Device Posture Security – Download Free E-Book
The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…
Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…
The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…
Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…
A security researcher discovered a vulnerability in Windows theme files in the previous year, which…
The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…