The recent discovery of a zero-day vulnerability (CVE-2023-2868) in Barracuda Networks Email Security Gateway (ESG) appliances has brought significant concern.
CVE-2023-2868 is a remote command injection vulnerability that grants unauthorized execution of system commands with administrator privileges on Barracuda ESG appliances.
Notably, this vulnerability affects ESG versions 5.1.3.001-9.2.0.006 in the appliance form factor. The vulnerability is exploited during the email attachment screening process.
Cyber actors can format TAR file attachments in a specific manner and send them to an email address linked to a domain with an ESG appliance.
This malicious attachment triggers a command injection, allowing the execution of commands within the ESG with its privileges. More details about Barracuda’s zero-day vulnerability can be found here.
Evidence of the exploitation of Barracuda ESG appliances emerged in October 2022.
Suspected PRC cyber actors utilized emails with malicious attachments to target victims.
Initially, attachments had “.tar” extensions, later evolving to different formats like “.jpg” or “.dat.”
Upon scanning, these files initiated a connection to a domain/IP controlled by the actors, establishing a reverse shell and enabling further commands on the ESG device.
Following the compromise, actors injected various malicious payloads to gain persistent access, scan emails, harvest credentials, and exfiltrate data.
The vulnerability’s exploitation involves formatting malicious attachments to trigger command injection.
Exploited ESG appliances remain at risk even after patches have been applied. The FBI urges immediate isolation and replacement of affected ESG appliances.
The attackers’ advanced techniques include counter-forensics, making detection challenging.
Networks must be scanned for connections to provide indicators of compromise.
The FBI released a list that includes domains and IP addresses utilized by the attackers for malicious activities through an investigation.
The cyber division of the FBI also published recommended Barracuda mitigations for this exploitation.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…