
Enterprise security firm Barracuda revealed Tuesday that a recently patched zero-day vulnerability in its Email Security Gateway (ESG) appliances has been exploited by threat actors to backdoor devices since October 2022.
The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), was actively exploited for at least seven months before it was discovered.
Identified by Barracuda on May 19, 2023, the flaw affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to execute code on a vulnerable installation. Barracuda released patches on May 20 and May 21.
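The affected version range above is the first thing a defender needs to check against an appliance inventory, and it is easy to get wrong: the last component is zero-padded ("001", "006") and a plain string comparison mis-orders versions such as "10.x" against "9.x". The following is an added example, not code from the article or from Barracuda, that parses the four-part firmware version numerically and flags appliances inside the inclusive range 5.1.3.001 through 9.2.0.006; the hostnames and versions in the sample inventory are constructed.

```python
from typing import List, Tuple

# Affected range from the advisory, inclusive at both ends.
AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted four-part firmware version into integer components.

    Numeric comparison is required: the last component is zero-padded,
    and a string comparison would also order '10.0.0.001' before '9.2.0.006'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version falls within the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose firmware version is in the affected range."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("esg-dc1.example.internal", "9.1.0.019"),    # inside the range
    ("esg-dc2.example.internal", "9.2.0.006"),    # upper bound, inclusive
    ("esg-lab.example.internal", "9.2.0.007"),    # one past the upper bound
    ("esg-old.example.internal", "5.1.3.000"),    # one below the lower bound
    ("esg-branch.example.internal", "10.0.0.001"),  # would sort wrongly as a string
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: firmware in affected range; confirm the May 20/21 patch "
              f"is applied and review the appliance for signs of compromise")
```

A version inside the range means the appliance needs the patch status verified and a compromise review; a version outside the range says nothing about whether the device was already backdoored before it was updated.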
“CVE-2023-2868 was utilized to gain unauthorized access to a subset of ESG appliances,” the network and email security firm said in its latest advisory.
“Malware that enables persistent backdoor access has been identified on a subset of appliances. Evidence of data exfiltration has been identified on a subset of affected appliances.”
Three different malware strains have been discovered to date.
- SALTWATER – A trojanized module for the Barracuda SMTP daemon (bsmtpd) with backdoor functionality to upload or download arbitrary files, execute commands, and proxy or tunnel malicious traffic so that it flies under the radar.
- SEASPY – An x64 ELF backdoor that provides persistence and is activated by a magic packet.
- SEASIDE – A Lua-based module for bsmtpd that establishes a reverse shell via SMTP HELO/EHLO commands sent by the malware's command-and-control (C2) server.
According to Google-owned Mandiant, which is investigating the incident, code overlap has been identified between SEASPY and cd00r. The attacks have not been attributed to any known threat actor or group.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also last week added the bug to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply a fix by June 16, 2023.
Barracuda did not disclose how many organizations were compromised, but said it had contacted the affected customers directly with mitigation guidance. It also warned that the ongoing investigation could identify additional affected users.