ANNOUNCEMENT

Barracuda Email Security Gateway (ESG) Zero Day Vulnerability

Introduction

National Cyber Coordination and Command Centre (NC4) is aware of active exploitation of vulnerabilities in the Barracuda Email Security Gateway (ESG) that could allow an attacker to gain control of an affected appliance, install backdoors and exfiltrate data. The impact is rated critical because the exploitation has been observed being used as a vector for espionage activity.

Impact

Information leakage, malware infection.

Impacted Platforms

Barracuda Email Security Gateway (appliance form factor only) Ver. 5.1.3.001 – 9.2.0.006

Brief Description

Barracuda disclosed that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in the wild as early as October 2022 and remained undiscovered until May 2023. The vulnerability stems from incomplete sanitisation when processing .tar files (tape archives). It exists in the antivirus scanning module (Amavis) that screens email attachments: the names of the files contained within a user-supplied .tar archive are not validated before use. A remote attacker can therefore craft these file names so that they are interpolated into a command executed through Perl's qx operator, achieving remote command execution with the privileges of the Email Security Gateway product. In practice this is exploited by sending an email with a crafted .tar attachment, which results in execution of a reverse shell payload on the affected appliance.
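The flaw described above, as an added Python example that is not Barracuda's code and does not reproduce the actual vulnerable Perl: it constructs a tar archive in memory with a member name containing shell metacharacters, shows the string that a qx-style interpolation would hand to a shell (returned, not executed) beside the argv form that cannot be injected, and provides a pre-screen that lists archive members carrying such names. The command template, the metacharacter set and the sample file names are assumptions for illustration only.

```python
import io
import re
import shlex
import tarfile

# Assumed set of characters that change a shell command line when a file name is
# pasted into it unquoted (command substitution, separators, redirection, quoting).
# Whitespace is deliberately left out to keep the pre-screen low-noise.
SHELL_METACHARS = re.compile(r"""[`$;&|<>"'\\(){}]""")


def build_tar(member_names):
    """Construct an in-memory tar archive whose members carry the given names.
    Sample input for this example; the member contents are irrelevant."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            data = b"constructed content"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def interpolated_command(member_name):
    """Vulnerable pattern (an analogue of Perl's qx{...} with an interpolated
    variable): the untrusted member name becomes part of a shell command string.
    Returned rather than executed; with a name such as x`id`.txt the shell would
    run `id` before tar ever saw the argument."""
    return f"tar -O -xf attachment.tar {member_name}"


def safe_command_argv(member_name):
    """Hardened form: an argv list passed without a shell, so the name reaches
    tar as one literal argument; `--` stops it being parsed as an option."""
    return ["tar", "-O", "-xf", "attachment.tar", "--", member_name]


def quoted_command(member_name):
    """If a shell string is unavoidable, shlex.quote neutralises metacharacters."""
    return f"tar -O -xf attachment.tar -- {shlex.quote(member_name)}"


def find_suspicious_members(tar_bytes):
    """Pre-screen: list member names containing shell metacharacters. Suitable for
    sweeping retained inbound .tar attachments from the exploitation window."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if SHELL_METACHARS.search(m.name)]


if __name__ == "__main__":
    hostile = build_tar(["report.txt", "x`id`.txt"])
    print("flagged:", find_suspicious_members(hostile))
    print("unsafe :", interpolated_command("x`id`.txt"))
    print("argv   :", safe_command_argv("x`id`.txt"))
    print("quoted :", quoted_command("x`id`.txt"))
```

The validator is an allowlist-style pre-screen, not a replacement for the vendor patch: the durable fix is never to hand attacker-controlled names to a shell at all, which is what the argv form shows.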

From the observations, three principal backdoors have been deployed using this vulnerability, namely SALTWATER, SEASIDE and SEASPY. These backdoors capture SMTP traffic, proxy into victim environments and maintain persistence. Exfiltration of email data took place from the Barracuda ESG mstore. The mstore is a legitimate Barracuda service used to store mail for a period on ESG appliances for processing. Notably, victim SSL certificates were also exfiltrated and then used on malware command and control (C2) servers. Additional post-exploitation malware, namely SEASPY v2, WHIRLPOOL and SEASPRAY, has been deployed to maintain persistence in the victim environment. Several post-exploitation techniques have also been observed that hinder incident response efforts and evade detection, namely SANDBAR, timestomping and file deletion.

Barracuda has released patches for the Barracuda Email Security Gateway (appliance form factor only) Ver. 5.1.3.001 – 9.2.0.006 as part of the BNSF-36456 patch. However, any ESG appliance that has been compromised poses a serious threat and must be replaced immediately, regardless of its patch level.

Therefore, all organisations are urged to review the Barracuda advisory[1], and all impacted customers should follow the mitigation steps and perform threat hunting based on the listed indicators of compromise (IOCs) to uncover any malicious activity.

Recommendation

According to Barracuda[1], organisations should discontinue use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to replace it with a new ESG virtual or hardware appliance. Impacted organisations should also review their environments and determine any additional actions they need to take, including reviewing enterprise privileged credentials, such as Active Directory accounts, that were used to manage the affected Barracuda appliance. NC4 also advises organisations to validate the use and behaviour of all credentials used on the appliance.

Organisations are also advised to be vigilant and to take the following actions:

  • Sweep impacted environment for IOCs
  • Review email logs to identify the initial point of exposure
  • Revoke and rotate all local and domain-based credentials that were on the ESG
  • Revoke and reissue all certificates on the ESG
  • Monitor the environment for the use of credentials
  • Monitor the environment for use of certificates
  • Review network logs for signs of data exfiltration and lateral movement
  • Image the ESG appliance and conduct a forensic analysis
  • Report any anomalies happening within your network and enterprise environment to NC4

References

  1. https://www.barracuda.com/company/legal/esg-vulnerability
  2. https://mandiant.widen.net/s/qwlxddwdg6/barracuda-cve-2023-2868-hardening
  3. https://www.cisa.gov/news-events/alerts/2023/06/15/barracuda-networks-releases-update-address-esg-vulnerability

14-07-2023

CONTACT US

NATIONAL CYBER SECURITY AGENCY (NACSA)

National Security Council
Prime Minister's Department
Level LG & G, West Wing,
Perdana Putra Building,
Federal Government Administrative Center,
62502 Putrajaya, Malaysia.