update (6/16/2023):

In May 2023, Avertium reported on a critical zero-day vulnerability (CVE-2023-2868) found in physical Barracuda Email Security Gateway (ESG) devices. At the time, the vulnerability allowed for remote command injection on versions 5.1.3.001 - 9.2.0.006, and was being exploited by attackers.  

Instead of providing a patch for the vulnerability, Barracuda advised all users to replace their ESG appliances; this is the company's only remediation and its only recommendation. Barracuda also advised users to contact its customer support via email to arrange replacement of their devices.

This week, a new problem linked to CVE-2023-2868 has come to light. CISA identified two backdoors, named Whirlpool and SeaSpy, used in attacks on Barracuda ESG devices. According to CISA, CVE-2023-2868 was used to deploy the SeaSpy and Whirlpool backdoor payloads onto compromised devices.

SeaSpy, a persistent backdoor already known from earlier attacks on Barracuda appliances, masquerades as a legitimate Barracuda service called "BarracudaMailService" and enables threat actors to execute arbitrary commands on ESG appliances. Whirlpool, by contrast, is a newly reported tool: it establishes a TLS reverse shell to the attackers' command-and-control (C2) server. In June 2023, Mandiant published a report attributing Whirlpool to the Chinese threat actor UNC48


overview

A critical zero-day vulnerability tracked as CVE-2023-2868 was found in physical Barracuda Email Security Gateway appliances and is being exploited by attackers. The vulnerability allows for remote command injection and affects versions 5.1.3.001 - 9.2.0.006.  

According to the official CVE listing, the vulnerability occurs due to incomplete input validation when processing .tar (tape archive) files. CVE-2023-2868 stems from insufficient validation of user-supplied file names within the archive: the flaw allows remote attackers to execute system commands through Perl's qx operator with the privileges of the Email Security Gateway product.
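As an added, defender-oriented illustration of the class of flaw described above (this is not code from Barracuda, CISA or the original notice), the following Python snippet shows the kind of strict allowlist check a screening component should apply to archive member names before any such name reaches shell-interpolating code like Perl's qx. It builds two small tar archives in memory; the member names are constructed samples, not observed attack payloads.

```python
import io
import re
import tarfile

# Allowlist: each path component starts with an alphanumeric character and
# contains only [A-Za-z0-9._-]. One rule rejects shell metacharacters
# (; | & ` $ and spaces), absolute paths, hidden files and ".." components.
SAFE_MEMBER_NAME = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:/[A-Za-z0-9][A-Za-z0-9._-]*)*$"
)


def unsafe_members(tar_bytes: bytes) -> list[str]:
    """Return the member names in a tar archive that fail the allowlist.

    An empty list means every name is safe to treat as a plain filename.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            if not SAFE_MEMBER_NAME.fullmatch(member.name):
                flagged.append(member.name)
    return flagged


def screen_attachment(tar_bytes: bytes) -> bool:
    """Policy decision: accept the archive only if no member name is flagged."""
    return not unsafe_members(tar_bytes)


def build_tar(names: list[str]) -> bytes:
    """Build an uncompressed tar archive in memory (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_tar(["report.pdf", "docs/summary.txt"])
    hostile = build_tar(["report.pdf", "att;ach`ment.txt", "../escape.txt"])
    print("benign archive accepted:", screen_attachment(benign))
    print("flagged names:", unsafe_members(hostile))
```

The allowlist is defence in depth, not the root fix: the robust remediation is never to pass archive-derived strings through a shell at all (list-form `system`/`exec` or a library call instead of `qx`), so that a hostile name is merely an odd filename rather than a command.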

Barracuda’s advisory stated that they discovered the vulnerability on May 19, 2023, and immediately applied a patch to all ESG appliances worldwide on May 20, 2023.  It's important to note that this vulnerability only affects the module responsible for screening attachments in incoming emails.  

Upon investigation, the company identified that the vulnerability had resulted in unauthorized access to a subset of email gateway appliances; as a result, all ESG appliances received a second patch on May 21, 2023. Barracuda stated that users whose appliances were impacted have been notified via the ESG user interface and have received instructions on actions to take. Other Barracuda products, including SaaS email security services, were not impacted by this vulnerability.


avertium's recommendations

Avertium recommends that all users of Barracuda ESG appliances follow the company's recommendation to replace the device(s) immediately.
  • Barracuda's June 6th advisory states that only a subset of ESG appliances have shown any known indicators of compromise; affected appliances are identified by a message in the appliance User Interface.
  • The advisory further states that users who have not yet replaced their appliance after receiving a notice of compromise in the UI should contact Barracuda support (support@barracuda.com).


INDICATORS OF COMPROMISE (IoCs)

FileHash-MD5 

  • 177add288b289d43236d2dba33e65956 
  • 2d841cb153bebcfdee5c54472b017af2 
  • 45b79949276c9cb9cf5dc72597dc1006 
  • 4ca4f582418b2cc0626700511a6315c0 
  • 85c5b6c408e4bdb87da6764a75008adf 

FileHash-SHA1 

  • 0ea36676bd7169bcbf432f721c4edb5fde0a46a9 
  • 191e16b564c66b3db67f837e1dc5eac98ff9b9ef 
  • 598b486976708dc59ecf3fdec8727b82df63b7de 
  • 5ce46efc6b28bd94955138833dc97916957dbde1 
  • 7a791d4d7e55d7a2fdc08ac0f22ab7ae068fdf26 
  • c637a9ce65083b21c834e7a68bd1bc51b412fa11 
  • c971d01d9faa9d7fd94aef13b24e0b5d3d149a7c 
  • fb2cdec59a77c255bd422c92e5de2d0f3f19bd6c 

FileHash-SHA256 

  • 10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81 
  • 29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b 
  • 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115 
  • 5f5b8cc4d297c8d46a26732ae47c6ac80338b7be97a078a8e1b6eefd1120a5e5 
  • 69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192 
  • 83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c 
  • 8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347 
  • 9bb7addd96f99a29658aca9800b66046823c5ef0755e29012983db6f06a999cf 

IP Addresses 

  • 101[.]229[.]146[.]218 
  • 103[.]146[.]179[.]101 
  • 103[.]27[.]108[.]62 
  • 103[.]77[.]192[.]13 
  • 103[.]77[.]192[.]88 
  • 103[.]93[.]78[.]142 
  • 104[.]156[.]229[.]226 
  • 104[.]223[.]20[.]222 
  • 107[.]148[.]219[.]227 
  • For a complete list of IP addresses, as well as domains, please see Barracuda’s June 15th advisory.

YARA 

  • 478b7f22b0faac82c10b733dbb71fa12c5e9fbad 
  • 6ec815d9acfee40f23b3f748b469754cd0669eee 
  • 9dc9b25a212a0178f6f3d7789f8be10f57bca164 
  • For the full SeaSpy and Whirlpool YARA rules, please see CISA’s advisory.  
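The indicators above are easiest to use when loaded into a script rather than compared by eye. The following Python helper is an added example, not tooling from Avertium, Barracuda or CISA: it carries a subset of the hashes and defanged IP addresses copied from the lists above, refangs the addresses, hashes a blob with all three listed algorithms so any hash type can be matched, and scans log lines for the listed addresses. The log lines and file contents it is run against are constructed samples.

```python
import hashlib
import re

# A subset of the indicators from the IoC lists above (copied from the page).
IOC_HASHES = {
    "md5": {
        "177add288b289d43236d2dba33e65956",
        "2d841cb153bebcfdee5c54472b017af2",
    },
    "sha1": {
        "0ea36676bd7169bcbf432f721c4edb5fde0a46a9",
        "191e16b564c66b3db67f837e1dc5eac98ff9b9ef",
    },
    "sha256": {
        "10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81",
        "29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b",
    },
}
DEFANGED_IPS = [
    "101[.]229[.]146[.]218",
    "103[.]146[.]179[.]101",
    "103[.]27[.]108[.]62",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (101[.]229[.]146[.]218) back into a real address."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}


def digests(data: bytes) -> dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of a blob so every listed hash type can be checked."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_hash_types(digest_map: dict[str, str]) -> list[str]:
    """Return the algorithms whose digest appears in the IoC sets (empty list = no match)."""
    return sorted(
        algo for algo, d in digest_map.items()
        if d.lower() in IOC_HASHES.get(algo, set())
    )


def ioc_hits_in_log(lines: list[str]) -> list[tuple[int, str]]:
    """Scan log lines for listed IPs; return (1-based line number, ip) pairs."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


if __name__ == "__main__":
    # Constructed log lines, not real ESG output.
    sample_log = [
        "2023-06-16T10:00:01Z smtpd connect from 198.51.100.7",
        "2023-06-16T10:00:05Z outbound tls connect to 103.27.108.62:443",
        "2023-06-16T10:00:09Z smtpd connect from 192.0.2.44",
    ]
    print("IP hits:", ioc_hits_in_log(sample_log))
    print("hash hits:", matching_hash_types(digests(b"constructed sample bytes")))
```

In practice the full lists from the Barracuda and CISA advisories would be loaded from a file rather than pasted into the script, and the outbound-connection check matters most: Whirlpool's TLS reverse shell is a connection from the appliance to the C2 address, so egress logs are where these addresses would appear.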

Detection Rules 


How Avertium is Protecting Our CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.

  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding of, and control over, organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.


SUPPORTING DOCUMENTATION

Barracuda Email Security Gateway Appliance (ESG) Vulnerability 

Barracuda email security appliances hacked via zero-day vulnerability (CVE-2023-2868) - Help Net Security 

Barracuda warns of email gateways breached via zero-day flaw (bleepingcomputer.com) 

MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors | CISA 

Whirlpool malware rips open old Barracuda wounds | CSO Online 

MAR-10454006.r4.v2.CLEAR_.pdf (cisa.gov) 
