Tag Archive for: Barracuda

Suspected PRC Cyber Actors Continue to Globally Exploit Barracuda ESG Zero-Day Vulnerability


As part of the FBI investigation into the exploitation of CVE-2023-2868, a zero-day vulnerability in Barracuda Networks' Email Security Gateway (ESG) appliances, the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk of continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability. For more details on the malware found to date in connection with this exploit, and to learn more about the Barracuda backdoors, please visit CISA Releases Malware Analysis Reports on Barracuda Backdoors. The cyber actors used this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration. The FBI strongly advises that all affected ESG appliances be isolated and replaced immediately, and that all networks be scanned immediately for connections to the provided list of indicators of compromise. https://go.fbinet.fbi/news/Pages/Bringing-Private-Sector-to-the-Fight-Against-CyberAdversaries.aspx

CVE-2023-2868 is a remote command injection vulnerability that allows unauthorized execution of system commands with administrator privileges on the ESG product. It is present in the Barracuda ESG (appliance form factor only) versions 5.1.3.001 through 9.2.0.006 and relates to a process that runs when the appliance screens email attachments. The vulnerability allows cyber actors to format a TAR file attachment in a particular manner and send it to an email address in a domain that has an ESG appliance connected to it. When the malicious file is scanned, its formatting results in a command injection into the ESG that leads to system commands being executed with the privileges of the ESG. Because the vulnerability lies in the scanning process, an email only needs to be received by the ESG to trigger it.
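As an added example, not part of the FBI excerpt above: a small defensive triage script that walks the ustar headers of a TAR attachment by hand and flags member names containing characters that are unsafe to interpolate into a shell command. Barracuda's public advisory attributes CVE-2023-2868 to incomplete sanitization of the file names inside the archive, a detail this excerpt does not spell out; the sample archive, the metacharacter list and the function names are constructed for illustration.

```python
import io
import re
import tarfile

# Characters that must never reach a shell-interpolated command line.
# This list is an assumption for the example, not taken from the advisory.
UNSAFE = re.compile(r"[`$;|&<>\n\r'\"\\]")

BLOCK = 512  # tar header and data blocks are 512 bytes


def _octal(field: bytes) -> int:
    """Decode a NUL/space-padded octal header field; empty means 0."""
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0


def member_names(data: bytes):
    """Yield the full name of every member by reading ustar headers directly.
    Done by hand rather than via tarfile so that odd names are still seen.
    GNU long-name ('L') and pax ('x') extension records are not decoded."""
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:          # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0]
        is_ustar = hdr[257:262] == b"ustar"
        prefix = hdr[345:500].split(b"\0", 1)[0] if is_ustar else b""
        full = prefix + b"/" + name if prefix else name
        yield full.decode("latin-1")      # keep every byte, never fail
        size = _octal(hdr[124:136])
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK


def suspicious_members(data: bytes) -> list:
    """Return member names that contain shell metacharacters."""
    return [n for n in member_names(data) if UNSAFE.search(n)]


def build_sample() -> bytes:
    """Constructed sample archive: one benign name, one hostile-looking name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in ("invoice.pdf", "report$(id).pdf"):
            info = tarfile.TarInfo(name)
            payload = b"placeholder"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_members(build_sample()))
```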

The earliest evidence of exploitation of Barracuda ESG appliances was observed in October 2022. Initially, suspected PRC cyber actors sent emails to victims containing TAR file attachments designed to exploit the vulnerability. In the earliest emails,…


Whirlpool malware rips open old Barracuda wounds


Advanced persistent threat (APT) attacks exploiting a formerly zero-day remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances have been detected by the US Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, according to a CISA alert, was used to plant the Seaspy and Whirlpool backdoors on the compromised devices.

While Seaspy is a known, persistent, passive backdoor that masquerades as the legitimate Barracuda service "BarracudaMailService" and lets the threat actors execute arbitrary commands on the ESG appliance, Whirlpool is a newly identified backdoor that the attackers use to establish a Transport Layer Security (TLS) reverse shell to their command-and-control (C2) server.

“CISA obtained four malware samples — including Seaspy and Whirlpool backdoors,” the CISA alert said. “The device was compromised by threat actors exploiting the Barracuda ESG vulnerability.”

Tracked as CVE-2023-2868, the vulnerability allows remote command execution on ESG appliances running versions 5.1.3.001 to 9.2.0.006.

A long list of Barracuda offenders


Whirlpool was identified as a 32-bit executable and linkable format (ELF) that takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell.

A TLS reverse shell is a technique used in cyberattacks to establish an encrypted communication channel from a compromised system back to an attacker-controlled server.

The module that passes the two arguments was not available for CISA analysis.

Apart from Seaspy and Whirlpool, other backdoors seen in the Barracuda ESG exploitation include Saltwater, Submarine, and Seaside.

CVE-2023-2868 has plagued Barracuda for a long time

The ESG vulnerability has been a…


Barracuda Zero-Day Exploited by Chinese Actor


A zero-day vulnerability in the Barracuda Email Security Gateway (ESG) discovered in late May was exploited in a Chinese espionage campaign from October 2022, according to Mandiant.

The Google-owned threat intelligence firm revealed in a new report yesterday that the newly designated threat actor UNC4841 began sending phishing emails as far back as October 10 last year.

These malicious emails contained file attachments designed to exploit the Barracuda bug CVE-2023-2868 to gain initial access to vulnerable appliances, it added.


Once a foothold had been established, the group used the Saltwater, Seaside and Seaspray malware to maintain a presence on the devices by masquerading as legitimate Barracuda ESG modules or services.

“Post initial compromise, Mandiant and Barracuda observed UNC4841 aggressively target specific data of interest for exfiltration, and in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network, or to send mail to other victim appliances,” it continued.

“Mandiant has also observed UNC4841 deploy additional tooling to maintain presence on ESG appliances.”

Barracuda discovered the campaign on May 19 and released patches to contain and remediate the threat two days later. However, the threat group switched malware and deployed new persistence mechanisms to maintain access, Mandiant explained.

Between May 22 and 24, UNC4841 targeted victims in 16 countries with “high frequency” operations, prompting Barracuda to take the unusual step of urging customers to isolate and replace their appliances, whatever their patch status.

The security vendor was praised for its rapid response and for sharing product-specific expertise that enabled a fully fledged investigation.

However, the threat from UNC4841 persists.

“UNC4841 has shown to be highly responsive to defensive efforts and actively modifies TTPs to maintain their operations. Mandiant strongly recommends impacted Barracuda customers continue to hunt for this actor and investigate affected networks,” Mandiant concluded.

“We expect UNC4841 will continue to alter their TTPs and modify…

