Barracuda: Replace attacked ESG hardware

B2B Cyber Security ShortNews


The Barracuda Email Security Gateway (ESG) appliances, otherwise considered secure, have a problem: in mid-May 2023, Barracuda identified a vulnerability (CVE-2023-28681) in its appliances that was already being actively exploited. The security update that has since been released, however, cannot remove backdoors that malware has already installed. Barracuda therefore recommends immediate replacement of the hardware.

The sequence of events began the way it does with many vulnerabilities: on May 18, 2023, Barracuda was alerted to anomalous traffic originating from Barracuda Email Security Gateway (ESG) appliances. The very next day, Barracuda identified the vulnerability (CVE-2023-28681), which was already being actively exploited. Just 2 days later, Barracuda deployed a security patch to all ESG appliances worldwide to close the vulnerability. Despite additional containment scripts and analysis, malware that provides persistent backdoor access was identified on many ESG appliances that had been compromised within that short period. In addition, evidence of data exfiltration was found on a subset of the affected devices.

ESG appliances need to be replaced

Users whose devices Barracuda believes were affected have been notified of the actions to take via the ESG user interface, and Barracuda has also contacted these customers directly. In the course of the investigation, additional affected customers were identified. Barracuda is therefore informing the customers of affected ESG appliances that the devices must be replaced immediately, regardless of their patch level. Barracuda support is assisting these customers with the replacement.

Barracuda has already described the malware identified so far in detail. To make tracking easier, each malware family was assigned a code name:

  • SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality.
  • SEASPY is an x64 ELF persistence backdoor that masquerades as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP) and port 587. SEASPY contains a backdoor function that is activated by a "magic packet".
  • SEASIDE is a Lua-based module for the Barracuda SMTP Daemon (bsmtpd) that listens for SMTP HELO/EHLO commands to receive a Command and Control (C2) IP address and port, which it passes as arguments to an external binary that sets up a reverse shell.
More at Barracuda.com
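The SEASIDE description above says the module receives its C2 address through SMTP HELO/EHLO commands. A defender reviewing SMTP session logs from a mail gateway can look for exactly that anomaly: a HELO/EHLO argument that is neither a domain name nor an RFC 5321 address literal, and in particular one that smuggles an IPv4 address together with a port number. The following Python script is an added example written for this article; it is not Barracuda's code and does not reproduce SEASIDE's actual encoding. The log line layout (timestamp, client IP, command line) and the "IP plus port in the HELO argument" heuristic are assumptions, and the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log lines (not real captures). Assumed layout:
# "<timestamp> <client-ip> <SMTP command line as received by the gateway>".
SAMPLE_LOG = """\
2023-05-19T02:14:07Z 198.51.100.23 EHLO mail.example.net
2023-05-19T02:14:09Z 203.0.113.5 HELO 192.0.2.44:4444
2023-05-19T02:15:11Z 198.51.100.77 EHLO [198.51.100.77]
2023-05-19T02:16:30Z 203.0.113.9 EHLO 192.0.2.44 8080
2023-05-19T02:17:02Z 198.51.100.90 HELO relay01.corp.example
2023-05-19T02:18:45Z 198.51.100.91 EHLO [IPv6:2001:db8::1]
2023-05-19T02:19:10Z 203.0.113.12 EHLO foo_bar
"""

IPV4 = r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)"
PORT = r"(?:6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3})"

# RFC 5321 Domain: dot-separated labels of letters, digits and hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN_RE = re.compile(r"^(?:" + LABEL + r"\.)*" + LABEL + r"$")
# RFC 5321 address literal: "[192.0.2.1]" or "[IPv6:...]".
ADDR_LITERAL_RE = re.compile(r"^\[(?:" + IPV4 + r"|IPv6:[0-9A-Fa-f:.]+)\]$")
# Heuristic (assumption): an IPv4 address followed within three
# non-alphanumeric characters by a port number inside one HELO argument.
IP_PORT_RE = re.compile(r"\b(" + IPV4 + r")\b[^0-9A-Za-z]{1,3}(" + PORT + r")\b")
# Assumed log layout: timestamp, client IP, HELO/EHLO, argument.
LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(HELO|EHLO)\s+(.*)$", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    command: str
    argument: str
    severity: str  # "high" or "low"
    reason: str


def classify_helo_argument(argument: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious HELO/EHLO argument, or None if it looks normal."""
    arg = argument.strip()
    m = IP_PORT_RE.search(arg)
    if m:
        # Address-and-port pairs have no business in a HELO greeting; this is the
        # pattern a C2 hand-off over HELO/EHLO would most plausibly leave behind.
        return ("high", f"argument carries IPv4 address {m.group(1)} with port {m.group(2)}")
    if DOMAIN_RE.match(arg) or ADDR_LITERAL_RE.match(arg):
        return None
    # Misconfigured clients also produce junk here, so this tier is low severity.
    return ("low", "argument is neither a domain name nor an RFC 5321 address literal")


def scan_smtp_log(text: str) -> List[Finding]:
    """Parse the assumed log layout and return one Finding per anomalous HELO/EHLO line."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a HELO/EHLO record; other SMTP verbs are ignored
        ts, client, cmd, arg = m.groups()
        verdict = classify_helo_argument(arg)
        if verdict is not None:
            findings.append(Finding(ts, client, cmd.upper(), arg.strip(), *verdict))
    return findings


if __name__ == "__main__":
    for f in scan_smtp_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.client_ip} {f.command} {f.argument!r}: {f.reason}")
```

On the constructed sample, the two greetings that carry "192.0.2.44" with a port are reported as high severity and the "foo_bar" greeting as low severity, while ordinary hostnames and bracketed address literals pass. Findings of the high tier from an ESG appliance would be a reason to treat the device as compromised under Barracuda's guidance above rather than merely re-patching it.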

Via Barracuda Networks

Striving to make the world a safer place, Barracuda believes that every business should have access to cloud-enabled, enterprise-wide security solutions that are easy to purchase, implement and use. Barracuda protects email, networks, data and applications with innovative solutions that grow and adapt along the customer journey. More than 150,000 companies worldwide trust Barracuda to help them focus on growing their business. For more information, visit www.barracuda.com.
