Barracuda, the corporate security firm, revealed on Tuesday that a recently patched zero-day bug in its Email Security Gateway (ESG) appliances has been exploited by unknown attackers since October 2022 to plant backdoors on the devices.

The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: unclassified), was actively exploited for at least seven months before it was discovered.

The flaw, identified by Barracuda on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to execute code on vulnerable installations. Barracuda released patches on May 20 and 21.
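For teams that keep an inventory of ESG appliances, the first triage step is to compare each device's firmware version against the affected range quoted above. The script below is an added example, not Barracuda's or CISA's code; the inventory it scans is a constructed list, and the dotted-version comparison is a plain numeric tuple comparison (an assumption that ESG version strings compare that way).

```python
from typing import List, Tuple

# Affected range as stated in the advisory text above.
AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '9.2.0.006' into a comparable tuple.

    Leading zeros are dropped ('006' -> 6); non-numeric components are rejected so
    that a typo in the inventory fails loudly instead of silently comparing wrong.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_in_affected_range(version: str) -> bool:
    """True when version lies within [AFFECTED_MIN, AFFECTED_MAX] inclusive.

    Tuple comparison treats a shorter version as lower than a longer one with the
    same prefix, so '9.2' counts as affected while '9.2.0.007' does not.
    """
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose firmware falls inside the affected range."""
    return [host for host, ver in inventory if is_in_affected_range(ver)]


# Constructed sample inventory (hostname, firmware version); not real devices.
SAMPLE_INVENTORY = [
    ("esg-dc1.example.internal", "9.2.0.006"),   # last affected build
    ("esg-dc2.example.internal", "9.2.0.007"),   # patched build, assumed version string
    ("esg-lab.example.internal", "5.1.3.001"),   # first affected build
    ("esg-old.example.internal", "5.1.2.999"),   # below the affected range
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"AFFECTED: {host}")
```

A version match only says the appliance was exposed; since the advisory describes backdoors that persist after patching, a device inside the range still needs to be checked for the indicators Barracuda and Mandiant published, not just upgraded.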

Barracuda's statement on the matter

“CVE-2023-2868 was used to gain unauthorized access to a subset of ESG devices,” the network and email security firm said in an updated advisory, adding: “Malware has been identified on a subset of devices, enabling persistent backdoor access. There has been evidence of data exfiltration on a subset of affected devices.”

Three different strains of malware have been discovered so far:

SALTWATER – A trojanized module for Barracuda’s SMTP daemon (bsmtpd) capable of uploading or downloading files, executing commands and relaying malicious traffic through proxies and tunnels to avoid detection.

SEASPY – An x64 ELF backdoor that provides persistence and is activated by a specific network packet.

SEASIDE – A Lua-based module for bsmtpd that establishes a reverse shell via HELO/EHLO SMTP commands sent from the malware’s command-and-control (C2) server.
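Because SEASIDE is described as receiving its instructions through HELO/EHLO commands, the SMTP greeting is a useful place to look for anomalies on a mail gateway. The script below is an added detection example, not code from Barracuda or Mandiant: it parses constructed log lines (the `bsmtpd[...]: EHLO ...` format is assumed for illustration, not Barracuda's real log format) and flags HELO/EHLO arguments that are over the 255-octet domain limit, look like a base64 blob, or are not a valid hostname or bracketed address literal.

```python
import re
from dataclasses import dataclass
from typing import List

# Pull the verb and everything after it from a log line.
HELO_RE = re.compile(r"\b(HELO|EHLO)\s+(.*)$", re.IGNORECASE)
# RFC-style hostname (labels of letters, digits, hyphens) or a bracketed address literal.
HOSTNAME_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$"
)
# A long run of base64 alphabet with optional padding and no dots.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
MAX_DOMAIN_LEN = 255  # maximum length of a domain name in SMTP


@dataclass
class Finding:
    line_no: int
    verb: str
    argument: str
    reasons: List[str]


def inspect_helo_argument(argument: str) -> List[str]:
    """Return the list of reasons a HELO/EHLO argument looks suspicious (empty if benign)."""
    reasons = []
    if len(argument) > MAX_DOMAIN_LEN:
        reasons.append("argument longer than 255 octets")
    if BASE64_RE.match(argument):
        reasons.append("argument looks like a base64 blob")
    if not HOSTNAME_RE.match(argument):
        reasons.append("argument is not a valid hostname or address literal")
    return reasons


def scan_smtp_log(text: str) -> List[Finding]:
    """Scan log text line by line and collect findings for anomalous HELO/EHLO arguments."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = HELO_RE.search(line)
        if not match:
            continue
        verb, argument = match.group(1).upper(), match.group(2).strip()
        reasons = inspect_helo_argument(argument)
        if reasons:
            findings.append(Finding(line_no, verb, argument, reasons))
    return findings


# Constructed sample log; addresses are documentation ranges, the base64 is arbitrary.
SAMPLE_LOG = """\
2023-05-18T10:01:02Z bsmtpd[1234]: connect from 203.0.113.10
2023-05-18T10:01:02Z bsmtpd[1234]: EHLO mail.example.net
2023-05-18T10:02:30Z bsmtpd[1235]: HELO [2001:db8::1]
2023-05-18T10:03:45Z bsmtpd[1236]: HELO aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3QgY29tbWFuZA==
2023-05-18T10:05:00Z bsmtpd[1237]: EHLO 192.0.2.55
2023-05-18T10:07:12Z bsmtpd[1238]: EHLO foo bar=baz
"""

if __name__ == "__main__":
    for f in scan_smtp_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.verb} {f.argument!r} -> {'; '.join(f.reasons)}")
```

Ordinary clients occasionally send a sloppy greeting, so treat hits as a hunting lead to pivot on (source IP, frequency, timing against the October 2022 onward window described above) rather than as a verdict on their own.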

Mandiant, the Google-owned firm investigating the incident, has identified source code overlaps between SEASPY and cd00r, an open source backdoor. The attacks have not been attributed to any known actor (such as a specific APT group).

Updates from US CISA

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) also added the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.

Barracuda did not disclose how many organizations were compromised, but said they have been contacted directly with mitigation guidance. The company also warned that the ongoing investigation could uncover additional affected users.