Barracuda says that the recently discovered compromise of some of it clients’ ESG appliances via a zero-day vulnerability resulted in the deployment of three types of malware and data exfiltration.
Zeor-day exploited, Barracuda ESG appliances backdoored.
On May 23, Barracuda Networks publicly acknowledged that attackers have been exploiting CVE-2023-2868 to breach Email Security Gateway on-prem physical appliances at various organizations.
Today, they confirmed that the first patch, which remediated the remote command injection vulnerability, was applied to all ESG appliances worldwide on May 20, and was followed by a script that was “Deployed to all impacted appliances to contain the incident and counter unauthorized access methods.”
SALTWATER, a trojanized module for the Barracuda SMTP daemon, which serves as a backdoor that has proxy and tunneling capabilities and allows attackers to upload or download arbitrary files and execute commands.
SEASPY, an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 SEASIDE, a Lua-based module for the Barracuda SMTP daemon that establishes a connection to the attackers’ C2 server and helps establish a reverse shell.