Update (6/16/2023):
In May 2023, Avertium reported on a critical zero-day vulnerability (CVE-2023-2868) found in physical Barracuda Email Security Gateway (ESG) devices. At the time, the vulnerability allowed for remote command injection on versions 5.1.3.001 - 9.2.0.006, and was being exploited by attackers.
Instead of providing a patch for the vulnerability, Barracuda advised all users to replace their ESG appliances; replacement was its only remediation and its only recommendation. The company also advised users to contact Barracuda's customer support via email to arrange replacement of their devices.
This week, users are discovering a new issue linked to CVE-2023-2868. CISA identified backdoors, named Whirlpool and SeaSpy, used in attacks on Barracuda ESG devices. According to CISA, CVE-2023-2868 was used to inject SeaSpy and Whirlpool backdoor malware payloads onto compromised devices.
SeaSpy, a known and persistent backdoor on Barracuda devices, masquerades as a legitimate Barracuda service called "BarracudaMailService" and enables threat actors to execute arbitrary commands on ESG appliances. The Whirlpool backdoor, by contrast, is newly observed: it establishes a TLS reverse shell from the appliance to the attackers' command-and-control (C2) server. In June 2023, Mandiant published a report attributing Whirlpool to the Chinese threat actor UNC48
OVERVIEW
A critical zero-day vulnerability tracked as CVE-2023-2868 was found in physical Barracuda Email Security Gateway appliances and is being exploited by attackers. The vulnerability allows for remote command injection and affects versions 5.1.3.001 - 9.2.0.006.
According to the official CVE listing, the vulnerability arises from a failure to completely sanitize the processing of .tar files (tape archives). CVE-2023-2868 stems from insufficient validation of user-supplied file names within the archive: an attacker-controlled member name reaches a system command built with Perl's qx operator, so a crafted archive allows remote attackers to execute system commands with the privileges of the Email Security Gateway product.
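The missing control in this class of bug is validation of archive member names before they are used anywhere near a shell. The following is an added example, not Barracuda's code or the CVE's exploit: a small Python checker that walks a tar archive (constructed in memory here) and flags member names containing shell metacharacters, path traversal, or characters outside a strict allowlist, which is the kind of check an attachment scanner or a pre-ingest filter can apply.

```python
import io
import re
import tarfile

# Allowlist: member names built only from characters that have no
# special meaning to /bin/sh (the interpreter Perl's qx hands strings to).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/ -]*$")
# Characters a shell interprets: command substitution, pipes, separators, quoting.
SHELL_META = set("`$|;&<>(){}\n\"'\\*?!#")


def unsafe_member_names(archive_bytes):
    """Return [(name, reasons)] for every archive member whose name would be
    dangerous to interpolate into a shell command. Empty list means clean."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            reasons = []
            meta = sorted(c for c in set(member.name) if c in SHELL_META)
            if meta:
                reasons.append("shell metacharacters: " + "".join(meta))
            if ".." in member.name.split("/") or member.name.startswith("/"):
                reasons.append("path traversal")
            if not SAFE_NAME.match(member.name):
                reasons.append("outside allowlist")
            if reasons:
                findings.append((member.name, reasons))
    return findings


def build_sample_archive(names):
    """Constructed sample input: an in-memory tar of empty files with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed names: one benign, one with command substitution, one traversal.
    sample = build_sample_archive(["invoice.pdf", "notes$(id).txt", "../etc/x"])
    for name, reasons in unsafe_member_names(sample):
        print(f"REJECT {name!r}: {'; '.join(reasons)}")
```

A rejecting check like this belongs before any code path that touches the member name; quoting the name into the command is not a substitute, since the fix is to never let untrusted names reach a shell at all.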
Barracuda’s advisory stated that they discovered the vulnerability on May 19, 2023, and immediately applied a patch to all ESG appliances worldwide on May 20, 2023. It's important to note that this vulnerability only affects the module responsible for screening attachments in incoming emails.
Upon investigation, the company identified that the vulnerability had resulted in unauthorized access to a subset of email gateway appliances; therefore, all ESG appliances received a second patch on May 21, 2023. Barracuda stated that users whose appliances were impacted have been notified via the ESG user interface and have received instructions on actions to take. Other Barracuda products, including SaaS email security services, were not impacted by this vulnerability.
SUPPORTING DOCUMENTATION
Barracuda Email Security Gateway Appliance (ESG) Vulnerability
Barracuda warns of email gateways breached via zero-day flaw (bleepingcomputer.com)
MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors | CISA
Whirlpool malware rips open old Barracuda wounds | CSO Online
MAR-10454006.r4.v2.CLEAR_.pdf (cisa.gov)