Barracuda Patches Zero-Day in Email Security Gateways (ESG)

Barracuda, a prominent enterprise security firm, recently shared details regarding a serious vulnerability that malicious actors had leveraged to compromise its Email Security Gateway (ESG) appliances since October 2022.  

What does Barracuda do?

Barracuda is a global company that provides security solutions for emails, applications, cloud, network and data. Services range from threat scanners and automated incident response to web application firewalls and data backup. 

Tell me more about the Barracuda zero-day

The Barracuda zero-day, recognized under the tracking code CVE-2023-2868, was exploited for about seven months before Barracuda identified the vulnerability on May 19, 2023. 

The security flaw affects certain versions of the ESG appliances and could potentially enable remote attackers to execute harmful code on susceptible installations.  

The company discovered that unauthorized access had been gained on a subset of its ESG appliances and found evidence of malware that created persistent backdoor access, as well as indications of data exfiltration. 

Barracuda, in collaboration with cybersecurity professionals, has identified three different malware strains used in these cyberattacks:

• SALTWATER: A modified module for Barracuda’s simple mail transfer protocol (SMTP) daemon (or background process), capable of uploading or downloading files, executing commands and discretely routing malicious traffic. 

• SEASPY: A backdoor module providing persistence capabilities, activated by a specific packet type. 

• SEASIDE: A Lua-based (Lua is a programming language) module to establish reverse shells via certain SMTP commands sent through the malware’s command-and-control server. 

The company quickly released patches to address the zero-day vulnerability. 

What is Nuspire doing?

Nuspire is not affected by this vulnerability; however, the company actively threat hunts within client environments for indications of compromise. 

What should I do?

Considering the severe implications of this vulnerability, organizations should review the following recommendations: 

1. Promptly apply the patches released by Barracuda on May 20 and May 21, 2023, for versions 5.1.3.001 through 9.2.0.006 of the ESG appliances. 
2. Heed the advice of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which included the Barracuda zero-day in its Known Exploited Vulnerabilities catalog. Federal agencies should ensure fixes are applied by June 16, 2023. 
3. Monitor communications from Barracuda closely. The firm is directly contacting organizations that have been breached to provide mitigation advice, and the ongoing investigation may reveal additional affected users. 
4. Follow Barracuda’s “Recommendations for Impacted Customers” in its advisory.