Barracuda Networks Recommends That Customers Replace Hacked ESGs despite Patches
In May 2023, Barracuda Networks fixed the 0-day vulnerability CVE-2023-2868 in its products, a flaw that attackers had been exploiting for more than six months to compromise Email Security Gateway (ESG) appliances. The problems did not end there, however.
While patches for the problem were eventually released, the manufacturer has now unexpectedly stated that customers should stop using compromised Email Security Gateways (ESGs) and replace them, even if the devices have been patched.
Information about the critical RCE vulnerability CVE-2023-2868 (CVSS score 9.8) appeared in mid-May 2023. At the time, it was reported that the problem affects versions 5.1.3.001 through 9.2.0.006 and allows a remote attacker to execute arbitrary code.
Patches for the problem were released on May 20 and 21, 2023. However, Barracuda Networks, whose products are used by more than 200,000 customers worldwide, including Samsung, Delta Airlines, Mitsubishi and Kraft Heinz, warned that attackers had been exploiting the vulnerability since October 2022.
At the time, researchers reported that three malware samples were associated with the exploitation of the CVE-2023-2868 vulnerability:
- SALTWATER, a trojanized module for the Barracuda SMTP daemon (bsmtpd), capable of uploading and downloading arbitrary files, executing commands, and proxying and tunneling malicious traffic for greater stealth;
- SEASPY, an x64 ELF backdoor that establishes persistence on the system and is activated by a magic packet;
- SEASIDE, a Lua-based module for bsmtpd that establishes reverse shells based on SMTP HELO/EHLO commands received from the malware's C&C server.
The manufacturer released a new statement this week, surprisingly saying that all customers affected by the newly discovered vulnerability should immediately stop using compromised Email Security Gateways (ESGs) and replace them.
They also add that now the recommendation to fix the problem is “total replacement of the affected ESG.”
The company does not explain the reason for this statement and such drastic measures. It can be assumed that the attackers behind the newly discovered attacks managed to infiltrate the ESG firmware at a deeper level, so that the patches alone cannot completely eliminate the threat.
According to Barracuda, affected customers have already been notified through the ESG user interface. Customers who have not yet replaced their devices are strongly advised to contact support by email as a matter of urgency.