Barracuda Networks Warns Customers to Replace Hacked Email Security Gateways
In May 2023, the 0-day vulnerability CVE-2023-2868, which had been exploited by hackers for more than six months, was fixed in Barracuda Networks products. While patches were eventually released for the problem, the manufacturer has now unexpectedly stated that customers should stop using hacked Email Security Gateways (ESG) and replace them, even if they received patches.
Information about the critical RCE vulnerability CVE-2023-2868 (9.8 points on the CVSS scale) appeared in mid-May of this year. At the time, it was reported that the problem affects versions 5.1.3.001 through 9.2.0.006 and allows a remote attacker to execute arbitrary code.
“The vulnerability results from insufficiently comprehensive validation in the processing of .tar files (tape archives),” it was reported in May. “The vulnerability occurs due to insufficient validation of the user-provided .tar file, namely the names of the files contained in the archive. As a consequence, a remote attacker could format the names of these files in a certain way, which would cause a system command to be executed remotely via Perl qx with Email Security Gateway privileges.”
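As an added illustration, not code from the original article or from Barracuda, here is the defensive pattern the advisory quoted above implies: validate every member name of an untrusted tar archive against a strict allowlist before any of those names reaches code that builds shell commands. The allowlist policy, the function names and the sample archives are assumptions constructed for this example, not Barracuda's actual fix.

```python
import io
import re
import tarfile

# Assumed policy: each path component must start with a letter or digit and may
# contain only letters, digits, '.', '_' and '-'. Everything else (spaces, quotes,
# shell metacharacters, control bytes) is rejected before any shell-building code
# can see the name.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafeMemberName(ValueError):
    """Raised when an archive member name violates the allowlist."""


def validate_member_name(name: str) -> str:
    """Return the name unchanged if it is safe, otherwise raise UnsafeMemberName."""
    if not name:
        raise UnsafeMemberName("empty member name")
    if name.startswith("/"):
        raise UnsafeMemberName(f"absolute path: {name!r}")
    for part in name.split("/"):
        # Reject '.', '..' and empty components (path traversal, '//').
        if part in ("", ".", ".."):
            raise UnsafeMemberName(f"traversal or empty component in {name!r}")
        if not SAFE_COMPONENT.match(part):
            raise UnsafeMemberName(f"disallowed characters in {name!r}")
    return name


def safe_member_names(tar_bytes: bytes) -> list[str]:
    """List member names of an in-memory tar archive.

    Fails closed: if any single member name is unsafe the whole archive is
    rejected, rather than silently skipping the offending entry.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return [validate_member_name(m.name) for m in tf.getmembers()]


def is_archive_safe(tar_bytes: bytes) -> bool:
    """Boolean wrapper around safe_member_names for callers that only need a verdict."""
    try:
        safe_member_names(tar_bytes)
        return True
    except UnsafeMemberName:
        return False


def build_tar(names: list[str]) -> bytes:
    """Construct a small tar archive in memory with the given member names (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            data = b"x"
            info = tarfile.TarInfo(name=n)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archives: one with benign names, one with a semicolon in a name.
    good = build_tar(["docs/readme.txt", "bin/tool-1.0.sh"])
    bad = build_tar(["report.txt", "notes;extra.txt"])
    print("good archive accepted:", is_archive_safe(good))
    print("bad archive accepted:", is_archive_safe(bad))
```

The check runs on the archive listing alone; no member is extracted, so the validator can sit in front of whatever later consumes the file names.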
Patches for this problem were released on May 20 and 21, 2023. However, Barracuda Networks, whose products are used by more than 200,000 customers worldwide, including Samsung, Delta Airlines, Mitsubishi and Kraft Heinz, warned that the vulnerability had been used by attackers since October 2022.
“Malware was found on a number of devices that allows you to establish permanent access through a backdoor. Also, some devices showed signs of data leakage,” the manufacturer said.
Researchers said at the time that three malware samples were associated with exploitation of the CVE-2023-2868 vulnerability:
SALTWATER
SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd), capable of uploading and downloading arbitrary files, executing commands, and proxying and tunneling malicious traffic for greater stealth.
SEASPY
SEASPY is a backdoor in ELF x64 format, capable of establishing persistence on the system, and activated by a magic packet.
SEASIDE
SEASIDE is a Lua-based module for bsmtpd that installs reverse shells via SMTP HELO/EHLO commands received from the malware’s C&C server.
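Added example, not from the article or from the malware reports it cites: because SEASIDE is described as receiving its instructions through SMTP HELO/EHLO commands, a defender reviewing SMTP daemon logs can flag HELO/EHLO arguments that are not a syntactically valid hostname or address literal (the forms RFC 5321 allows). The log line format, the field names and the sample lines below are constructed assumptions, and the check is a generic anomaly heuristic rather than a published SEASIDE indicator.

```python
import re
from dataclasses import dataclass

# Assumed log format (constructed for this example):
#   <timestamp> smtpd client=<ip> cmd="<VERB> <argument>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) smtpd client=(?P<client>\S+) cmd="(?P<verb>[A-Za-z]+)(?: (?P<arg>.*))?"$'
)

# RFC 5321 syntax for the HELO/EHLO parameter: a domain made of dot-separated
# labels, or an address literal such as [192.0.2.1] or [IPv6:2001:db8::1].
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
IPV4_LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")
IPV6_LITERAL_RE = re.compile(r"^\[IPv6:[0-9A-Fa-f:.]+\]$")


@dataclass
class Finding:
    ts: str
    client: str
    verb: str
    arg: str
    reason: str


def helo_arg_is_wellformed(arg: str) -> bool:
    """True if arg is a valid domain or address literal per RFC 5321 syntax."""
    if len(arg) > 255:
        return False
    return bool(
        DOMAIN_RE.match(arg)
        or IPV4_LITERAL_RE.match(arg)
        or IPV6_LITERAL_RE.match(arg)
    )


def scan_smtp_log(lines) -> list[Finding]:
    """Return a Finding for every HELO/EHLO whose argument is missing or malformed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; ignore
        verb = m["verb"].upper()
        if verb not in ("HELO", "EHLO"):
            continue
        arg = m["arg"] or ""
        if not arg:
            findings.append(Finding(m["ts"], m["client"], verb, arg,
                                    "missing HELO/EHLO argument"))
        elif not helo_arg_is_wellformed(arg):
            findings.append(Finding(m["ts"], m["client"], verb, arg,
                                    "HELO/EHLO argument is not a valid domain or address literal"))
    return findings


# Constructed sample log lines (not real traffic): two well-formed greetings,
# one with spaces and punctuation in the argument, one with no argument, and
# one unrelated command that the scanner must ignore.
SAMPLE_LOG = [
    '2023-05-20T10:01:02Z smtpd client=203.0.113.5 cmd="EHLO mail.example.org"',
    '2023-05-20T10:01:09Z smtpd client=198.51.100.7 cmd="HELO [198.51.100.7]"',
    '2023-05-20T10:02:41Z smtpd client=203.0.113.9 cmd="EHLO not a hostname!"',
    '2023-05-20T10:03:15Z smtpd client=203.0.113.9 cmd="EHLO"',
    '2023-05-20T10:03:16Z smtpd client=203.0.113.9 cmd="MAIL FROM:<a@example.org>"',
]


if __name__ == "__main__":
    for f in scan_smtp_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.verb} {f.arg!r}: {f.reason}")
```

Legitimate clients do occasionally send sloppy greetings, so this is a triage signal to correlate with the source address and with what the session does next, not a block rule on its own.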
This week the manufacturer released a new statement, unexpectedly saying that all customers affected by the vulnerability should immediately stop using compromised Email Security Gateways (ESGs) and replace them.
“All affected ESG devices should be replaced immediately, regardless of the version of the patch installed,” the company says, adding that its current remediation recommendation is to “completely replace the affected ESG.”
The company does not explain the reason for this statement or for such drastic measures. It can be assumed that the attackers behind the newly discovered attacks managed to compromise the ESG firmware at a deeper level, so that the patches cannot completely eliminate the threat.