Barracuda network appliance vulnerability “actively exploited” for seven months

A critical vulnerability discovered in Barracuda Networks devices may have been actively exploited for seven months, the company has revealed. 

The security firm said the flaw, which was first discovered in May, affected its Email Security Gateway (ESG) appliance and was patched after an initial investigation. 

This week, however,  analysis of the vulnerability revealed it had been actively exploited for several months before the patch was issued. 

Barracuda Networks said the “earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022”.

In its advisory, the firm said the vulnerability stemmed from “incomplete input validation” of user-supplied .tar files. 

The flaw meant that a remote attacker could format file names in a deliberate manner to remotely execute a system command through Perl’s gx operator. 

The investigation also revealed that a third party exploited this to gain unauthorized access to a subset of ESG appliances. 

“Barracuda's investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances,” the firm said in its advisory. 

Malware was identified on this subset of appliances, Barracuda revealed, which would allow for persistent backdoor access. In addition, the company said it uncovered evidence of data exfiltration on impacted appliances.  

Two specific malware strains were highlighted by Barracuda during a post-mortem analysis of the incident. This included SALTWATER, a trojanized module for the Barracuda SMTP daemon that contains backdoor functionality.

SALTWATER enables threat actors to upload or download arbitrary files and execute commands, as well as proxy and tunneling capabilities, Barracuda said. 

Another type of malware, known as SEASPY, was also identified during the probe led by Barracuda and Mandiant. SEASPY contains backdoor functionality that is activated by a ‘magic pocket’, according to researchers.

“SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP),” the firm said. 

Barracuda engaging with affected customers

Barracuda insisted that no other products were affected by the vulnerability, including its SaaS email security services. 

The company added that customers potentially impacted by the incident have been notified via the ESG user interface, and the company has reached out to specific customers directly. 

Barracuda has around 200,000 customers globally. However, the exact number of those affected by the vulnerability has yet to be determined. 

ITPro approached Barracuda for comment on the matter, but hadn’t received a response at the time of publication.