
August 25, 2023

FBI warns Barracuda patch not effective, recommends replacement


The Federal Bureau of Investigation (FBI) has warned that Barracuda Email Security Gateway (ESG) appliances continue to be compromised by suspected Chinese state-sponsored cyber actors. These threat actors are exploiting CVE-2023-2868, despite Barracuda pushing out a patch for affected devices in May 2023. The FBI is strongly urging ESG users to isolate and replace the appliance while scanning for additional indications of compromise on their networks.

Exploitation of CVE-2023-2868 was first observed in October 2022 when it was used to deploy previously unknown malware (SeaSpy, SaltWater, and SeaSide). The Cybersecurity and Infrastructure Security Agency (CISA) later discovered another backdoor (dubbed Submarine) while analyzing compromised ESG appliances belonging to federal agencies.

Source: Bleeping Computer

Analysis

In July 2023, Barracuda advised that, although the vulnerability apparently affected a limited number of ESG appliances, it could not be certain that patching previously affected devices would be enough to eradicate the novel malware deployed by PRC hackers. Based on the FBI’s statement, however, it seems the problem is far more widespread, affecting all ESG appliances regardless of their patching status.

ESG appliances are likely to remain targets as long as they remain vulnerable. Barracuda will likely opt to avoid the cost of replacing every ESG appliance by instead developing and rolling out a more effective patch as soon as possible.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Barracuda ESG. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect recommends that organizations review the advisory issued by Barracuda and follow the mitigation steps included therein.
