Since last October, hackers have been exploiting a vulnerability in Barracuda's Email Security Gateway. The vulnerability allowed a third-party intruder to gain backdoor access and deploy malicious programs, including Saltwater, Seaspy and Seaside, on the systems of some Barracuda users.
Barracuda released details of CVE-2023-2868, the 0-day vulnerability being exploited, this Tuesday (5/30). Since October last year, hackers have exploited this vulnerability to deploy various malicious programs on compromised systems. Barracuda has also published endpoint and network indicators of compromise (IOCs) so that users can identify attacks. The vulnerability lies in the Barracuda Email Security Gateway appliance, a product used by 200,000 public and private organizations worldwide, including large enterprises such as Samsung, Mitsubishi, Kraft Heinz and Delta Airlines, as well as government agencies.
According to the investigation, the malicious programs deployed by the hackers include Saltwater with backdoor capabilities, Seaspy disguised as a legitimate Barracuda Networks service, and Seaside, written in the Lua language. These programs can upload or download files, execute commands, and have proxy and tunneling capabilities.
Barracuda has proactively notified compromised users and provided recommendations. They advise users to ensure that the email security gateway has the latest security updates deployed, to stop using the affected devices, to contact Barracuda for a new ESG virtual or hardware appliance, and to rotate any credentials connected to the gateway. Although the attack began in October last year, Barracuda did not detect the unusual traffic until May 18 this year; it immediately engaged the security firm Mandiant to investigate and remediate. Barracuda is also planning a series of patching strategies to enhance the security of its devices.