
Critical Barracuda 0-day was used to backdoor networks for 8 months


    A critical vulnerability patched 10 days ago in widely used email software from IT security firm Barracuda Networks has been actively exploited since October. The vulnerability has been used to install multiple pieces of malware across large organizational networks and steal data, Barracuda said Tuesday.

    The software bug, tracked as CVE-2023-2868, is a remote command injection vulnerability that stems from incomplete input validation of user-supplied .tar files, which are used to pack or archive multiple files. When file names inside the archive are formatted in a certain way, an attacker can execute system commands through the qx operator, a quote-like operator in the Perl programming language that runs its contents as a shell command. The vulnerability is present in Barracuda Email Security Gateway versions 5.1.3.001 through 9.2.0.006; Barracuda released a patch 10 days ago.
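    As an added defensive example (not Barracuda's code), the following Python checks every member name of an uploaded .tar archive against a strict allowlist and rejects the whole archive on any shell metacharacter, absolute path or traversal, which is the validation step whose absence the paragraph above describes. The sample archive and member names are constructed for the demonstration.

```python
import io
import re
import tarfile

# Added defensive example, not Barracuda's code. One path component:
# starts alphanumeric/underscore, then [A-Za-z0-9_.-]; everything else
# (quotes, $, backticks, ;, |, whitespace, leading dots) is rejected.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}$")
# Characters a shell would interpret if the name were interpolated into
# a command string, the qx-style pattern behind CVE-2023-2868.
SHELL_META = re.compile(r"""[;&|`$<>(){}\[\]'"*?~\s\\]""")


def member_name_problems(name: str) -> list[str]:
    """Return the reasons a tar member name must be rejected ([] = safe)."""
    problems = []
    if name.startswith(("/", "\\")):
        problems.append("absolute path")
    if SHELL_META.search(name):
        problems.append("shell metacharacter")
    for part in name.split("/"):
        if part == "..":
            problems.append("path traversal")
        elif part not in ("", ".") and not SAFE_COMPONENT.match(part):
            problems.append(f"bad component {part!r}")
    return problems


def check_tar_archive(data: bytes) -> dict[str, list[str]]:
    """Map each unsafe member name to its reasons; {} means the archive
    passed. Unreadable data is reported under '<archive>', not raised."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            names = tar.getnames()
    except tarfile.TarError as exc:
        return {"<archive>": [f"unreadable archive: {exc}"]}
    # Reject the whole archive on any bad member: never let a name
    # like this reach a shell-interpolated command.
    return {n: p for n in names if (p := member_name_problems(n))}


def build_sample_archive(names: list[str]) -> bytes:
    """Constructed sample input: in-memory tar, one empty file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in names:
            tar.addfile(tarfile.TarInfo(name=n))  # size 0, no data
    return buf.getvalue()
```

The same allowlist can be applied at the point where an archive is accepted from a user, and a non-empty result should be logged as a rejected upload rather than silently dropped.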

    On Tuesday, Barracuda informed customers that CVE-2023-2868 has been actively exploited since October in attacks where attackers could install multiple pieces of malware to exfiltrate sensitive data from infected networks.

    “Users whose devices we believe have been affected have been notified through the ESG UI of actions to take,” Tuesday’s post said. “Barracuda has also reached out to these specific customers. More customers may be identified in the course of the investigation.”

    Malware identified so far includes packages tracked as Saltwater, Seaside, and Seaspy. Saltwater is a malicious module for the SMTP daemon (bsmtpd) used by the Barracuda ESG. The module includes backdoor functionality that can upload or download arbitrary files, run commands, and provide proxy and tunneling capabilities.

    Seaspy is an x64 executable in ELF (Executable and Linkable Format), the format Linux and Unix-based systems use to store binaries, libraries, and core dumps on disk. It provides a persistent backdoor that masquerades as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, capturing packets flowing through the network and performing various operations on them. Seaspy monitors traffic on port 25, the port used for SMTP email.

    It can be activated using a “magic packet” known only to the attacker that appears harmless to everyone else. Mandiant, the security firm Barracuda hired to investigate the attacks, said it found code in Seaspy that overlaps with the publicly available cd00r backdoor.

    Seaside, meanwhile, is a module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP commands, including HELO/EHLO, to receive a command-and-control IP address and port and then establish a reverse shell.

    Tuesday’s post contains cryptographic hashes, IP addresses, file locations and other indicators of an attack related to the exploitation of CVE-2023-2868 and installation of the malware. Company officials also urged all affected customers to take the following actions:

    1. Ensure your ESG appliance receives and applies updates, definitions and security patches from Barracuda. Contact Barracuda Support ([email protected]) to verify that the device is up to date.
    2. Stop using the compromised ESG appliance and contact Barracuda Support ([email protected]) to obtain a new ESG virtual or hardware appliance.
    3. Rotate all applicable credentials connected to the ESG device:
      o Any connected LDAP/AD
      o Barracuda Cloud Control
      o FTP server
      o SMTP
      o All private TLS certificates
    4. Check your network logs for any of the [indicators of compromise] and any unknown IPs. If one is identified, please contact [email protected].

    The Cybersecurity and Infrastructure Security Agency added CVE-2023-2868 to its list of known exploited vulnerabilities on Friday.