The U.S. Federal Bureau of Investigation (FBI) has issued a stark warning regarding Barracuda Networks Email Security Gateway (ESG) appliances, cautioning that even with the latest patches, they remain vulnerable to potential compromise by suspected Chinese hacking groups.
According to the FBI, the patches released to address the recently disclosed critical flaw in Barracuda ESG appliances are deemed “ineffective.” The agency has observed ongoing intrusions, deeming all affected Barracuda ESG appliances compromised and vulnerable to exploitation.
Tracked as CVE-2023-2868 with a CVSS score of 9.8, this zero-day vulnerability has been weaponized as early as October 2022, months before it was officially patched. Google-owned Mandiant is tracking the activities of the China-nexus group UNC4841 associated with exploiting this flaw.
The vulnerability, impacting versions 5.1.3.001 through 9.2.0.006, allows for unauthorized execution of system commands with administrator privileges on the ESG product.
Successful breaches have led to the deployment of multiple malware strains like SALTWATER, SEASIDE, and others, facilitating arbitrary command execution and evading defense mechanisms.
Cyber actors utilized this vulnerability to insert malicious payloads onto the ESG appliance, enabling persistent access, email scanning, credential harvesting, and data exfiltration.
UNC4841, characterized as both aggressive and skilled, demonstrates sophistication in their operations, swiftly adapting custom tools to maintain access to high-priority targets.
The FBI strongly advises isolating and replacing all affected ESG devices immediately and conducting network scans for suspicious outgoing traffic.
In response to the zero-day vulnerability (CVE-2023-2868) discovered in Barracuda Networks Email Security Gateway (ESG) appliances, significant concern has arisen.
CVE-2023-2868, a remote command injection vulnerability affecting Barracuda ESG appliances in versions 5.1.3.001-9.2.0.006, allows unauthorized execution of system commands with administrator privileges.
Exploitation occurs during email attachment screening, where cyber actors format TAR file attachments to trigger command injection, granting access to execute commands within the ESG.
Suspected PRC cyber actors began exploiting this vulnerability in October 2022, initially using “.tar” extensions in malicious attachments, evolving to different formats like “.jpg” or “.dat.”
Following compromise, actors injected malicious payloads to maintain access, scan emails, harvest credentials, and exfiltrate data, demonstrating advanced techniques in counter-forensics.
Despite patches, exploited ESG appliances remain vulnerable. The FBI advises immediate isolation and replacement of affected devices and network scans for indicators of compromise.
The FBI released a list of domains and IP addresses associated with malicious activities, urging vigilance and thorough investigation to mitigate risks effectively.