Barracuda Networks customers may have been vulnerable to a cyberattack for a very long time.
The network and email security firm recently discovered that cybercriminals have been abusing a recently patched zero-day vulnerability for more than five months to steal data and drop malware onto customers' Email Security Gateway (ESG) appliances.
Barracuda advises customers to check their ESG appliances for any unusual behavior and to dispatch those that have been breached, per Bleeping Computer.
Barracuda Exploited Zero-day Vulnerability Details
Barracuda recently revealed that cybercriminals and bad actors have been abusing a critical zero-day vulnerability it patched around ten days ago for at least seven months to get around customers' ESG appliances.
According to the company, these bad actors have been exploiting this critical zero-day vulnerability, tracked as CVE-2023-2868, to install multiple malware strains inside large organizations' networks and steal data, per Ars Technica. While the exact date is unknown as of press time, Barracuda states in its report that bad actors have been exploiting the vulnerability since Oct. 2022, meaning that a significant number of customers may have fallen victim to malware and data theft since then.
The vulnerability in question is a remote command injection flaw caused by incomplete input validation of user-supplied .tar files, which are used to pack or archive multiple files. When a bad actor formats a file name inside such an archive in a particular way, they can execute system commands through the qx operator, a function in the Perl programming language that handles quotation marks.
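As an added illustration (not code from Barracuda or its advisory), this Python snippet shows the kind of allow-list check on archive member names that the flaw lacked: every name is validated before the archive is handed to anything that might build a shell command from it, and any external tool is invoked with an argument list rather than a shell string. The archive contents, the allow-list pattern and the scanner command are assumptions of this example.

```python
import io
import re
import tarfile

# Allow-list for member names: plain path characters only. Anything else
# (backticks, $, ;, |, quotes, newlines, spaces) could be interpreted by a
# shell if the name were ever interpolated into a command string, which is
# how a crafted tar member name reaches a Perl qx call.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/@+-]+$")


def unsafe_members(tar_bytes: bytes) -> list:
    """Return the member names of an in-memory tar that fail validation."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name
            traversal = name.startswith("/") or ".." in name.split("/")
            if not SAFE_NAME.fullmatch(name) or traversal:
                bad.append(name)
    return bad


def safe_to_process(tar_bytes: bytes) -> bool:
    """Reject the whole archive if any single member name is suspect."""
    return not unsafe_members(tar_bytes)


def scan_command(path: str) -> list:
    """Hypothetical scanner invocation: an argv list, never a shell string,
    so the file name is passed as one argument and no shell parses it."""
    return ["/usr/local/bin/scanner", "--", path]


def build_archive(names) -> bytes:
    """Constructed sample: build a tar in memory with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_archive(["attachments/report.pdf", "notes.txt"])
    hostile = build_archive(["ok.txt", "report`x`.pdf", "a|b.txt"])
    print(unsafe_members(clean))    # []
    print(unsafe_members(hostile))  # ['report`x`.pdf', 'a|b.txt']
```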
The company only became aware of the vulnerability on May 19, a day after a customer alerted it to suspicious traffic from ESG appliances, and it hired cybersecurity firm Mandiant to help investigate. It had patched the vulnerability by May 20, according to Barracuda's report on the matter.
However, it was only through further investigation, which concluded on May 24, that it realized bad actors had been actively installing multiple malware strains and stealing data from its customers.
Barracuda's Containment Plan
Barracuda mentioned it is deploying a series of security patches to all appliances as part of its containment strategy.
"Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take," Barracuda said in a recent statement. "Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation."
The company identified several malware families that the bad actors installed while exploiting the vulnerability. These include packages tracked as Saltwater, Seaside, and Seaspy.
Saltwater is a malicious module with backdoor functionality that gives bad actors the ability to upload or download arbitrary files, execute commands, and provide proxy and tunneling capabilities through the vulnerability.
Meanwhile, Seaside is an x64 executable that provides a persistent backdoor posing as a legitimate Barracuda Networks service, one that stores binaries, libraries, and core dumps on disk in Linux and Unix-based systems. This malware is essentially responsible for collecting data for bad actors to download.
Finally, Seaspy is a module that monitors SMTP commands, including HELO/EHLO, to receive a command-and-control IP address and port, which it uses to establish a reverse shell.