Barracuda Networks Discovers Abuse of Patched Zero-Day Vulnerability

Barracuda Networks customers may have been vulnerable to a cyberattack for a very long time.

The network and email security firm recently discovered that cybercriminals have been abusing a recently patched zero-day vulnerability for more than five months to steal data and drop malware on customers' Email Security Gateway (ESG) appliances.

Barracuda advises customers to check their ESG appliances for any unusual behavior and to dispatch those that have been breached, per Bleeping Computer.

[Image: stock photo illustration of a hand on a keyboard with binary code displayed on a laptop screen, taken in Krakow, Poland, on August 17, 2021. Photo by Jakub Porzycki/NurPhoto via Getty Images]

Details of the Exploited Barracuda Zero-Day Vulnerability

Barracuda recently revealed that cybercriminals and bad actors have been abusing a critical zero-day vulnerability, which it patched around ten days ago, for at least seven months to compromise customers' ESG appliances.

According to the company, these bad actors have been exploiting this critical zero-day vulnerability, tracked as CVE-2023-2868, to install multiple malware strains inside large organizations' networks and steal data, per Ars Technica. While the exact date is unknown as of press time, Barracuda states in its report that bad actors have been exploiting the vulnerability since Oct. 2022, meaning that a significant number of customers may have fallen victim to malware and data theft since then.

The vulnerability in question is a remote command injection vulnerability caused by incomplete input validation of user-supplied .tar files, which are used to pack or archive multiple files. When a bad actor formats a file name in a particular way, they can execute system commands through the qx operator, a quote-like operator in the Perl programming language.
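The missing check described above, as an added example that is not Barracuda's code (the appliance logic is Perl; this is an independent Python illustration): every member name in a .tar archive is validated against a strict allow-list, and absolute paths and ".." components are rejected, before any name could be handed to code that builds a shell command. The sample archive is constructed in memory for the demonstration.

```python
import io
import re
import tarfile

# Allow-list for archive member names: letters, digits, dot, dash, underscore
# and forward slash. Spaces, quotes, backticks, semicolons, "$(" and similar
# shell metacharacters fail the match and never reach a shell-interpolating call.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def unsafe_members(tar_bytes: bytes) -> list[str]:
    """Return the member names of a tar archive that fail validation.

    A name is rejected if it contains characters outside the allow-list,
    starts with "/" (absolute path), or contains a ".." path component
    (traversal). The returned list is what a gateway should log and refuse.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if (not SAFE_NAME.fullmatch(name)
                    or name.startswith("/")
                    or ".." in name.split("/")):
                bad.append(name)
    return bad


def build_tar(names: list[str]) -> bytes:
    """Constructed sample input: an in-memory archive with one empty file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed member names: one benign, one with a shell metacharacter,
    # one attempting path traversal.
    sample = build_tar(["docs/readme.txt", "invoice;x.pdf", "../etc/passwd"])
    print(unsafe_members(sample))  # ['invoice;x.pdf', '../etc/passwd']
```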

The company only became aware of the vulnerability on May 19, a day after a customer alerted it to suspicious traffic from ESG appliances, and hired cybersecurity firm Mandiant to help investigate. According to Barracuda's report, it had patched the vulnerability across its systems by May 20.

However, it was only through further investigation, which ended on May 24, that the company realized bad actors had been actively installing multiple malware strains and stealing data from its customers.

Barracuda's Containment Plan

Barracuda mentioned it is deploying a series of security patches to all appliances as part of its containment strategy.

"Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take," Barracuda said in a recent statement. "Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation."

The company identified more than a handful of malware strains that the bad actors installed while exploiting the vulnerability. These include packages tracked as Saltwater, Seaside, and Seaspy.

Saltwater is a malicious module with backdoor functionality that gives bad actors the ability to upload or download arbitrary files, execute commands, and use proxy and tunneling capabilities on appliances compromised through the vulnerability.

Meanwhile, Seaside is an x64 executable that provides a persistent backdoor and poses as a legitimate Barracuda Networks service that stores binaries, libraries, and core dumps on disk in Linux and Unix-based systems. This malware is essentially responsible for stealing data for bad actors to download.

Finally, Seaspy is a module that monitors commands, including SMTP HELO/EHLO, to receive a command-and-control IP address and port, which it uses to establish a reverse shell.

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
