Important Barracuda 0-day was used to backdoor networks for 8 months

Important Barracuda 0-day was used to backdoor networks for 8 months


A stylized skull and crossbones made out of ones and zeroes.

A vital vulnerability patched 10 days in the past in extensively used e mail software program from IT safety firm Barracuda Networks has been underneath energetic exploitation since October. The vulnerability has been used to put in a number of items of malware inside giant group networks and steal knowledge, Barracuda mentioned Tuesday.

The software program bug, tracked as CVE-2023-2868, is a distant command injection vulnerability that stems from incomplete enter validation of user-supplied .tar recordsdata, that are used to pack or archive a number of recordsdata. When file names are formatted in a specific manner, an attacker can execute system instructions by means of the QX operator, a perform within the Perl programming language that handles citation marks. The vulnerability is current within the Barracuda Electronic mail Safety Gateway variations by means of; Barracuda issued a patch 10 days in the past.

On Tuesday, Barracuda notified clients that CVE-2023-2868 has been underneath energetic exploitation since October in assaults that allowed menace actors to put in a number of items of malware to be used in exfiltrating delicate knowledge out of contaminated networks.

“Customers whose home equipment we consider have been impacted have been notified through the ESG person interface of actions to take,” Tuesday’s discover said. “Barracuda has additionally reached out to those particular clients. Extra clients could also be recognized in the middle of the investigation.”

Malware recognized to this point contains packages tracked as Saltwater, Seaside, and Seaspy. Saltwater is a malicious module for the SMTP daemon (bsmtpd) that the Barracuda ESG makes use of. The module incorporates backdoor performance that features the flexibility to add or obtain arbitrary recordsdata, execute instructions, and supply proxy and tunneling capabilities.

Seaside is an x64 executable in ELF (executable and linkable format), which shops binaries, libraries, and core dumps on disks in Linux and Unix-based methods. It gives a persistence backdoor that poses as a reputable Barracuda Networks service and establishes itself as a PCAP filter for capturing knowledge packets flowing by means of a community and performing varied operations. Seaside displays monitoring on port 25, which is used for SMTP-based e mail.

It may be activated utilizing a “magic packet” that’s recognized solely to the attacker however seems innocuous to all others. Mandiant, the safety agency Barracuda employed to analyze the assaults, mentioned it discovered code in Seaspy that overlaps with the publicly accessible cd00r backdoor.

Seaside, in the meantime, is a module for the Barracuda SMTP daemon (bsmtpd) that displays instructions, together with SMTP HELO/EHLO to obtain a command and management IP deal with and port to determine a reverse shell.

Tuesday’s discover contains cryptographic hashes, IP addresses, file places, and different indicators of compromise related to the exploit of CVE-2023-2868 and the set up of the malware. Firm officers additionally urged all impacted clients to take the next actions:

  1. Guarantee your ESG equipment is receiving and making use of updates, definitions, and safety patches from Barracuda. Contact Barracuda assist ( to validate if the equipment is updated.
  2. Discontinue the usage of the compromised ESG equipment and call Barracuda assist ( to acquire a brand new ESG digital or {hardware} equipment.
  3. Rotate any relevant credentials related to the ESG equipment:
    o  Any related LDAP/AD
    o  Barracuda Cloud Management
    o  FTP Server
    o  SMB
    o  Any personal TLS certificates
  4. Evaluation your community logs for any of the [indicators of compromise] and any unknown IPs. Contact if any are recognized.

The Cybersecurity and Infrastructure Safety Company added CVE-2023-2868 to its checklist of recognized exploited vulnerabilities on Friday.


Leave a Reply

Back To Top
Theme Mode