Barracuda discloses zero-day vulnerability

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Barracuda Networks has disclosed a zero-day security vulnerability, tracked as CVE-2023-2868 (CVSSv3 score 9.4, Critical). The vulnerability has been exploited against customers of the Barracuda Email Security Gateway (ESG) appliance. At the time of writing, the vulnerability is known to exist within a module that screens the attachments of incoming emails.

CVE-2023-2868 is a remote command injection flaw that arises from a failure to comprehensively sanitise input when processing ‘.tar’ files.

As of the time of writing, Barracuda has reached out to impacted users with a set of recommended actions.

Update: 10th August 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that the recently discovered Barracuda Email Security Gateway (ESG) security flaw, tracked as CVE-2023-2868, is now being exploited to deploy a backdoor malware strain named Whirlpool. Threat actors have been using the backdoor to provide reverse shell capabilities for additional malware strains.

Update: 31st May 2023

The recently disclosed Barracuda vulnerability, tracked as CVE-2023-2868, has reportedly been exploited since October 2022 to deploy three malware variants:

– ‘SALTWATER’: A ‘trojanized’ Barracuda SMTP module with backdoor functionality. The malware can upload or download arbitrary files and execute commands.

– ‘SEASPY’: An x64 ELF backdoor that masquerades as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP).

– ‘SEASIDE’: A Lua-based Barracuda SMTP module that monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP address and port.

Barracuda Networks conducted an investigation into the original vulnerability and has since disclosed the Indicators of Compromise (IoCs), as well as additional findings, within its investigation report.

Update: 15th June 2023

Exploitation of the recently disclosed Barracuda vulnerability, tracked as CVE-2023-2868, has been attributed to the threat actor named UNC4841. The associated attack campaign has been dated back to 22nd October 2022.

The threat actor group initiated these attacks by delivering malicious emails containing ‘.tar’ file attachments. When the Barracuda Email Security Gateway (ESG) scans these attachments, they exploit the vulnerability to achieve remote code execution on the target device.

Update: 1st August 2023

The Chinese threat actor group named ‘UNC4841’ has deployed the Submarine backdoor malware following exploitation of the previously disclosed Barracuda zero-day vulnerability, tracked as CVE-2023-2868.

Impact

Successful exploitation of CVE-2023-2868 has resulted in threat actors gaining unauthorised access to email gateway appliances. As the vulnerability originates from incomplete input validation of a user-supplied ‘.tar’ file, a remote threat actor can craft such a file so that a system command is executed remotely through Perl’s qx operator, with the privileges of the ESG product.

Affected Products

– Barracuda Email Security Gateway appliances

Containment, Mitigations & Remediations

Barracuda has investigated the issue pertaining to the ESG product. This issue was remediated as part of the BNSF-36456 patch, which was automatically applied to all client appliances.

As an additional security measure, it is strongly recommended that impacted organisations inspect their environment to ensure that threat actors have not pivoted laterally to additional systems on the network.

Update: 31st May 2023

It is strongly recommended that users adhere to the following mitigation steps to prevent exploitation:

– Ensure that the ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda. Contact Barracuda support ([email protected]) to verify whether or not the appliance is up to date.

– Discontinue the use of the compromised ESG appliance and contact Barracuda support ([email protected]) to obtain a new ESG virtual or hardware appliance.

– Rotate any of the following applicable credentials connected to the ESG appliance:

  – Any connected LDAP/AD

  – Barracuda Cloud Control

  – FTP Server

  – SMB

  – Any private TLS certificates

– Review network logs for any of the IoCs listed below.

On the 6th of June 2023, Barracuda released an updated advisory stating that any impacted ESG appliances must be replaced immediately, regardless of which patch version has been applied.
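One way to carry out the log review recommended above against the bulletin's defanged indicators, as an added example that is not part of the original bulletin or of any Barracuda tooling. It reverses the ‘[.]’ defanging, matches hostnames in log lines against the two published domains (exact match or subdomain, never a superstring), and checks a file's MD5 against the published SEASIDE hash; the hostname pattern and the sample log lines are constructed for illustration.

```python
import hashlib
import re

# Indicators as published in the bulletin (defanged). The SEASIDE MD5 and the two
# domains are taken from the IoC section; nothing else is assumed.
DEFANGED_DOMAINS = ["xxl17z[.]dnslog[.]cn", "mx01[.]bestfindthetruth[.]com"]
SEASIDE_MD5 = {"cd2813f0260d63ad5adf0446253c2172"}

# Candidate hostnames in a log line: dotted labels ending in an alphabetic TLD,
# so IPv4 literals and timestamps are not picked up (constructed pattern).
HOST_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}")


def refang(indicator: str) -> str:
    """Reverse the bulletin's defanging ('[.]' for '.') so values can be compared."""
    return indicator.replace("[.]", ".").lower()


def domain_hits(line: str, domains) -> list:
    """Return each indicator that a hostname in `line` equals or is a subdomain of.
    A trailing dot (DNS FQDN form) is stripped; a superstring such as
    'notbestfindthetruth.com' does not match."""
    hits = []
    for tok in HOST_TOKEN.findall(line):
        host = tok.lower().rstrip(".")
        for d in domains:
            if host == d or host.endswith("." + d):
                hits.append(d)
    return hits


def scan_log(lines, defanged_domains) -> list:
    """(line_number, indicator) pairs for every hit across the log."""
    domains = [refang(d) for d in defanged_domains]
    return [(n, d) for n, line in enumerate(lines, 1) for d in domain_hits(line, domains)]


def is_seaside_sample(data: bytes) -> bool:
    """True if a file's MD5 matches the SEASIDE hash given in the bulletin."""
    return hashlib.md5(data).hexdigest() in SEASIDE_MD5


# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = [
    "2023-05-24T10:01:02Z dns A xxl17z.dnslog.cn. client=10.0.0.5",
    "2023-05-24T10:01:07Z smtp EHLO mx01.bestfindthetruth.com peer=10.0.0.5",
    "2023-05-24T10:02:11Z dns A notbestfindthetruth.com. client=10.0.0.9",
    "2023-05-24T10:03:00Z smtp EHLO mail.example.org peer=10.0.0.7",
]

if __name__ == "__main__":
    for n, d in scan_log(SAMPLE_LOG, DEFANGED_DOMAINS):
        print(f"line {n}: hostname matches indicator {d}")
```

Lines 1 and 2 of the sample match; line 3 is deliberately a superstring of a published domain and is not reported.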

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Update: 31st May 2023

SALTWATER Associated File Hashes (MD5):


SEASPY associated file hashes (MD5):


SEASIDE associated file hashes (MD5):

– cd2813f0260d63ad5adf0446253c2172

Miscellaneous file hashes (MD5):


IP address indicators:


Domain indicators:

– xxl17z[.]dnslog[.]cn

– mx01[.]bestfindthetruth[.]com

Update: 1st August 2023

UNC4841 associated file hashes (MD5):


UNC4841 associated IP Addresses:


UNC4841 associated domains:


Threat Landscape

Barracuda holds a significant share of the networking-hardware market. Additionally, its security solutions are used by more than 200,000 organisations throughout the world, including high-profile companies such as Mitsubishi, Samsung and Delta Airlines. Given that threat actors generally weigh a combination of probability and asset value when deciding which attack surfaces to focus on, Barracuda products could emerge as a prime target. Because such products have become an integral part of business operations, threat actors will continue to exploit vulnerabilities in these systems in an attempt to extract the sensitive information they hold.

Update: 10th August 2023

The Chinese state-affiliated threat actor group, tracked as UNC4841, has deployed the Whirlpool malware in aggressive cyber espionage campaigns that date back to October 2022. As of the time of writing, the campaign has impacted both private and public sector organisations across various industry sectors in 16 national regions.

As the primary objective of Chinese state-sponsored threat actor groups is cyber espionage, it is highly likely that affiliated groups such as UNC4841 will continue to conduct campaigns and exploit known security vulnerabilities in an attempt to meet their politically driven goals.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Update: 15th June 2023

UNC4841 is a Chinese state-sponsored threat actor group that conducts cyber espionage campaigns. The group is highly responsive to defensive efforts, and they have been observed using spear-phishing emails and diversifying their persistence mechanisms to evade Indicator of Compromise (IoC)-based defences.

UNC4841 has targeted victims in multiple countries, including Taiwan, and has been linked to previous China-nexus espionage operations.

Based on recent trends, it is highly likely that UNC4841 will continue altering its tactics, techniques and procedures (TTPs) and modifying its toolkit to evade detection of its cyber operations, such as the exploitation of the Barracuda ESG zero-day vulnerability and the subsequent data theft attacks.

Update: 1st August 2023

The threat actor UNC4841 is almost certainly a Chinese cyber espionage group and has been active since at least October 2022. The group has conducted an attack campaign exploiting the zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances to target public and private organisations worldwide. UNC4841 has developed custom malware payloads, such as Submarine (Depthcharge), Saltwater, Seaspy and Seaside, which it deploys to gain backdoor access, exfiltrate data, and deliver follow-on payloads. The group has been observed targeting specific data of interest, conducting lateral movement, and searching for specific email messages on target systems, all for the purposes of cyber espionage. Given the group’s assessed ties with the Chinese government, it is almost certain that its cyber operations are being conducted to advance the geopolitical objectives of the Chinese state.

MITRE Methodologies

Common Weakness Enumeration:

CWE-20 – Improper Input Validation

Further Information

Barracuda Advisory

Mandiant Report

CISA Advisory

Update: 10th August 2023

CISA Advisory


Intelligence Terminology Yardstick

(TIDC-0001)