Dive Brief:
- Hackers affiliated with the People’s Republic of China are still attempting to exploit a zero-day vulnerability in Barracuda Networks’ Email Security Gateway appliances, the FBI said in an alert issued Wednesday.
- The patches issued for the vulnerability, CVE-2023-2868, are ineffective and hackers can still exploit it, the FBI said. All affected appliances should be disconnected from the internet and replaced.
- The PRC-linked hackers have exploited the vulnerability to insert malicious payloads onto ESG devices and conduct multiple types of attacks, obtaining persistent access, scanning email, harvesting credentials and exfiltrating stored data.
Dive Insight:
The vulnerability is a remote command injection flaw that allows attackers to execute unauthorized commands with administrator privileges on the devices, according to the FBI.
The hackers have crafted malicious TAR file attachments and sent them in emails using .tar extensions as well as .jpg or .dat extensions. The hackers have also employed counter-forensic techniques to hide their actions.
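The attachment pattern described above (TAR content delivered under a .jpg or .dat name) can be checked at the mail gateway or during log review by looking at what the bytes actually are rather than at the filename. The following is an added triage example written for this article; it is not code from the article, the FBI, Barracuda or Mandiant. It relies on two things: POSIX/GNU tar headers carry the magic string `ustar` at byte offset 257, and Python's standard `tarfile` module can parse older V7 archives that have no magic at all. The attachment records are constructed samples built inline.

```python
import io
import tarfile

# POSIX ustar and GNU tar both place "ustar" at offset 257 of the first header block.
TAR_MAGIC_OFFSET = 257
TAR_MAGIC = b"ustar"

# Extensions the article reports being used to disguise TAR attachments.
DISGUISE_EXTENSIONS = {"jpg", "jpeg", "dat"}


def looks_like_tar(data: bytes) -> bool:
    """Return True if the bytes parse as a tar archive.

    Fast path: check the ustar magic. Fallback: let tarfile try to read the
    first member, which also catches V7 archives that have no magic string.
    """
    end = TAR_MAGIC_OFFSET + len(TAR_MAGIC)
    if len(data) >= end and data[TAR_MAGIC_OFFSET:end] == TAR_MAGIC:
        return True
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return tf.next() is not None
    except (tarfile.TarError, EOFError, ValueError):
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment as 'tar_disguised', 'tar' or 'other'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if looks_like_tar(data):
        return "tar_disguised" if ext in DISGUISE_EXTENSIONS else "tar"
    return "other"


def triage(attachments):
    """Return (filename, verdict) for every (filename, bytes) pair."""
    return [(name, classify_attachment(name, data)) for name, data in attachments]


def build_tar(member_name: str, payload: bytes) -> bytes:
    """Build a small in-memory tar archive (constructed sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample attachments: names and contents are made up for this example.
SAMPLE_ATTACHMENTS = [
    ("report.tar", build_tar("readme.txt", b"constructed sample")),
    ("holiday.jpg", build_tar("notes.txt", b"constructed sample")),  # tar bytes, .jpg name
    ("data.dat", build_tar("notes.txt", b"constructed sample")),     # tar bytes, .dat name
    ("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 600),                # JPEG SOI marker, not tar
]


def flagged_names(attachments=SAMPLE_ATTACHMENTS):
    """Names of attachments whose extension hides tar content."""
    return [name for name, verdict in triage(attachments) if verdict == "tar_disguised"]


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"{name:12s} {verdict}")
```

A match on `tar_disguised` is a review signal, not proof of compromise: the check says only that a file was named to look like an image or data file while carrying an archive, which is exactly the mismatch worth pulling from the email logs the FBI asks customers to review.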
In June, Barracuda urged customers to replace the compromised devices, as the vulnerability had been actively exploited since October. Repeated patches were not able to protect against the continued threat activity.
Barracuda has been working with Mandiant to respond to the attacks, and has not found any evidence of successful attacks after the release of the May 20 patch, according to Austin Larsen, senior incident response manager at Mandiant, a unit of Google Cloud.
“However, the threat actor deployed additional malware to devices that were already compromised and conducted additional post-exploitation activities,” Larsen said via email.
Mandiant in June released research showing the hackers were involved in a broad, sophisticated espionage campaign.
A limited number of victims who were previously impacted by the vulnerability failed to follow Barracuda’s guidance to replace their appliances and still face the risk of attack, according to Mandiant.
The threat actor, which Mandiant identifies as UNC4841, “has shown a special interest in a subset of priority victims,” Larsen said.
The hackers have deployed additional malware, including a family called Depthcharge, to maintain persistence in response to the remediation efforts, Larsen said.
The Cybersecurity and Infrastructure Security Agency earlier this month issued additional analysis of malware associated with the Barracuda attacks.
The company on Wednesday said its guidance to customers remains consistent. Organizations that received a notification or have been contacted by a technical support representative from Barracuda should contact the vendor to replace the appliance.
The FBI is urging appliance customers to review email logs, revoke and reissue credentials used on the devices and review network logs for signs of exfiltration and lateral movement.