According to reports, hackers have been exploiting a zero-day vulnerability in a Barracuda Networks product for several months to target countless organizations with numerous pieces of malware.
The company said it patched a critical vulnerability tracked as CVE-2023-2868 that has been exploited by cybercriminals since October 2022. The email software in question is called the Barracuda Email Security Gateway (ESG) and is present in versions from 5.1.3.001 to 9.2.0.006 being vulnerable.
“Users whose devices we believe have been compromised have been notified via the ESG UI of the action to take,” the company said in security consultancy. “Barracuda also contacted these specific customers. Additional customers may be identified during the investigation.”
Three Malware Families
So far, Barracuda claims to have detected three families of malware distributed via zero-day: Saltwater, Seaside, and Seaspy.
The former allows cybercriminals to download and upload files and run commands, among other things. Seaside is a persistent backdoor while the latter is used to receive the IP address and port C2 to establish a reverse shell.
To make sure your organization is secure, follow these steps:
- Update your ESG device and make sure it is updated regularly
- Stop using your infected ESG device
- Change the credentials of your ESG devices whenever possible, including any connected LDAP/AD, Barracuda Cloud Control, FTP server, SMB, and any private TLS certificates.
- The company also invites any customers who believe they may have been targeted to contact support at email@example.com.
Finally, organizations should review their network logs and look for possible signs of a security breach or unknown IP addresses.
According to the National Vulnerability Database, the vulnerability is a remote command injection vulnerability that arises when a device is unable to comprehensively clean up the processing of .tar files (tape archives). In other words, formatting filenames in a certain way allows attackers to execute system commands.