FBI Alert: Barracuda ESG Appliances Remain Vulnerable Despite Patch Efforts

The Federal Bureau of Investigation (FBI) has issued a warning regarding the ongoing vulnerability of Barracuda Email Security Gateway (ESG) appliances, even after patches were released to address a critical remote command injection flaw.

The agency stated that the patches provided by Barracuda have proven to be ‘ineffective,’ because appliances that were compromised before being patched remain under attacker control even after the patch is applied.

Tracked as CVE-2023-2868, the vulnerability was exploited as a zero-day from at least October 2022, giving the attackers unauthorized access to ESG appliances and allowing them to exfiltrate data from the compromised systems.

The attackers introduced previously undiscovered malware strains, namely SeaSpy and Saltwater, along with a malicious tool named SeaSide, enabling the establishment of reverse shells for remote access.

Subsequently, the Cybersecurity and Infrastructure Security Agency (CISA) disclosed additional details about the Submarine and Whirlpool malware, which were used in the same attack campaigns. CISA added this bug to its catalog of actively exploited vulnerabilities on May 27, requiring federal agencies to scrutinize their networks for signs of unauthorized access.

Barracuda remotely pushed patches to all appliances on May 20, one day after identifying the vulnerability, and cut off the attackers’ access to breached devices. Even so, on June 7 it warned all customers to replace affected appliances immediately, most likely because it could not be certain that the malware introduced during the attacks had been fully removed.

Mandiant later connected the data theft scheme that targeted Barracuda ESG appliances using CVE-2023-2868 exploits to UNC4841, a suspected hacking group with ties to China.

The FBI has reinforced Barracuda’s advisory, emphasizing the urgent need for customers to isolate and replace compromised appliances. It stressed that Chinese hackers are actively exploiting the vulnerability, and even patched devices remain susceptible due to the ‘ineffective’ nature of the patches. The FBI stated, ‘The patches released by Barracuda in response to this CVE were ineffective.

The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit. The FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability.’

Furthermore, the FBI recommended that Barracuda customers investigate their networks for further signs of compromise. One concrete check is to review firewall or flow logs for outbound connections, from the ESG appliances or any other host, to the IP addresses listed as indicators of compromise (IOCs) in the advisory.
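The following is an added example of that IOC sweep, not code from the FBI advisory or from Barracuda. It parses a few constructed firewall log lines in a generic key=value format and flags outbound connections whose destination falls inside an IOC address or network. The IOC list here uses RFC 5737 documentation addresses as placeholders only; substitute the addresses from the advisory, and adapt the regular expression to the log format your firewall actually exports.

```python
import ipaddress
import re

# Placeholder IOC entries (RFC 5737 documentation ranges). These are NOT the
# addresses from the FBI advisory; replace them with the advisory's list.
# Single addresses and CIDR networks are both accepted.
IOC_ADDRESSES = [
    "192.0.2.45",
    "198.51.100.0/24",
    "203.0.113.77",
]

# Constructed sample firewall log lines. Real exports differ by vendor, so
# adjust LOG_RE to match the fields your firewall emits.
SAMPLE_LOGS = """
2023-08-24T10:01:02Z action=allow src=10.20.30.40 dst=52.96.0.1 dport=443 proto=tcp
2023-08-24T10:01:09Z action=allow src=10.20.30.40 dst=192.0.2.45 dport=443 proto=tcp
2023-08-24T10:02:15Z action=allow src=10.20.30.41 dst=198.51.100.200 dport=8080 proto=tcp
2023-08-24T10:03:00Z action=allow src=10.20.30.40 dst=10.20.30.1 dport=25 proto=tcp
2023-08-24T10:04:30Z action=deny src=10.99.0.5 dst=203.0.113.77 dport=22 proto=tcp
""".strip()

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def build_ioc_networks(iocs):
    """Normalise IOC strings into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in iocs]


def match_ioc(addr, networks):
    """Return the matching IOC network as a string, or None if addr is clean."""
    ip = ipaddress.ip_address(addr)
    for net in networks:
        if ip in net:
            return str(net)
    return None


def scan_logs(log_text, iocs, source_ips=None):
    """Flag log lines whose destination hits an IOC.

    source_ips: optional set of source addresses to restrict the sweep to
    (e.g. the ESG appliances); None scans every source, which is the safer
    choice since the attackers may already have moved laterally.
    Denied connections are reported too: a blocked beacon is still evidence
    that a host tried to reach attacker infrastructure.
    """
    networks = build_ioc_networks(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool should count these
        if source_ips is not None and m["src"] not in source_ips:
            continue
        ioc = match_ioc(m["dst"], networks)
        if ioc is None:
            continue
        hits.append({
            "ts": m["ts"],
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "ioc": ioc,
        })
    return hits


if __name__ == "__main__":
    # Hypothetical appliance addresses used only for this demonstration.
    appliances = {"10.20.30.40", "10.20.30.41"}
    for hit in scan_logs(SAMPLE_LOGS, IOC_ADDRESSES, appliances):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"({hit['action']}) matches IOC {hit['ioc']}")
```

A hit is a lead, not a verdict: confirm it against the advisory's full IOC set and the appliance's own logs, and treat any matching appliance as compromised in line with the FBI's guidance to isolate and replace it rather than rely on the patch.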

Customers who configured their Barracuda appliances with enterprise-privileged credentials, such as Active Directory Domain Admin accounts, were strongly advised to revoke and rotate those credentials, since any credential stored on a compromised appliance should be assumed stolen and usable by the attackers to maintain persistence in the wider network.

Barracuda serves more than 200,000 organizations worldwide with its security products, including renowned companies like Samsung, Delta Airlines, Mitsubishi, and Kraft Heinz.