Fishy Zero Day Exploits
The Cybersecurity and Infrastructure Security Agency (CISA) maintains a regularly updated list of Known Exploited Vulnerabilities (KEV) in order to provide a better understanding of threats posed by software vulnerabilities that are actively exploited “in the wild.”
Recently, the agency issued a warning about a zero-day vulnerability found in Barracuda Email Security Gateway (ESG) appliances, denoted as CVE-2023-2868, which has now been added to the KEV.
This particular software solution is used by more than 200,000 organizations worldwide, including very large companies such as Samsung, Mitsubishi, Kraft Heinz, and Delta Airlines. The zero-day exploit in question targeted Barracuda’s ESG appliances, leading to unauthorized access to a subset of these devices. Federal Civilian Executive Branch Agencies (FCEB) were initially directed to patch or mitigate the vulnerability, but Barracuda swiftly deployed two security patches rendering the directive unnecessary.
The flaw was officially identified on May 19, 2023, and Barracuda promptly responded by applying a security patch to all ESG appliances on May 20 and blocking the attackers’ access the following day. However, after analysis, the exploit was found to have been used as early as October 2022 and had been actively abused for at least seven months before the patches were deployed. Barracuda’s investigation discovered that threat actors had installed backdoors on compromised ESG appliances and had managed to steal data.
The exploit resulted in the deployment of several previously unknown malware strains, specifically designed to be used on compromised ESG appliances.
Saltwater, for example, is a malicious Barracuda SMTP daemon (bsmtpd) module that provides attackers with backdoor access to infected appliances. Another strain deployed during this campaign, SeaSpy, monitors port 25 (SMTP) traffic. The threat actors also used a malicious bsmtpd module dubbed SeaSide to establish reverse shells, triggered by SMTP HELO/EHLO commands sent from the malware’s command-and-control (C2) server.
Despite the swift response from Barracuda and the subsequent patches deployed, this case underscores the inherent risks associated with software vulnerabilities. The time that elapses between the identification of a vulnerability and the deployment of a patch represents a window of opportunity for malicious actors. This period, in which a vulnerability might not be publicly known yet, allows for potential exploits to fly under the cybersecurity radar.
The specificity of the malware tools used, their tight coupling with ESG’s regular software, and the way they preserved the normal operation of ESG while adding malicious behavior are clear telltale signs of how long it took to develop, test, and deploy such tools. Together they show how far in advance the threat actors were working on the vulnerability before it was publicly acknowledged.
To mitigate the risk of such attacks, CISA advises both federal agencies and private companies to prioritize patching the bugs on the KEV list. Customers are also advised to ensure that their ESG appliances are up to date, stop using breached appliances and request a new virtual or hardware appliance, rotate all credentials linked to hacked appliances, and check their network logs for Indicators of Compromise (IoCs) and connections from unknown IPs.
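Two of the points above lend themselves to a simple log-triage check: SeaSide is driven by SMTP HELO/EHLO commands, and customers are told to look for connections from unknown IPs. The script below is an added example, not code from Barracuda or from the original post; it assumes a hypothetical one-line-per-command log format and an allowlist of peers, both constructed here, and flags (a) HELO/EHLO sessions from IPs outside the allowlist and (b) HELO/EHLO arguments that are not a valid hostname or address literal under RFC 5321, which is the kind of anomaly a command channel hidden in HELO/EHLO would produce.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines (not from a real appliance). The assumed format is
# "timestamp client_ip COMMAND argument"; adapt the LINE regex to your own logs.
SAMPLE_LOG = """\
2023-05-19T10:01:02Z 203.0.113.10 EHLO mail.partner.example
2023-05-19T10:02:15Z 198.51.100.7 HELO mx2.example.net
2023-05-19T10:03:44Z 192.0.2.55 EHLO c2-ping:4a6f686e
2023-05-19T10:04:01Z 192.0.2.55 HELO [192.0.2.55]
2023-05-19T10:05:30Z 203.0.113.10 EHLO beacon;id=7
"""

# Hypothetical allowlist of peers expected to talk to the gateway on port 25.
KNOWN_PEERS = {ipaddress.ip_address("203.0.113.10"),
               ipaddress.ip_address("198.51.100.7")}

# RFC 5321 syntax for the HELO/EHLO argument: a domain name or an address literal.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})*"
_IPV4_LIT = r"\[(?:\d{1,3}\.){3}\d{1,3}\]"
_IPV6_LIT = r"\[IPv6:[0-9A-Fa-f:.]+\]"
HELO_ARG = re.compile(rf"^(?:{_DOMAIN}|{_IPV4_LIT}|{_IPV6_LIT})$")
LINE = re.compile(r"^(\S+) (\S+) (HELO|EHLO) (.*)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client_ip: str
    reason: str
    argument: str


def triage_smtp_log(text, known_peers=KNOWN_PEERS):
    """Return findings for unknown peers and malformed HELO/EHLO arguments."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a HELO/EHLO record in the assumed format
        ts, ip_str, cmd, arg = m.groups()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # unparseable client address; skip rather than crash
        if ip not in known_peers:
            findings.append(Finding(ts, ip_str, "unknown_peer", arg))
        if not HELO_ARG.match(arg):
            findings.append(Finding(ts, ip_str, f"malformed_{cmd.lower()}_argument", arg))
    return findings
```

Note that the last sample line comes from an allowlisted peer, so an IP allowlist alone would miss it; the argument check catches it.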
The Barracuda zero-day exploit underscores the complexity and ongoing challenges in managing software vulnerabilities. These vulnerabilities don’t simply come into existence the moment they’re published on a CVE tracker. They are analyzed, discussed, and probably passed among security researchers, the development teams behind the software, security mailing lists, and other outlets before being “publicly” divulged. This creates a significant window of vulnerability in which security software may not yet protect against or even detect the threat, while malicious actors can already be working on exploit code or even using it.