The FBI has issued a warning to Barracuda customers about a zero-day campaign against the Email Security Gateway (ESG) appliance. The attacks [1] [5] [6], attributed to a suspected China-nexus threat actor tracked as UNC4841, have compromised Barracuda ESG appliances [2], and appliances that were already compromised remain under attacker control even after the patch for the recently disclosed zero-day vulnerability (CVE-2023-2868) has been applied [2].

Description

The vulnerability is a remote command injection flaw in the appliance's handling of .tar email attachments, affecting ESG firmware versions 5.1.3.001 through 9.2.0.006, and UNC4841 has exploited it since October 2022. Barracuda issued patches, but the FBI has determined that they are ineffective against this intrusion activity: the patch closes the injection bug, yet it does not evict an attacker who already has a foothold, and continued malicious activity has been observed on patched appliances. Consequently, all exploited ESG appliances [5], including those that have been patched [4] [5], remain at risk of continued compromise [1] [5].

Exploitation requires nothing more than sending the target an email with a crafted .tar attachment [5]; the injected command gives the attacker a reverse shell on the appliance and, from there, persistent access to the victim's environment [5]. On top of the initial exploit, a backdoor called SUBMARINE (tracked by Mandiant as DEPTHCHARGE) has been deployed on compromised appliances [2]; it runs with root privileges and is the mechanism by which access persists across the patch [2] [5] [6].
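The bug class behind CVE-2023-2868, as an added example that is not Barracuda's code: the real flaw was in the appliance's Perl attachment-screening module, which let attacker-controlled member names from a .tar attachment reach a shell through Perl's qx operator. The Python sketch below reproduces the same pattern against a constructed in-memory archive (the injected payload is a harmless `echo`), then shows the hardened form: allowlist validation of member names before they are used, and an argv list with `shell=False` instead of a command string. The function names, regular expressions and sample member names are assumptions chosen for illustration; the `attachment_is_suspicious` helper is the kind of triage check a gateway or SOC could run over quarantined attachments.

```python
import io
import re
import subprocess
import tarfile

# Characters that let an archive member name break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$()<>{}\\\"'\s]")
# Allowlist for what a legitimate attachment member name is expected to look like.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]{1,255}$")


def build_tar(member_names):
    """Build an in-memory tar archive (constructed sample input, one 1-byte file per name)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in member_names:
            info = tarfile.TarInfo(name=name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()


def vulnerable_scan(tar_bytes):
    """Illustrative vulnerable pattern (hypothetical, not the appliance's code): the
    attacker-controlled member name is interpolated into a shell command line, so a
    name such as 'report.txt; echo INJECTED' runs a second command of the attacker's choosing."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            cmd = f"echo scanning {member.name}"  # BUG: untrusted data inside a shell string
            proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            results.append(proc.stdout)
    return results


def hardened_scan(tar_bytes):
    """Hardened form: reject member names that fail the allowlist or carry shell
    metacharacters, and never hand a name to a shell (argv list, shell=False)."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            name = member.name
            if SHELL_META.search(name) or not SAFE_NAME.match(name):
                rejected.append(name)
                continue
            # argv list: the name is a single argument, not shell syntax
            subprocess.run(["echo", "scanning", name], shell=False,
                           capture_output=True, text=True)
            accepted.append(name)
    return accepted, rejected


def attachment_is_suspicious(tar_bytes):
    """Triage check: True if any member name in the archive carries shell metacharacters."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return any(SHELL_META.search(m.name) for m in tf.getmembers())


# Constructed sample: one benign member and one with an injection payload in its name.
SAMPLE = build_tar(["report.txt", "report.txt; echo INJECTED"])

if __name__ == "__main__":
    print("vulnerable:", vulnerable_scan(SAMPLE))
    print("hardened:", hardened_scan(SAMPLE))
    print("suspicious:", attachment_is_suspicious(SAMPLE))
```

Running the block on Linux or macOS shows the second member's name causing `INJECTED` to appear in the vulnerable scanner's output, while the hardened scanner refuses the same member outright. The allowlist is deliberately strict; a real gateway would tune it to the filename conventions it actually needs to accept rather than widen the metacharacter denylist.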

Because the patch does not remove an existing foothold, both the FBI and Barracuda advise taking compromised appliances out of service immediately and replacing them rather than re-patching them [2], since malicious activity has continued on appliances after the patch was applied [2]. The FBI further recommends revoking and rotating every credential and certificate that was present on the appliance at the time of compromise [3] [7], and monitoring the network for signs of follow-on activity, since the appliance is typically used as a pivot into the rest of the environment [7].

Conclusion

The impact of this zero-day campaign is significant, particularly in the public sector, where data exfiltration has been observed. Patching alone is not a remediation for an appliance that was already exploited: the priority is to isolate and replace compromised devices, then revoke and rotate the credentials that were exposed on them [3] [7] and monitor for follow-on activity [1] [2] [3] [7], so that the attacker cannot reuse the access obtained through the appliance elsewhere in the network.

References

[1] https://thehackernews.com/2023/08/urgent-fbi-warning-barracuda-email.html
[2] https://www.spamtitan.com/blog/chinese-hackers-compromising-patched-barracuda-email-security-appliances/
[3] https://www.infosecurity-magazine.com/news/barracuda-appliances-exploited/
[4] https://www.redpacketsecurity.com/fbi-warns-of-patched-barracuda-esg-appliances-still-being-hacked/
[5] https://www.scmagazine.com/news/fbi-unplug-exploited-barracuda-esg-appliances-now
[6] https://www.techtarget.com/searchSecurity/news/366549574/FBI-Suspected-Chinese-actors-continue-Barracuda-ESG-attacks
[7] https://www.jsplaces.com/security-affairs/25/08/2023/fbi-patches-for-barracuda-esg-zero-day-cve-2023-2868-are-ineffective/