Update to Barracuda Exploit Reported Last Week: New Malware Strains and Patches

In an update on the Barracuda exploit reported last week, the company has revealed that its Email Security Gateway (ESG) appliances were targeted in an attack campaign exploiting a zero-day vulnerability, tracked as CVE-2023-2868. This flaw allowed unauthorised access to a subset of ESG appliances, leading to the deployment of three different malware strains: SALTWATER, SEASPY, and SEASIDE.

SALTWATER is a trojanised module capable of file manipulation, command execution, and malware tunneling. SEASPY, on the other hand, is an x64 ELF backdoor that overlaps with another publicly available backdoor called cd00r. The third strain, SEASIDE, is a Lua-based module for the Barracuda SMTP daemon, establishing communication with a Command and Control (C2) server.

The vulnerability, a command injection flaw, affected Barracuda ESG versions 5.1.3.001 to 9.2.0.006. Patches for the vulnerability were released on May 20 and May 21, and the Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, recommending patch application by June 16.

Barracuda has shared a list of endpoint and network indicators associated with the malware strains. Customers are advised to discontinue the use of compromised ESG appliances and obtain new ESG virtual or hardware appliances. This is a crucial step towards enhancing security and mitigating the risk of further exploits.

The recent exploit of Barracuda's ESG appliances underscores the importance of regular security updates and the need for robust cybersecurity measures. The company's swift response in patching the vulnerability and advising customers on remediation steps is commendable. However, organisations should remain vigilant and proactive in their cybersecurity efforts to prevent such incidents from occurring in the future.
