FBI confirms Barracuda patch is not effective for exploited ESG appliances

In an FBI Flash about a Barracuda ESG vulnerability, listed as CVE-2023-2868, the FBI has stated that the patches released by Barracuda in response to this CVE were ineffective for anyone previously infected. Although both Barracuda and Mandiant have already made this determination, the agency says it has “independently verified” it.

As we explained in an earlier post, the zero-day vulnerability was reportedly used in targeted attacks for months before the patch was issued, by a group that allegedly has ties to China.

On May 23, 2023, Barracuda posted that “a security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023.” The patch was followed by another on May 21, and users with impacted appliances were reportedly “notified via the ESG user interface of actions to take.”

On June 6, 2023, Barracuda sent out an action notice informing customers that impacted ESG appliances must be replaced immediately, signaling that patching alone would not suffice on an already-infected device.

Compromised ESG appliances must be immediately replaced regardless of patch version level. Only a subset of ESG appliances have shown any known indicators of compromise, and are identified by a message in the appliance User Interface.

On July 28, the company explained that SUBMARINE malware was found on infected devices that had been patched:

This additional malware was utilized by the threat actor in response to Barracuda’s remediation actions in an attempt to create persistent access on customer ESG appliances. This malware appeared on a very small number of already compromised ESG appliances.

In a blog post today, Mandiant confirmed that the patches appear to be effective, saying that since Barracuda released its patches, “Mandiant and Barracuda have not identified evidence of successful exploitation of CVE-2023-2868 resulting in any newly compromised physical or virtual ESG appliances.” The company goes on to reiterate that compromised organizations should replace their appliances:

…a limited number of previously impacted victims remain at risk due to this campaign … Mandiant’s recommendations remain unchanged — victims impacted by this campaign should contact Barracuda support and replace the compromised appliance.

The FBI has now independently verified the same findings.

the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability.

The flaw in Barracuda’s appliance is a remote command injection vulnerability which exists in the Barracuda Email Security Gateway (appliance form factor only). The vulnerability stems from incomplete input validation of file names contained in .tar file attachments. As a consequence, a remote attacker could specifically format these file names in a way that results in remotely executing a system command through Perl’s qx operator, with the privileges of the Email Security Gateway product.
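The root cause described above is a file name from an attachment reaching a shell unvalidated. The following added example (not Barracuda's code, and not a reconstruction of the ESG's actual processing) shows the defensive counterpart: a scanner that opens a .tar attachment in memory and flags member names carrying shell metacharacters or path traversal before anything else handles them. The archive contents and member names are constructed for the demonstration.

```python
"""Added example: flag hostile member names in a .tar attachment.

The check is meant to run before any step that could pass a name to a
shell (the qx-style interpolation described for CVE-2023-2868). It does
not model Barracuda's own code; names below are constructed samples.
"""
import io
import re
import tarfile

# Characters that change meaning once a name is interpolated into a shell
# command. Newline and quotes are included because they break quoting.
SHELL_META = re.compile(r"[`$;|&<>(){}\n\\'\"]")


def name_is_suspicious(name: str) -> bool:
    """Return True if a tar member name should be rejected outright."""
    if SHELL_META.search(name):
        return True
    # Absolute paths and '..' components are unsafe for any later extraction.
    if name.startswith("/") or ".." in name.split("/"):
        return True
    return False


def scan_tar(data: bytes) -> list:
    """Return the names of suspicious members in an in-memory tar archive."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if name_is_suspicious(member.name):
                flagged.append(member.name)
    return flagged


def build_sample_tar(names) -> bytes:
    """Constructed sample archive with empty files under the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# One benign name, one with a shell separator, one with path traversal.
SAMPLE = build_sample_tar(["report.pdf", "report;x.txt", "../etc/x"])

if __name__ == "__main__":
    print(scan_tar(SAMPLE))  # → ['report;x.txt', '../etc/x']
```

A gateway that rejects the whole attachment when `scan_tar` returns anything, and never builds a shell command string from member names at all, closes both halves of the described flaw.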

According to the FBI, the cybercriminals utilized this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration.

The Cybersecurity and Infrastructure Security Agency (CISA) has published four malware analysis reports based on malware variants associated with the exploitation of this vulnerability in Barracuda ESG appliances.

The CISA reports address:

In these reports and the FBI Flash you can find a host of Indicators of Compromise that are certainly worth pursuing if you have or had the Barracuda ESG appliance in your environment between October 2022 and now.

The FBI recommends that customers who used enterprise privileged credentials for management of their Barracuda appliances (such as Active Directory Domain Admin) should immediately take incident investigation steps to verify the use and behavior of any credentials used on their devices. Investigation steps may include:

  • Review email logs to identify the initial point of exposure
  • Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise
  • Revoke and reissue all certificates that were on the ESG at the time of compromise
  • Monitor entire network for the use of credentials that were on the ESG at the time of compromise
  • Review network logs for signs of data exfiltration and lateral movement
  • Capture forensic image of the appliance and conduct a forensic analysis