FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective

Malware & Threats

The FBI says that the patches Barracuda released in May for an exploited ESG zero-day vulnerability (CVE-2023-2868) were not effective.

By

Ionut Arghire

August 24, 2023

The Federal Bureau of Investigation says that the patches released for a recent Barracuda Email Security Gateway (ESG) vulnerability were not effective, advising organizations to “remove all ESG appliances immediately”.

Impacting Barracuda ESG versions 5.1.3.001 to 9.2.0.006, the security defect, tracked as CVE-2023-2868, has been exploited as a zero-day since at least October 2022, and continues to be targeted in attacks. Barracuda released patches for the bug in late May 2023.

In June, Mandiant attributed the attacks targeting CVE-2023-2868 to a Chinese state-sponsored cyberespionage group tracked as UNC4841. Since July, CISA has published several analysis reports detailing the payloads and malware families used in the attacks.

Now, the FBI warns (PDF) that the flaw is still being targeted in the wild, and that even ESG appliances running the patches released by Barracuda “remain at risk for continued computer network compromise from suspected [Chinese] cyber actors exploiting this vulnerability”.

“The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately,” the agency notes.

Because the vulnerability impacts the email scanning functionality of Barracuda ESG, adversaries can exploit it by sending emails containing crafted TAR file attachments that would trigger a command injection in the context of the appliance.
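As an added example (not from the article, the FBI, Barracuda or Mandiant): a defender-side pre-filter that inspects a TAR attachment's metadata before the archive reaches any scanning pipeline that might shell out, quarantining archives whose member names fall outside a strict allowlist, traverse directories, or cannot be parsed. It assumes the untrusted field is the archive member name, which the article does not specify; the sample archives are constructed inline.

```python
import io
import re
import tarfile

# Allowlist for archive member names. Anything outside this set (shell
# metacharacters, quotes, control bytes, non-ASCII) is flagged. Assumption:
# member names are the untrusted input; the article only says "crafted TAR".
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._/ -]+$")
MAX_NAME_LEN = 255


def _name_findings(name: str) -> list[str]:
    """Return a list of problems with one member name (empty list = clean)."""
    findings = []
    if not name:
        return ["empty member name"]
    if len(name) > MAX_NAME_LEN:
        findings.append("member name longer than %d bytes" % MAX_NAME_LEN)
    if not _SAFE_NAME.fullmatch(name):
        findings.append("member name contains characters outside the allowlist")
    if name.startswith("/") or ".." in name.split("/"):
        findings.append("member name is absolute or contains '..'")
    return findings


def inspect_tar_attachment(data: bytes) -> dict:
    """Inspect a TAR blob without extracting it.

    Returns {'verdict': 'allow' | 'quarantine', 'findings': [...]}.
    Unparseable archives are quarantined rather than passed through.
    """
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf:  # only headers are read; no data is extracted
                for f in _name_findings(member.name):
                    findings.append("%r: %s" % (member.name, f))
                if member.issym() or member.islnk():
                    findings.append("%r: link member -> %r" % (member.name, member.linkname))
    except tarfile.TarError as exc:
        findings.append("unparseable archive: %s" % exc)
    return {"verdict": "quarantine" if findings else "allow", "findings": findings}


def build_tar(names: list[str]) -> bytes:
    """Constructed sample input: a tar whose members have the given names and 1-byte bodies."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()
```

The check is deliberately conservative: a gateway that quarantines an odd-looking archive costs one false positive, while an archive that reaches a shell with untrusted metadata costs the appliance.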

As part of the observed attacks, the threat actors deployed various types of malware on the affected ESG appliances, allowing them to scan emails, harvest credentials, exfiltrate data, and maintain persistent access.

In some cases, the FBI says, the adversaries leveraged the compromised ESG for lateral movement into the victim’s network, or to send malicious emails to other appliances.

“The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit,” the agency notes.

The FBI says that only scanning the appliance itself for indicators of compromise (IoCs) is not enough to identify potential intrusions and advises organizations to also scan for outgoing connections, review email logs, rotate credentials, revoke and reissue associated certificates, review network logs, and monitor the entire network for abnormal activity.

In an emailed comment, Mandiant CEO Kevin Mandia confirmed that UNC4841 has shifted tactics since the initial report on this activity.

“Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868. This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide,” Mandia said.

“These types of attacks underscore a major shift in tradecraft from China-nexus threat actors, especially as they become more selective in their follow-on espionage operations,” he added.

Related: Barracuda Urges Customers to Replace Hacked Email Security Appliances

Related: New ‘Carderbee’ APT Targeted Chinese Security Software in Supply Chain Attack

Related: Industrial Organizations in Eastern Europe Targeted by Chinese Cyberspies

Written By

Ionut Arghire

Ionut Arghire is an international correspondent for SecurityWeek.
