www.barracuda.com
Open in
urlscan Pro
20.26.48.74
Public Scan
URL:
https://www.barracuda.com/company/legal/esg-vulnerability
Submission: On January 04 via api from IN — Scanned from GB
Submission: On January 04 via api from IN — Scanned from GB
Form analysis 2 forms found in the DOM
GET
<form class="cmp-header__mobile__search-form" accept-charset="utf-8" method="GET">
<input class="cmp-header__mobile__search-form__input addsearch addsearch-written" type="text" data-analytics-id="search" autocomplete="off" size="20" name="addsearch" title="search" data-addsearch-field="true" id="mobile-search-input"
aria-label="Search field" style="cursor: auto;">
</form>GET
<form accept-charset="utf-8" class="cmp-header__top-menu__search-form" data-cmp-hook-header="desktopSearchForm" method="GET">
<input type="text" data-analytics-id="search" autocomplete="off" size="20" data-cmp-hook-header="desktopSearchInput" class="cmp-header__top-menu__search-form__input addsearch addsearch-written" name="addsearch" title="search"
data-addsearch-field="true" id="desktop-search-input" aria-label="Search field" style="cursor: auto;">
</form>Text Content
Introducing Barracuda SecureEdge, enterprise-grade SASE for your business
MENU
HOME X
PRODUCTS SOLUTIONS SUPPORT PARTNERS COMPANY
Build your Ransomware Protection
Languages
CYBERSECURITY PLATFORM EMAIL PROTECTION APPLICATION PROTECTION NETWORK
PROTECTION DATA PROTECTION MANAGED XDR
AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
FEATURED SOLUTIONS INDUSTRIES DEPLOYMENTS TECHNOLOGIES
Build your Ransomware Protection
SERVICES TECHNICAL INFORMATION QUICK LINKS
Contact Support Downloads Product Login Customer Support Login
EXISTING PARTNERS BECOME A PARTNER FIND A PARTNER
Partner Portal Login Become a Partner
WHO WE ARE NEWS AND EVENTS LEGAL
Contact Us
English
Deutsch
Français
日本語
The Barracuda Cybersecurity Platform
Cyberattacks can come from anywhere. Barracuda protects you everywhere. Stop
modern attacks whether they hit your email, applications, network, or data.
* Explore the Platform
AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
Email Protection
Complete security that stops all 13 email threat types and protects Microsoft
365 data. Get started in minutes.
* THREAT PREVENTION
* Spam, Malware, and Advanced Threat Protection
* Phishing and Impersonation Protection
* Account Takeover Protection
* Domain Fraud Protection
* Web Security
* Zero Trust Access for Microsoft 365
* Free Email Threat Scan
* POST-DELIVERY DETECTION AND RESPONSE
* Incident Response
* Security Awareness Training
* DATA PROTECTION AND COMPLIANCE
* Email Encryption and Data Loss Prevention
* Cloud-to-Cloud Backup
* Cloud Archiving Service
* Data Inspector
AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
APPLICATION PROTECTION
Protect all your web apps and APIs with one comprehensive platform.
* USE CASES
* Web Application Protection
* API Protection
* Full Spectrum DDoS Protection
* Advanced Bot Protection
* Secure App Delivery
* Reporting & Analytics
* Free Website Vulnerability Scan
* DEPLOYMENT OPTIONS
* Web Application Firewall
* WAF-as-a-Service
AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
Barracuda Network Protection
Protect and optimize your network.
* USE CASES
* Secure Access Service Edge
* Next-Generation Security
* Secure SD-WAN
* Zero Trust Access
* Web Security
* Industrial Security
* PRODUCTS
* SecureEdge
* Build and Price
* CloudGen Firewall
* Build and Price
* CloudGen Access
* Web Security Gateway
AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
Backup
* Build and Price
Cloud-to-Cloud Backup
* Build and Price
Data Inspector
* Free Scan
AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
Barracuda Managed XDR
New
Rapidly mature your cybersecurity posture with comprehensive
cybersecurity-as-a-service.
* Get a Consultation
AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
Ransomware protection
Zero Trust Access
Block Spear Phishing Attacks
Build your Ransomware Protection
Manufacturing
New
Retail
Education
Healthcare
Financial Services
State and Local Government
Build your Ransomware Protection
On-Premises Deployment Options
SaaS Deployments
Microsoft 365
Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)
Build your Ransomware Protection
Barracuda Security Insights
Top 13 Email Threat Types
Advanced Threat Protection
Cyber Liability Insurance
Build your Ransomware Protection
Support Plans and Packages
Energize Updates
Instant Replacement
Hardware Refresh
Barracuda Campus Training
Contact Support Downloads Product Login Customer Support Login
Documentation
Knowledgebase
Glossary
Barracuda Security Policies
Contact Support Downloads Product Login Customer Support Login
Join the Barracuda Community
Contact Support
Downloads
Free Trials
Contact Support Downloads Product Login Customer Support Login
PARTNER PORTAL LOGIN
Program Overview
Resale Partners
MSP Partners
Technology Partners
Partner Portal Login Become a Partner
Program Overview
We are a trusted partner and leading provider of cloud-enabled security
solutions. We listen closely to understand what’s most important to our partners
and customers. Unlike any other security company, we provide solutions and
support that grow and adapt to their journey. Grow your business, boost profits,
and protect customers throughout their journey.
Partner Application Form
Partner Portal Login Become a Partner
By working with a Barracuda partner, you get the knowledge and expertise you
need to find just the right products and solutions to protect and support your
business. As an extension of the Barracuda sales and support organization, our
partners provide you with hands-on guidance, service and support to help meet
your IT-security needs.
Find a partner
Partner Portal Login Become a Partner
About Us
Leadership
Customers
Barracuda Insiders
Careers
Engineering
Contact Us
Contact Us
News Room
Blog
Awards
Events
Webcast: Below the Surface
Contact Us
Trust Center
Privacy Policy
Legal Terms, Conditions and Warranties
Supplier Terms
Contact Us
* FREE TRIAL
*
* Partner Portal Login Product Login
--------------------------------------------------------------------------------
Customer Support Community Partner Support Community
* +1 888 268 4772 Live Chat
* English
German French 日本語
*
* Products
* Solutions
* Support
* Partners
* Company
CYBERSECURITY PLATFORM
EMAIL PROTECTION
APPLICATION PROTECTION
NETWORK PROTECTION
DATA PROTECTION
MANAGED XDR
The Barracuda Cybersecurity Platform Cyberattacks can come from anywhere.
Barracuda protects you everywhere. Stop modern attacks whether they hit your
email, applications, network, or data.
--------------------------------------------------------------------------------
EXPLORE THE PLATFORM
Barracuda Email Protection Complete security that stops all 13 email threat
types and protects Microsoft 365 data. Get started in minutes.
--------------------------------------------------------------------------------
THREAT PREVENTION
* Spam, Malware, and Advanced Threat Protection
* Phishing and Impersonation Protection
* Account Takeover Protection
* Domain Fraud Protection
* Web Security
* Zero Trust Access for Microsoft 365
Email Threat Scan
POST-DELIVERY DETECTION AND RESPONSE
* Incident Response
* Security Awareness Training
DATA PROTECTION AND COMPLIANCE
* Email Encryption and Data Loss Prevention
* Cloud-to-Cloud Backup
* Cloud Archiving Service
* Data Inspector
Application Protection Protect all your web apps and APIs with one comprehensive
platform.
--------------------------------------------------------------------------------
USE CASES
Web Application Protection
API Protection
Full Spectrum DDoS Protection
Advanced Bot Protection
Secure App Delivery
Reporting & Analytics
Free Website Vulnerability Scan
DEPLOYMENT OPTIONS
Web Application Firewall
WAF-as-a-Service
Barracuda Network Protection Protect and optimize your network.
--------------------------------------------------------------------------------
USE CASES
Secure Access Service Edge
Next-Generation Security
Secure SD-WAN
Zero Trust Access
Web Security
Industrial Security
PRODUCTS
SecureEdge
Barracuda’s cloud-first SASE Platform
Build and Price
CloudGen Firewall
Build and Price
CloudGen Access
Web Security Gateway
Backup Protect data to minimize downtime and prevent data loss.
Build and Price
Cloud-to-Cloud Backup Get SaaS backup for your Microsoft 365 data with unlimited
storage.
Build and Price
Data Inspector Scan your Microsoft 365 for sensitive data and malware.
Free Scan
Barracuda Managed XDR New Rapidly mature your cybersecurity posture with
comprehensive cybersecurity-as-a-service.
--------------------------------------------------------------------------------
Get a Consultation
All Products A-Z Azure Solutions AWS Solutions SaaS Solutions On-Premises
Solutions
Build your Ransomware Protection
FEATURED SOLUTIONS
INDUSTRIES
DEPLOYMENTS
TECHNOLOGIES
Ransomware Protection
Protect your business and users from ransomware attacks in three easy steps.
LEARN MORE
Phishing Protection
Our advanced AI blocks the most advanced email impersonation attacks from
reaching your users.
LEARN MORE
Zero Trust Access
Secure access to your applications and data from any device – safer than VPN!
LEARN MORE
Manufacturing New Secure industrial assets and IT control systems from
ransomware and advanced cyberthreats.
Retail Protect your customers and brand from advanced cyber threats.
Education Protect students and faculty from ransomware and other cyber attacks.
Ensure compliance with safe learning regulations.
Healthcare Protect patient data and avoid disruptions that could affect patient
care.
Financial Services Financial services are a prime target for cyber attacks.
Learn how Barracuda can help.
State and Local Government Explore how Barracuda protects state and local
government websites and data.
On-Premises Deployment Options Protect your physical locations with
cloud-connected appliances and software that can be deployed on premises or in
the cloud.
SaaS Deployments Deploy simple and scalable security with no software or
hardware to install.
Microsoft 365 Protect all your email, SharePoint, OneDrive, and Teams data with
protection that goes far beyond what is built into Microsoft 365.
Amazon Web Services (AWS) Browse our security and network solutions designed
specifically for AWS.
Microsoft Azure Get security and networking solutions that are deployed natively
in Microsoft Azure.
Google Cloud Platform (GCP) Check out our security products for Google Cloud
Platform.
Barracuda Security Insights Check out our real-time view of global cyber
threats, collected from millions of data points.
Top 13 Email Threat Types Learn how to protect your organization from all 13
types of email attacks.
Advanced Threat Protection Stop zero-hour and advanced attacks that evade
traditional detection techniques.
Cyber Liability Insurance Protect your business and support your cyber insurance
policy.
All Solutions
Build your Ransomware Protection
SERVICES
Support Plans and Packages
Energize Updates
Instant Replacement
Barracuda Campus Training
TECHNICAL INFORMATION
Documentation
Knowledgebase
Glossary
Barracuda Security Policies
QUICK LINKS
Join the Barracuda Community
Contact Support
Downloads
Free Trials
Contact Support Downloads Product Login Customer Support Login
EXISTING PARTNERS
BECOME A PARTNER
FIND A PARTNER
ENGAGE WITH BARRACUDA
PARTNER PORTAL LOGIN
PARTNER PROGRAMS
Program Overview
Resale Partners
MSP Partners
Technology Partners
BECOME A PARTNER
Program Overview We are a trusted partner and leading provider of cloud-enabled
security solutions. We listen closely to understand what’s most important to our
partners and customers. Unlike any other security company, we provide solutions
and support that grow and adapt to their journey. Grow your business, boost
profits, and protect customers throughout their journey.
--------------------------------------------------------------------------------
Partner Application Form
FIND A PARTNER
By working with a Barracuda partner, you get the knowledge and expertise you
need to find just the right products and solutions to protect and support your
business. As an extension of the Barracuda sales and support organization, our
partners provide you with hands-on guidance, service and support to help meet
your IT-security needs.
--------------------------------------------------------------------------------
Find a Partner
WHO WE ARE
About Us
Leadership
Customers
Barracuda Insiders
Careers
Engineering
Contact Us
NEWS AND EVENTS
News Room
Blog
Awards
Events
Webcast: Below the Surface
LEGAL
Trust Center
Privacy Policy
Legal Terms, Conditions and Warranties
Supplier Terms
1. Company
2. /
3. Legal
4. /
5. Barracuda Email Security Gateway Appliance (ESG) Vulnerability
BARRACUDA EMAIL SECURITY GATEWAY APPLIANCE (ESG) VULNERABILITY
WE ARE COMMITTED TO
SECURING YOUR DATA
BARRACUDA EMAIL SECURITY GATEWAY APPLIANCE (ESG) VULNERABILITY
DECEMBER 24th, 2023:
In our ongoing investigation, Barracuda has determined that a threat actor has
utilized an Arbitrary Code Execution (ACE) vulnerability within a third party
library, Spreadsheet::ParseExcel, to deploy a specially crafted Excel email
attachment to target a limited number of ESG devices. Spreadsheet::ParseExcel is
an open source library used by the Amavis virus scanner within the ESG
appliance. Barracuda, working in collaboration with Mandiant, assesses this
activity is attributable to continued operations of the China nexus actor
tracked as UNC4841.
On December 21, 2023, Barracuda deployed a security update to all active ESGs to
address the ACE vulnerability in Spreadsheet::ParseExcel. The security update
has been automatically applied, requiring no action by the customer.
Following UNC4841’s exploitation of the ACE vulnerability (CVE-2023-7102),
Barracuda has observed new variants of SEASPY and SALTWATER malware deployed to
a limited number of ESG devices. On December 22, 2023, Barracuda deployed a
patch to remediate compromised ESG appliances which exhibited indicators of
compromise related to the newly identified malware variants.
No action is required by customers at this time, and our investigation is
ongoing.
Barracuda has filed CVE-2023-7102 in relation to Barracuda’s use of
Spreadsheet::ParseExcel which has been patched. In addition, in order to
increase public awareness of the ACE vulnerability in Spreadsheet::ParseExcel,
Barracuda has filed CVE-2023-7101. At the time of this update, there is no known
patch or update available to remediate CVE-2023-7101 within the open source
library. For organizations utilizing Spreadsheet::ParseExcel in their own
products or services, we recommend reviewing CVE-2023-7101 and promptly taking
necessary remediation measures.
To assist organizations with hunting activity related to this UNC4841 activity.
Indicators of Compromise have been added to the IOC tables below.
Current Indicators of Compromise (IOCs)
Host IOCs
Malware MD5 Hash SHA256 File Name(s) File Type CVE-2023-7102 XLS Document
2b172fe3329260611a9022e71acdebca 803cb5a7de1fe0067a9eeb220dfc24ca
56f3f571a986180e146b6cf387855bdd ads2.xls xls CVE-2023-7102 XLS Document
e7842edc7868c8c5cf0480dd98bcfe76 952c5f45d203d8f1a7532e5b59af8e330
6b5c1c53a30624b6733e0176d8d1acd don.xls xls CVE-2023-7102 XLS Document
e7842edc7868c8c5cf0480dd98bcfe76 952c5f45d203d8f1a7532e5b59af8e330
6b5c1c53a30624b6733e0176d8d1acd personalbudget.xls xls SEASPY
7b83e4bd880bb9d7904e8f553c2736e3 118fad9e1f03b8b1abe00529c61dc3edf
da043b787c9084180d83535b4d177b7 wifi-service x-executable SALTWATER
d493aab1319f10c633f6d223da232a27 34494ecb02a1cccadda1c7693c45666e1
fe3928cc83576f8f07380801b07d8ba mod_tll.so x-sharedlib
Network IOCs
IP Address ASN Location 23.224.99.242 40065 US 23.224.99.243 40065 US
23.224.99.244 40065 US 23.224.99.245 40065 US 23.224.99.246 40065 US
23.225.35.234 40065 US 23.225.35.235 40065 US 23.225.35.236 40065 US
23.225.35.237 40065 US 23.225.35.238 40065 US 107.148.41.146 398823 US
AUGUST 29th, 2023:
Today, Mandiant published an updated blog
post (https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation)
which further analyzed the actions of the Chinese-nexus threat group tracked as
UNC4841. As noted in the blog, Mandiant and Barracuda have not identified any
newly compromised ESG appliances post release of a security patch on May 20,
2023.which remediated the zero day ESG vulnerability (CVE-2023-2868). Mandiant
assesses a limited number of previously impacted victims that have not followed
Barracuda’s guidance to replace their impacted appliances may still face risk
associated with this.
Barracuda continues to recommend that impacted customers replace their
compromised appliance. Only a limited number of ESG appliances worldwide were
compromised and impacted customers have been notified to replace the appliances.
Barracuda is providing the replacement product to impacted customers at no cost.
No other Barracuda product, including Barracuda’s SaaS email solutions, were
impacted by this vulnerability.
JULY 28th, 2023:
While our investigation is still ongoing, Barracuda in conjunction with
Mandiant, analyzed the additional malware code named SUBMARINE by CISA in its
report issued on July 28, 2023
( https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors).
This additional malware was utilized by the threat actor in response to
Barracuda’s remediation actions in an attempt to create persistent access on
customer ESG appliances. This malware appeared on a very small number of already
compromised ESG appliances. Barracuda’s recommendation is unchanged. Customers
should discontinue use of the compromised ESG appliance and contact Barracuda
support (support@barracuda.com) to obtain a new ESG virtual or hardware
appliance.
JUNE 15th, 2023:
Barracuda ESG Appliance Vulnerability Status Update
While our investigation is still ongoing, Barracuda now has a more comprehensive
understanding of the incident, including that exploitation occurred on a subset
of compromised Barracuda Email Security Gateway (ESG) appliances by an
aggressive and highly skilled actor conducting targeted activity which, as
reported by Mandiant, has suspected links to China. Consistent with our previous
updates, we are sharing additional technical details to support our customers
and partners. We are also publishing additional indicators of compromise that
organizations can leverage for their network defenses.
For more technical details on the Barracuda ESG Zero-Day Vulnerability
(CVE-2023-2868), please read Mandiant’s blog at
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally. Along
with this blog post, Mandiant has produced detailed Hardening Recommendations to
assist organizations with this event.
Attribution
Mandiant assessed with high confidence that the threat actor, identified as
UNC4841, who exploited the ESG zero-day vulnerability conducted targeted
information gathering activity from a subset of organizations in support of the
People’s Republic of China.
Our priority throughout this incident has been transparency around what we know
as well as the actions we’ve taken. As discussed in our guidance released on May
31, 2023, and reiterated on June 6, 2023, we recommend immediate replacement of
compromised ESG appliances, regardless of patch level.
JUNE 15th, 2023:
Current Indicators of Compromise (IOCs)
Network IOCs
IP Address ASN Netblock Location 101.229.146.218 4812 China Telecom CN
103.146.179.101 136933 Gigabitbank Global HK 103.27.108.62 132883 Topway Global
Limited HK 103.77.192.13 10222 Multibyte Info Technology Limited HK
103.77.192.88 10222 Multibyte Info Technology Limited HK 103.93.78.142 61414
Edgenap Ltd JP 104.156.229.226 20473 Choopa, LLC US 104.223.20.222 8100 CloudVPS
US 107.148.149.156 399195 Pegtechinc-ap-04 US 107.148.219.227 54600 Peg Tech US
107.148.219.53 54600 Peg Tech US 107.148.219.54 54600 Peg Tech US 107.148.219.55
54600 Peg Tech US 107.148.223.196 54600 Peg Tech US 107.173.62.158 20278 Nexeon
Technologies US 137.175.19.25 54600 Peg Tech US 137.175.28.251 54600 Peg Tech US
137.175.30.36 54600 Peg Tech US 137.175.30.86 54600 Peg Tech US 137.175.51.147
54600 Peg Tech US 137.175.53.17 54600 Peg Tech US 137.175.53.170 54600 Peg Tech
US 137.175.53.218 54600 Peg Tech US 137.175.60.252 54600 Peg Tech US
137.175.60.253 54600 Peg Tech US 137.175.78.66 54600 Peg Tech US 139.84.227.9
20473 Choopa, LLC ZA 155.94.160.72 8100 CloudVPS US 182.239.114.135 9231 China
Mobile Hong Kong HK 182.239.114.254 9231 China Mobile Hong Kong HK
192.74.226.142 54600 Peg Tech CN 192.74.254.229 54600 Peg Tech US 198.2.254.219
54600 Peg Tech US 198.2.254.220 54600 Peg Tech US 198.2.254.221 54600 Peg Tech
US 198.2.254.222 54600 Peg Tech US 198.2.254.223 54600 Peg Tech US 199.247.23.80
20473 Choopa, LLC DE 213.156.153.34 202422 G-Core Labs S.A. US 216.238.112.82
20473 Choopa, LLC BR 23.224.42.29 40065 Cnservers LLC US 23.224.78.130 40065
Cnservers LLC US 23.224.78.131 40065 Cnservers LLC US 23.224.78.132 40065
Cnservers LLC US 23.224.78.133 40065 Cnservers LLC US 23.224.78.134 40065
Cnservers LLC US 37.9.35.217 202422 G-Core Labs S.A. US 38.54.113.205 138915
Kaopu Cloud HK Limited MY 38.54.1.82 138915 Kaopu Cloud HK Limited SG
38.60.254.165 174 Cogent Communications US 45.63.76.67 20473 Choopa, LLC US
52.23.241.105 14618 Amazon.com US 64.176.4.234 20473 Choopa, LLC US 64.176.7.59
20473 Choopa, LLC US 23.224.99.246 33330,133131 US 23.225.35.236 33330,133131
US
Domain bestfindthetruth.com fessionalwork.com gesturefavour.com goldenunder.com
singamofing.com singnode.com togetheroffway.com troublendsef.com
Endpoint IOCs
Filename Hash Type 0d67f50a0bf7a3a017784146ac41ada0 snapshot.tar Payload
Attachment 42722b7d04f58dcb8bd80fe41c7ea09e 11111.tar Payload Attachment
5392fb400bd671d4b185fb35a9b23fd3 imgdata.jpg Payload Attachment
ac4fb6d0bfc871be6f68bfa647fc0125 snapshot.tar Payload Attachment
878cf1de91f3ae543fd290c31adcbda4 snapshot.tar Payload Attachment
b601fce4181b275954e3f35b18996c92 install_reuse.tar SALTWATER install
827d507aa3bde0ef903ca5dec60cdec8 mod_udp.so SALTWATER variant
c56d7b86e59c5c737ee7537d7cf13df1 autoins SALTWATER install
6f79ef58b354fd33824c96625590c244 intent_reuse SALTWATER install
349ca242bc6d2652d84146f5f91c3dbb intentbas SALTWATER install
1fea55b7c9d13d822a64b2370d015da7 mod_udp.so SALTWATER variant
64c690f175a2d2fe38d3d7c0d0ddbb6e mod_udp.so SALTWATER variant
4cd0f3219e98ac2e9021b06af70ed643 mod_udp.so SALTWATER variant
3b93b524db66f8bb3df8279a141734bb mod_rtf.so SALTWATER variant
8fdf3b7dc6d88594b8b5173c1aa2bc82 mod_rft.so SALTWATER Variant
4ec4ceda84c580054f191caa09916c68 mod_rft.so SALTWATER variant
1b1830abaf95bd5a44aa3873df901f28 mod_rft.so SALTWATER variant
4ca4f582418b2cc0626700511a6315c0 BarracudaMailService SEASPY Variant
c528b6398c86f8bdcfa3f9de7837ebfe update_v2.sh SEASPY Install
2d841cb153bebcfdee5c54472b017af2 rc SEASPY launcher
c979e8651c1f40d685be2f66e8c2c610 rc SEASPY launcher
1c042d39ca093b0e7f1412453b132076 rc SEASPY launcher
ba7af4f98d85e5847c08cf6cefdf35dc rc SEASPY launcher
82eaf69de710abdc5dea7cd5cb56cf04 BarracudaMailService SEASPY Variant
e80a85250263d58cc1a1dc39d6cf3942 BarracudaMailService SEASPY Variant
5d6cba7909980a7b424b133fbac634ac BarracudaMailService SEASPY Variant
1bbb32610599d70397adfdaf56109ff3 BarracudaMailService SEASPY Variant
4b511567cfa8dbaa32e11baf3268f074 BarracudaMailService SEASPY Variant
a08a99e5224e1baf569fda816c991045 BarracudaMailService SEASPY Variant
19ebfe05040a8508467f9415c8378f32 BarracudaMailService SEASPY Variant
831d41ba2a0036540536c2f884d089f9 sendscd SEASPY Variant
db4c48921537d67635bb210a9cb5bb52 BarracudaMailService SEASPY Variant
694cdb49879f1321abb4605adf634935 install_bvp74_auth.tar SEASPY install
5fdee67c82f5480edfa54afc5a9dc834 install_bvp74_auth.tar SEASPY install
8fc03800c1179a18fbd58d746596fa7d update_version SEASPY launcher
17696a438387248a12cc911fbae8620e resize_risertab SEASPY launcher
4c1c2db989e0e881232c7748593d291e update_version SEASPY launcher
3e3f72f99062255d6320d5e686f0e212 update_version SEASPY launcher
7d7fd05b262342a9e8237ce14ec41c3b update_version SEASPY launcher
2e30520f8536a27dd59eabbcb8e3532a update_version SEASPY launcher
0245e7f9105253ecb30de301842e28e4 update_version SEASPY launcher
0c227990210e7e9d704c165abd76ebe2 update_version SEASPY launcher
c7a89a215e74104682880def469d4758 update_version SEASPY launcher
1bc5212a856f028747c062b66c3a722a update_version SEASPY launcher
a45ca19435c2976a29300128dc410fd4 update_version SEASPY launcher
132a342273cd469a34938044e8f62482 update_version SEASPY launcher
23f4f604f1a05c4abf2ac02f976b746b resize2fstab SEASPY Variant
45b79949276c9cb9cf5dc72597dc1006 resize_reisertab SEASPY Variant
bef722484288e24258dd33922b1a7148 resize2fstab SEASPY Variant
0805b523120cc2da3f71e5606255d29c resize_reisertab SEASPY Variant
69ef9a9e8d0506d957248e983d22b0d5 resize2fstab SEASPY Variant
3c20617f089fe5cc9ba12c43c6c072f5 resize2fstab SEASPY Variant
76811232ede58de2faf6aca8395f8427 resize2fstab SEASPY Variant
f6857841a255b3b4e4eded7a66438696 resize_reisertab SEASPY Variant
2ccb9759800154de817bf779a52d48f8 install_helo.tar SEASIDE Install
cd2813f0260d63ad5adf0446253c2172 mod_require_helo.lua SEASIDE variant
177add288b289d43236d2dba33e65956 rverify WHIRLPOOL VARIANT
87847445f9524671022d70f2a812728f mod_content.lua SKIPJACK
35cf6faf442d325961935f660e2ab5a0 mod_attachment.lua SEASPRAY
ce67bb99bc1e26f6cb1f968bc1b1ec21 install_att_v2.tar SEASPRAY install
e4e86c273a2b67a605f5d4686783e0cc mknod SKIPJACK Persistence
ad1dc51a66201689d442499f70b78dea get_fs_info.pl SKIPJACK Persistence
9033dc5bac76542b9b752064a56c6ee4 nfsd_stub.ko SANDBAR
e52871d82de01b7e7f134c776703f696 rverify WHIRLPOOL Variant
446f3d71591afa37bbd604e2e400ae8b mknod SEASPRAY Persistence
666da297066a2596cacb13b3da9572bf mod_sender.lua SEASPRAY
436587bad5e061a7e594f9971d89c468 saslautchd WHIRLPOOL Variant
85c5b6c408e4bdb87da6764a75008adf rverify WHIRLPOOL Variant
407738e565b4e9dafb07b782ebcf46b0 test1.sh Reverse shell cronjob
cb0f7f216e8965f40a724bc15db7510b update_v35.sh Bash Script N/A - multiple
version identified 1.sh Bash Script 19e373b13297de1783cecf856dc48eb0 cl proxy
client N/A aacore.sh reverse shell cronjob N/A appcheck.sh reverse shell cronjob
881b7846f8384c12c7481b23011d8e45 update_v31.sh Bash Script
f5ab04a920302931a8bd063f27b745cc intent_helo Bash Script N/A p Named pipe used
in reverse shell N/A p7 Named pipe used in reverse shell N/A t Named pipe used
in reverse shell N/A core.sh Reverse shell cronjob N/A p1 Named pipe used in
reverse shell 177add288b289d43236d2dba33e65956 pd WHIRLPOOL Variant N/A b Named
pipe used in reverse shell d098fe9674b6b4cb540699c5eb452cb5 test.sh Reverse
shell cronjob N/A ss Named pipe used in reverse shell
Detection Rules
Yara
rule M_Hunting_Exploit_Archive_2
{
meta:
author = "Mandiant"
description = "Hunting rule looking for TAR archives with /tmp/ base64
encoded being part of filename of enclosed files"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_tmp = "/tmp/" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_tmp in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_3
{
meta:
author = "Mandiant"
description = "Hunting rule looking for TAR archive with openssl base64
encoded being part of filename of enclosed files"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_openssl = "openssl" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_openssl in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_CVE_2023_2868
{
meta:
author = "Mandiant"
description = "Hunting rule looking for TAR archive with single
quote/backtick as start of filename of enclosed files. CVE-2023-2868"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
strings:
$ustar = { 75 73 74 61 72 }
$qb = "'`"
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$qb at (@ustar[i] + 255)
)
}
rule M_Hunting_Linux_SALTWATER_1
{
meta:
author = "Mandiant"
description = "Hunting rule looking for strings observed in SALTWATER
samples."
md5 = "827d507aa3bde0ef903ca5dec60cdec8"
strings:
$s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
$s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
$s3 = { 71 75 69 74 0D 0A 00 00 00 12 8D 03 07 9C 17 92 08 F0 0C 9A 01
06 08 00 1A 0C 0B 8D 18 0A 0D 0A }
condition:
uint32(0) == 0x464c457f and any of them
}
rule M_Hunting_Linux_SALTWATER_2
{
meta:
author = "Mandiant"
description = "Hunting rule looking for strings observed in SALTWATER
samples."
md5 = "827d507aa3bde0ef903ca5dec60cdec8"
strings:
$c1 = "TunnelArgs"
$c2 = "DownloadChannel"
$c3 = "UploadChannel"
$c4 = "ProxyChannel"
$c5 = "ShellChannel"
$c6 = "MyWriteAll"
$c7 = "MyReadAll"
$c8 = "Connected2Vps"
$c9 = "CheckRemoteIp"
$c10 = "GetFileSize"
$s1 = "[-] error: popen failed"
$s2 = "/home/product/code/config/ssl_engine_cert.pem"
$s3 = "libbindshell.so"
condition:
uint32(0) == 0x464c457f and (any of ($s*) or 4 of ($c*))
}
rule FE_Hunting_Linux_Funchook_FEBeta
{
meta:
author = "Mandiant"
description = "Hunting rule looking for strings observed in Funchook
library - https://github.com/kubo/funchook"
md5 = "827d507aa3bde0ef903ca5dec60cdec8"
strings:
$f = "funchook_"
$s1 = "Enter funchook_create()"
$s2 = "Leave funchook_create() => %p"
$s3 = "Enter funchook_prepare(%p, %p, %p)"
$s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
$s5 = "Enter funchook_install(%p, 0x%x)"
$s6 = "Leave funchook_install() => %d"
$s7 = "Enter funchook_uninstall(%p, 0x%x)"
$s8 = "Leave funchook_uninstall() => %d"
$s9 = "Enter funchook_destroy(%p)"
$s10 = "Leave funchook_destroy() => %d"
$s11 = "Could not modify already-installed funchook handle."
$s12 = " change %s address from %p to %p"
$s13 = " link_map addr=%p, name=%s"
$s14 = " ELF type is neither ET_EXEC nor ET_DYN."
$s15 = " not a valid ELF module %s."
$s16 = "Failed to protect memory %p (size=%"
$s17 = " protect memory %p (size=%"
$s18 = "Failed to unprotect memory %p (size=%"
$s19 = " unprotect memory %p (size=%"
$s20 = "Failed to unprotect page %p (size=%"
$s21 = " unprotect page %p (size=%"
$s22 = "Failed to protect page %p (size=%"
$s23 = " protect page %p (size=%"
$s24 = "Failed to deallocate page %p (size=%"
$s25 = " deallocate page %p (size=%"
$s26 = " allocate page %p (size=%"
$s27 = " try to allocate %p but %p (size=%"
$s28 = " allocate page %p (size=%"
$s29 = "Could not find a free region near %p"
$s30 = " -- Use address %p or %p for function %p"
condition:
uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}
rule M_Hunting_Linux_SEASPY_1
{
meta:
author = "Mandiant"
description = "Hunting rule looking for strings observed in SEASPY
samples."
md5 = "4ca4f582418b2cc0626700511a6315c0"
strings:
$s1 = "usage: ./BarracudaMailService <Network-Interface>. e.g.:
./BarracudaMailService eth0"
$s2 = "NO port code"
$s3 = "pcap_lookupnet: %s"
$s4 = "Child process id:%d"
$s5 = "[*]Success!"
$s6 = "enter open tty shell..."
condition:
uint32(0) == 0x464c457f and all of ($s*)
}
//
// SEASIDE
//
rule M_Hunting_Lua_SEASIDE_1
{
meta:
author = "Mandiant"
description = "Hunting rule looking for strings observed in SEASIDE
samples."
md5 = "cd2813f0260d63ad5adf0446253c2172"
strings:
$s1 = "function on_helo()"
$s2 = "local bindex,eindex = string.find(helo,'.onion')"
$s3 = "helosend = 'pd'..' '..helosend"
$s4 = "os.execute(helosend)"
condition:
(filesize < 1MB) and all of ($s*)
}
rule M_Hunting_SKIPJACK_1
{
meta:
author = "Mandiant"
description = "Hunting rule looking for strings observed in SKIPJACK
installation script."
md5 = "e4e86c273a2b67a605f5d4686783e0cc"
strings:
$str1 = "hdr:name() == 'Content-ID'" base64
$str2 = "hdr:body() ~= nil" base64
$str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")" base64
$str4 = "openssl aes-256-cbc" base64
$str5 = "mod_content.lua"
$str6 = "#!/bin/sh"
condition:
all of them
}
rule M_Hunting_Lua_SKIPJACK_2
{
meta:
author = "Mandiant"
description = "Hunting rule looking for strings observed in SKIPJACK
samples."
md5 = "87847445f9524671022d70f2a812728f"
strings:
$str1 = "hdr:name() == 'Content-ID'"
$str2 = "hdr:body() ~= nil"
$str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")"
$str4 = "openssl aes-256-cbc"
$str5 = "| base64 -d| sh 2>"
condition:
all of them
}
rule M_Hunting_Lua_SEASPRAY_1
{
meta:
author = "Mandiant"
description = "Hunting rule looking for strings observed in SEASPRAY
samples."
md5 = "35cf6faf442d325961935f660e2ab5a0"
strings:
$str1 = "string.find(attachment:filename(),'obt075') ~= nil"
$str2 = "os.execute('cp '..tostring(tmpfile)..'
/tmp/'..attachment:filename())"
$str3 = "os.execute('rverify'..' /tmp/'..attachment:filename())"
condition:
all of them
}
rule M_Hunting_Linux_WHIRLPOOL_1
{
meta:
author = "Mandiant"
description = "Hunting rule looking for strings observed in WHIRLPOOL
samples."
md5 = "177add288b289d43236d2dba33e65956"
strings:
$s1 = "error -1 exit" fullword
$s2 = "create socket error: %s(error: %d)\n" fullword
$s3 = "connect error: %s(error: %d)\n" fullword
$s4 = {C7 00 20 32 3E 26 66 C7 40 04 31 00}
$c1 = "plain_connect" fullword
$c2 = "ssl_connect" fullword
$c3 = "SSLShell.c" fullword
condition:
filesize < 15MB and uint32(0) == 0x464c457f and (all of ($s*) or all of
($c*))
}
Snort/Suricata
alert tcp any any -> <ESG_IP> [25,587] (msg:"M_Backdoor_SEASPY_oXmp"; flags:S;
dsize:>9; content:"oXmp"; offset:0; depth:4; threshold:type limit,track
by_src,count 1,seconds 3600; sid:1000000; rev:1;)
alert tcp any any -> <ESG_IP> [25,587] (msg:"M_Backdoor_SEASPY_TfuZ"; flags:S;
dsize:>9; content:"TfuZ"; offset:0; depth:4; threshold:type limit,track
by_src,count 1,seconds 3600; sid:1000001; rev:1;)
Suricata >= 5.0.4
alert tcp any any -> <ESG_IP> [25,587] (msg:"M_Backdoor_SEASPY_1358"; flags:S;
tcp.hdr; content:"|05 4e|"; offset:22; depth:2; threshold:type limit,track
by_src,count 1,seconds 3600; sid:1000002; rev:1;)
alert tcp any any -> <ESG_IP> [25,587] (msg:"M_Backdoor_SEASPY_58928"; flags:S;
tcp.hdr; content:"|e6 30|"; offset:28; depth:2;
byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count
1,seconds 3600; sid:1000003; rev:1;)
alert tcp any any -> <ESG_IP> [25,587] (msg:"M_Backdoor_SEASPY_58930"; flags:S;
tcp.hdr; content:"|e6 32|"; offset:28; depth:2;
byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative;
threshold:type limit,track by_src,count 1,seconds 3600; sid:1000004; rev:1;)
alert tcp any any -> <ESG_IP> [25,587] (msg:"M_Backdoor_SEASPY_60826"; flags:S;
tcp.hdr; content:"|ed 9a|"; offset:28; depth:2;
byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count
1,seconds 3600; sid:1000005; rev:1;)
alert tcp any any -> <ESG_IP> [25,587] (msg:"M_Backdoor_SEASPY_60828"; flags:S;
tcp.hdr; content:"|ed 9c|"; offset:28; depth:2;
byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative;
threshold:type limit,track by_src,count 1,seconds 3600; sid:1000006; rev:1;)
JUNE 6th, 2023 (Updated on JUNE 15th, 2023):
Action Notice: Compromised ESG appliances must be immediately replaced
regardless of patch version level. Only a subset of ESG appliances have shown
any known indicators of compromise, and are identified by a message in the
appliance User Interface.
If you have not replaced your appliance after receiving notice of compromise in
your UI, contact Barracuda support (support@barracuda.com).
Barracuda’s ESG appliance remediation recommendation for compromised appliances
continues to be replacement of the compromised ESG.
JUNE 1ST, 2023:
PRELIMINARY SUMMARY OF KEY FINDINGS
DOCUMENT HISTORY
Version/Date Notes 1.0: May 30, 2023 Initial Document 1.1 : June 1, 2023
Additional IOCs and rules included
Barracuda Networks’ priorities throughout this incident have been transparency
and to use this as an opportunity to strengthen our policies, practices, and
technology to further protect against future attacks. Although our investigation
is ongoing, the purpose of this document is to share preliminary findings,
provide the known Indicators of Compromise (IOCs), and share YARA rules to aid
our customers in their investigations, including with respect to their own
environments.
Timeline
* On May 18, 2023, Barracuda was alerted to anomalous traffic originating from
Barracuda Email Security Gateway (ESG) appliances.
* On May 18, 2023, Barracuda engaged Mandiant, leading global cyber security
experts, to assist in the investigation.
* On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-28681) in our
Email Security Gateway appliance (ESG).
* On May 20, 2023, a security patch to remediate the vulnerability was applied
to all ESG appliances worldwide.
* On May 21, 2023, a script was deployed to all impacted appliances to contain
the incident and counter unauthorized access methods.
* A series of security patches are being deployed to all appliances in
furtherance of our containment strategy.
Key Findings
While the investigation is still on-going, Barracuda has concluded the
following:
* The vulnerability existed in a module which initially screens the attachments
of incoming emails. No other Barracuda products, including our SaaS email
security services, were subject to the vulnerability identified.
* Earliest identified evidence of exploitation of CVE-2023-2868 is currently
October 2022.
* Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized
access to a subset of ESG appliances.
* Malware was identified on a subset of appliances allowing for persistent
backdoor access.
* Evidence of data exfiltration was identified on a subset of impacted
appliances..
Users whose appliances we believe were impacted have been notified via the ESG
user interface of actions to take. Barracuda has also reached out to these
specific customers. Additional customers may be identified in the course of the
investigation.
CVE-2023-2868
On May 19, 2023, Barracuda Networks identified a remote command injection
vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway
(appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability
stemmed from incomplete input validation of user supplied .tar files as it
pertains to the names of the files contained within the archive. Consequently, a
remote attacker could format file names in a particular manner that would result
in remotely executing a system command through Perl's qx operator with the
privileges of the Email Security Gateway product.
Barracuda's investigation to date has determined that a third party utilized the
technique described above to gain unauthorized access to a subset of ESG
appliances.
Malware
This section details the malware that has been identified to date, and to assist
in tracking, codenames for the malware have been assigned.
SALTWATER
SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that
contains backdoor functionality. The capabilities of SALTWATER include the
ability to upload or download arbitrary files, execute commands, as well as
proxy and tunneling capabilities.
Identified at path: /home/product/code/firmware/current/lib/smtp/modules on a
subset of ESG appliances.
The backdoor is implemented using hooks on the send, recv, close syscalls and
amounts to five components, most of which are referred to as “Channels” within
the binary. In addition to providing proxying capabilities, these components
exhibit backdoor functionality. The five (5) channels can be seen in the list
below.
* DownloadChannel
* UploadChannel
* ProxyChannel
* ShellChannel
* TunnelArgs
Mandiant is still analyzing SALTWATER to determine if it overlaps with any other
known malware families.
Table 1 below provides the file metadata related to a SALTWATER variant.
Name SHA256 mod_udp.so
1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4
MD5 File Type Size (Bytes) 827d507aa3bde0ef903ca5dec60cdec8 ELF x86 1,879,643
Table 1: SALTWATER variant metadata
SEASPY
SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda
Networks service and establishes itself as a PCAP filter, specifically
monitoring traffic on port 25 (SMTP) and port 587. SEASPY contains backdoor
functionality that is activated by a "magic packet".
Identified at path: /sbin/ on a subset of ESG appliances.
Mandiant analysis has identified code overlap between SEASPY and cd00r, a
publicly available backdoor.
Table 2 below provides the file metadata related to a SEASPY variant.
Name SHA256 BarracudaMailService
3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115
MD5 File Type Size (Bytes) 4ca4f582418b2cc0626700511a6315c0 ELF x64 2,924,217
Table 2: SEASPY variant metadata
SEASIDE
SEASIDE is a Lua based module for the Barracuda SMTP daemon (bsmtpd) that
monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP
address and port which it passes as arguments to an external binary that
establishes a reverse shell.
Table 3 below provides the file metadata related to a SEASIDE.
Name SHA256 mod_require_helo.lua
fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8
MD5 File Type Size (Bytes) cd2813f0260d63ad5adf0446253c2172 Lua module 2,724
Table 3: SEASIDE metadata
Recommendations For Impacted Customers
1. Ensure your ESG appliance is receiving and applying updates, definitions,
and security patches from Barracuda. Contact Barracuda support
(support@barracuda.com) to validate if the appliance is up to date.
2. Discontinue the use of the compromised ESG appliance and contact Barracuda
support (support@barracuda.com) to obtain a new ESG virtual or hardware
appliance.
3. Rotate any applicable credentials connected to the ESG appliance:
o Any connected LDAP/AD
o Barracuda Cloud Control
o FTP Server
o SMB
o Any private TLS certificates
4. Review your network logs for any of the IOCs listed below and any unknown
IPs. Contact compliance@barracuda.com if any are identified.
To support customers in the investigations of their environments, we are
providing a list of all endpoint and network indicators observed over the course
of the investigation to date. We have also developed a series of YARA rules that
can be found in the section below.
Endpoint IOCs
Table 4 lists the endpoint IOCs, including malware and utilities, attributed to
attacker activity during the investigation.
File Name MD5 Hash Type 1 appcheck.sh N/A Bash script 2 aacore.sh N/A
Bash script 3 1.sh N/A Bash script 4 mod_udp.so 827d507aa3bde0ef903ca5dec60cdec8
SALTWATER Variant 5 intent N/A N/A 6 install_helo.tar
2ccb9759800154de817bf779a52d48f8 TAR Package 7 intent_helo
f5ab04a920302931a8bd063f27b745cc Bash script 8 pd
177add288b289d43236d2dba33e65956 Reverse Shell 9 update_v31.sh
881b7846f8384c12c7481b23011d8e45 Bash script 10 mod_require_helo.lua
cd2813f0260d63ad5adf0446253c2172 SEASIDE 11 BarracudaMailService
82eaf69de710abdc5dea7cd5cb56cf04 SEASPY 12 BarracudaMailService
e80a85250263d58cc1a1dc39d6cf3942 SEASPY 13 BarracudaMailService
5d6cba7909980a7b424b133fbac634ac SEASPY 14 BarracudaMailService
1bbb32610599d70397adfdaf56109ff3 SEASPY 15 BarracudaMailService
4b511567cfa8dbaa32e11baf3268f074 SEASPY 16 BarracudaMailService
a08a99e5224e1baf569fda816c991045 SEASPY 17 BarracudaMailService
19ebfe05040a8508467f9415c8378f32 SEASPY 18 mod_udp.so
1fea55b7c9d13d822a64b2370d015da7 SALTWATER Variant 19 mod_udp.so
64c690f175a2d2fe38d3d7c0d0ddbb6e SALTWATER Variant 20 mod_udp.so
4cd0f3219e98ac2e9021b06af70ed643 SALTWATER Variant
Table 4: Endpoint IOCs
Network IOCs
Table 5 lists the network IOCs, including IP addresses and domain names,
attributed to attacker activity during the investigation.
Indicator ASN Location 1 xxl17z.dnslog.cn N/A N/A 2
mx01.bestfindthetruth.com N/A N/A 3 64.176.7.59 AS-CHOOPA US 4 64.176.4.234
AS-CHOOPA US 5 52.23.241.105 AMAZON-AES US 6 23.224.42.5 CloudRadium L.L.C US 7
192.74.254.229 PEG TECH INC US 8 192.74.226.142 PEG TECH INC US 9 155.94.160.72
QuadraNet Enterprises LLC US 10 139.84.227.9 AS-CHOOPA US 11 137.175.60.253 PEG
TECH INC US 12 137.175.53.170 PEG TECH INC US 13 137.175.51.147 PEG TECH INC US
14 137.175.30.36 PEG TECH INC US 15 137.175.28.251 PEG TECH INC US 16
137.175.19.25 PEG TECH INC US 17 107.148.219.227 PEG TECH INC US 18
107.148.219.55 PEG TECH INC US 19 107.148.219.54 PEG TECH INC US 20
107.148.219.53 PEG TECH INC US 21 107.148.219.227 PEG TECH INC US 22
107.148.149.156 PEG TECH INC US 23 104.223.20.222 QuadraNet Enterprises LLC US
24 103.93.78.142 EDGENAP LTD JP 25 103.27.108.62 TOPWAY GLOBAL LIMITED HK 26
137.175.30.86 PEGTECHINC US 27 199.247.23.80 AS-CHOOPA DE 28 38.54.1.82 KAOPU
CLOUD HK LIMITED SG 29 107.148.223.196 PEGTECHINC US 30 23.224.42.29 CNSERVERS
US 31 137.175.53.17 PEGTECHINC US 32 103.146.179.101 GIGABITBANK GLOBAL HK
Table 5: Network IOCs
YARA Rules
CVE-2023-2868
The following three (3) YARA rules can be used to hunt for the malicious TAR
file which exploits CVE-2023-2868:
rule M_Hunting_Exploit_Archive_2
{
meta:
description = "Looks for TAR archive with /tmp/ base64 encoded being
part of filename of enclosed files"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_tmp = "/tmp/" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_tmp in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_3
{
meta:
description = "Looks for TAR archive with openssl base64 encoded being
part of filename of enclosed files"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_openssl = "openssl" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_openssl in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_CVE_2023_2868
{
meta:
description = "Looks for TAR archive with single quote/backtick as
start of filename of enclosed files. CVE-2023-2868"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$qb = "'`"
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$qb at (@ustar[i] + 255)
)
}
SALTWATER
The following three (3) YARA rule can be used to hunt for SALTWATER:
rule M_Hunting_Linux_Funchook
{
strings:
$f = "funchook_"
$s1 = "Enter funchook_create()"
$s2 = "Leave funchook_create() => %p"
$s3 = "Enter funchook_prepare(%p, %p, %p)"
$s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
$s5 = "Enter funchook_install(%p, 0x%x)"
$s6 = "Leave funchook_install() => %d"
$s7 = "Enter funchook_uninstall(%p, 0x%x)"
$s8 = "Leave funchook_uninstall() => %d"
$s9 = "Enter funchook_destroy(%p)"
$s10 = "Leave funchook_destroy() => %d"
$s11 = "Could not modify already-installed funchook handle."
$s12 = " change %s address from %p to %p"
$s13 = " link_map addr=%p, name=%s"
$s14 = " ELF type is neither ET_EXEC nor ET_DYN."
$s15 = " not a valid ELF module %s."
$s16 = "Failed to protect memory %p (size=%"
$s17 = " protect memory %p (size=%"
$s18 = "Failed to unprotect memory %p (size=%"
$s19 = " unprotect memory %p (size=%"
$s20 = "Failed to unprotect page %p (size=%"
$s21 = " unprotect page %p (size=%"
$s22 = "Failed to protect page %p (size=%"
$s23 = " protect page %p (size=%"
$s24 = "Failed to deallocate page %p (size=%"
$s25 = " deallocate page %p (size=%"
$s26 = " allocate page %p (size=%"
$s27 = " try to allocate %p but %p (size=%"
$s28 = " allocate page %p (size=%"
$s29 = "Could not find a free region near %p"
$s30 = " -- Use address %p or %p for function %p"
condition:
filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}
rule M_Hunting_Linux_SALTWATER_1
{
strings:
$s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
$s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
condition:
filesize < 15MB and uint32(0) == 0x464c457f and any of them
}
rule M_Hunting_Linux_SALTWATER_2
{
strings:
$c1 = "TunnelArgs"
$c2 = "DownloadChannel"
$c3 = "UploadChannel"
$c4 = "ProxyChannel"
$c5 = "ShellChannel"
$c6 = "MyWriteAll"
$c7 = "MyReadAll"
$c8 = "Connected2Vps"
$c9 = "CheckRemoteIp"
$c10 = "GetFileSize"
$s1 = "[-] error: popen failed"
$s2 = "/home/product/code/config/ssl_engine_cert.pem"
$s3 = "libbindshell.so"
condition:
filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of
($c*))
}
The following SNORT rule can be used to hunt for SEASPY magic packets:
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY"; flags:S; dsize:>9;
content:"oXmp"; offset:0; depth:4; threshold:type limit,track by_src,count
1,seconds 3600; sid:1000000; rev:1;)
The following SNORT rules require Suricata 5.0.4 or newer and can be used to
hunt for SEASPY magic packets:
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_1358"; flags:S;
tcp.hdr; content:"|05 4e|"; offset:22; depth:2; threshold:type limit,track
by_src,count 1,seconds 3600; sid:1000001; rev:1;)
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58928"; flags:S;
tcp.hdr; content:"|e6 30|"; offset:28; depth:2;
byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count
1,seconds 3600; sid:1000002; rev:1;)
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58930"; flags:S;
tcp.hdr; content:"|e6 32|"; offset:28; depth:2;
byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative;
threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)
MAY 30TH, 2023:
PRELIMINARY SUMMARY OF KEY FINDINGS
Barracuda Networks priorities throughout this incident have been transparency
and to use this as an opportunity to strengthen our policies, practices, and
technology to further protect against future attacks. Although our investigation
is ongoing, the purpose of this document is to share preliminary findings,
provide the known Indicators of Compromise (IOCs), and share YARA rules to aid
our customers in their investigations, including with respect to their own
environments.
Timeline
* On May 18, 2023, Barracuda was alerted to anomalous traffic originating from
Barracuda Email Security Gateway (ESG) appliances.
* On May 18, 2023, Barracuda engaged Mandiant, leading global cyber security
experts, to assist in the investigation.
* On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-28681) in our
Email Security Gateway appliance (ESG).
* On May 20, 2023, a security patch to remediate the vulnerability was applied
to all ESG appliances worldwide.
* On May 21, 2023, a script was deployed to all impacted appliances to contain
the incident and counter unauthorized access methods.
* A series of security patches are being deployed to all appliances in
furtherance of our containment strategy.
Key Findings
While the investigation is still on-going, Barracuda has concluded the
following:
* The vulnerability existed in a module which initially screens the attachments
of incoming emails. No other Barracuda products, including our SaaS email
security services, were subject to the vulnerability identified.
* Earliest identified evidence of exploitation of CVE-2023-2868 is currently
October 2022.
* Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized
access to a subset of ESG appliances.
* Malware was identified on a subset of appliances allowing for persistent
backdoor access.
* Evidence of data exfiltration was identified on a subset of impacted
appliances.
Users whose appliances we believe were impacted have been notified via the ESG
user interface of actions to take. Barracuda has also reached out to these
specific customers. Additional customers may be identified in the course of the
investigation.
CVE-2023-2868
On May 19, 2023, Barracuda Networks identified a remote command injection
vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway
(appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability
stemmed from incomplete input validation of user supplied .tar files as it
pertains to the names of the files contained within the archive. Consequently, a
remote attacker could format file names in a particular manner that would result
in remotely executing a system command through Perl's qx operator with the
privileges of the Email Security Gateway product.
Barracuda's investigation to date has determined that a third party utilized the
technique described above to gain unauthorized access to a subset of ESG
appliances.
Malware
This section details the malware that has been identified to date.
SALTWATER
SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that
contains backdoor functionality. The capabilities of SALTWATER include the
ability to upload or download arbitrary files, execute commands, as well as
proxy and tunneling capabilities.
Identified at path: /home/product/code/firmware/current/lib/smtp/modules on a
subset of ESG appliances.
The backdoor is implemented using hooks on the send, recv, close syscalls and
amounts to five components, most of which are referred to as “Channels” within
the binary. In addition to providing backdoor and proxying capabilities, these
components exhibit classic backdoor functionality. The five (5) channels can be
seen in the list below.
* DownloadChannel
* UploadChannel
* ProxyChannel
* ShellChannel
* TunnelArgs
Mandiant is still analyzing SALTWATER to determine if it overlaps with any other
known malware families. Table 1 below provides the file metadata related to a
SALTWATER variant.
Table 1 below provides the file metadata related to a SALTWATER variant.
Name SHA256 mod_udp.so
1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4
MD5 File Type Size (Bytes) 827d507aa3bde0ef903ca5dec60cdec8 ELF x86 1,879,643
Table 1: SALTWATER variant metadata
SEASPY
SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda
Networks service and establishes itself as a PCAP filter, specifically
monitoring traffic on port 25 (SMTP). SEASPY also contains backdoor
functionality that is activated by a "magic packet".
Identified at path: /sbin/ on a subset of ESG appliances.
Mandiant analysis has identified code overlap between SEASPY and cd00r, a
publicly available backdoor.
Table 2 below provides the file metadata related to a SEASPY variant.
Name SHA256 BarracudaMailService
3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115
MD5 File Type Size (Bytes) 4ca4f582418b2cc0626700511a6315c0 ELF x64 2,924,217
Table 2: SEASPY variant metadata
SEASIDE
SEASIDE is a Lua based module for the Barracuda SMTP daemon (bsmtpd) that
monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP
address and port which it passes as arguments to an external binary that
establishes a reverse shell.
Table 3 below provides the file metadata related to a SEASIDE.
Name SHA256 mod_require_helo.lua
fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8
MD5 File Type Size (Bytes) cd2813f0260d63ad5adf0446253c2172 Lua module 2,724
Table 3: SEASIDE metadata
Recommendations For Impacted Customers
1. Ensure your ESG appliance is receiving and applying updates, definitions,
and security patches from Barracuda. Contact Barracuda support
(support@barracuda.com) to validate if the appliance is up to date.
2. Discontinue the use of the compromised ESG appliance and contact Barracuda
support (support@barracuda.com) to obtain a new ESG virtual or hardware
appliance.
3. Rotate any applicable credentials connected to the ESG appliance:
o Any connected LDAP/AD
o Barracuda Cloud Control
o FTP Server
o SMB
o Any private TLS certificates
4. Review your network logs for any of the IOCs listed below and any unknown
IPs. Contact compliance@barracuda.com if any are identified.
To support customers in the investigations of their environments, we are
providing a list of all endpoint and network indicators observed over the course
of the investigation to date. We have also developed a series of YARA rules that
can be found in the section below.
Endpoint IOCs
Table 4 lists the endpoint IOCs, including malware and utilities, attributed to
attacker activity during the investigation.
File Name MD5 Hash Type 1 appcheck.sh N/A Bash script 2 aacore.sh N/A
Bash script 3 1.sh N/A Bash script 4 mod_udp.so 827d507aa3bde0ef903ca5dec60cdec8
SALTWATER Variant 5 intent N/A N/A 6 install_helo.tar
2ccb9759800154de817bf779a52d48f8 TAR Package 7 intent_helo
f5ab04a920302931a8bd063f27b745cc Bash script 8 pd
177add288b289d43236d2dba33e65956 Reverse Shell 9 update_v31.sh
881b7846f8384c12c7481b23011d8e45 Bash script 10 mod_require_helo.lua
cd2813f0260d63ad5adf0446253c2172 SEASIDE 11 BarracudaMailService
82eaf69de710abdc5dea7cd5cb56cf04 SEASPY 12 BarracudaMailService
e80a85250263d58cc1a1dc39d6cf3942 SEASPY 13 BarracudaMailService
5d6cba7909980a7b424b133fbac634ac SEASPY 14 BarracudaMailService
1bbb32610599d70397adfdaf56109ff3 SEASPY 15 BarracudaMailService
4b511567cfa8dbaa32e11baf3268f074 SEASPY 16 BarracudaMailService
a08a99e5224e1baf569fda816c991045 SEASPY 17 BarracudaMailService
19ebfe05040a8508467f9415c8378f32 SEASPY 18 mod_udp.so
1fea55b7c9d13d822a64b2370d015da7 SALTWATER Variant 19 mod_udp.so
64c690f175a2d2fe38d3d7c0d0ddbb6e SALTWATER Variant 20 mod_udp.so
4cd0f3219e98ac2e9021b06af70ed643 SALTWATER Variant
Table 4: Endpoint IOCs
Network IOCs
Table 5 lists the network IOCs, including IP addresses and domain names,
attributed to attacker activity during the investigation.
Indicator ASN Location 1 xxl17z.dnslog.cn N/A N/A 2
mx01.bestfindthetruth.com N/A N/A 3 64.176.7.59 AS-CHOOPA US 4 64.176.4.234
AS-CHOOPA US 5 52.23.241.105 AMAZON-AES US 6 23.224.42.5 CloudRadium L.L.C US 7
192.74.254.229 PEG TECH INC US 8 192.74.226.142 PEG TECH INC US 9 155.94.160.72
QuadraNet Enterprises LLC US 10 139.84.227.9 AS-CHOOPA US 11 137.175.60.253 PEG
TECH INC US 12 137.175.53.170 PEG TECH INC US 13 137.175.51.147 PEG TECH INC US
14 137.175.30.36 PEG TECH INC US 15 137.175.28.251 PEG TECH INC US 16
137.175.19.25 PEG TECH INC US 17 107.148.219.227 PEG TECH INC US 18
107.148.219.55 PEG TECH INC US 19 107.148.219.54 PEG TECH INC US 20
107.148.219.53 PEG TECH INC US 21 107.148.219.227 PEG TECH INC US 22
107.148.149.156 PEG TECH INC US 23 104.223.20.222 QuadraNet Enterprises LLC US
24 103.93.78.142 EDGENAP LTD JP 25 103.27.108.62 TOPWAY GLOBAL LIMITED HK
Table 5: Network IOCs
YARA Rules
CVE-2023-2868
The following three (3) YARA rules can be used to hunt for the malicious TAR
file which exploits CVE-2023-2868:
rule M_Hunting_Exploit_Archive_2
{
meta:
description = "Looks for TAR archive with /tmp/ base64 encoded being
part of filename of enclosed files"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_tmp = "/tmp/" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_tmp in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_3
{
meta:
description = "Looks for TAR archive with openssl base64 encoded being
part of filename of enclosed files"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_openssl = "openssl" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_openssl in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_CVE_2023_2868
{
meta:
description = "Looks for TAR archive with single quote/backtick as
start of filename of enclosed files. CVE-2023-2868"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$qb = "'`"
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$qb at (@ustar[i] + 255)
)
}
SALTWATER
The following three (3) YARA rule can be used to hunt for SALTWATER:
rule M_Hunting_Linux_Funchook
{
strings:
$f = "funchook_"
$s1 = "Enter funchook_create()"
$s2 = "Leave funchook_create() => %p"
$s3 = "Enter funchook_prepare(%p, %p, %p)"
$s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
$s5 = "Enter funchook_install(%p, 0x%x)"
$s6 = "Leave funchook_install() => %d"
$s7 = "Enter funchook_uninstall(%p, 0x%x)"
$s8 = "Leave funchook_uninstall() => %d"
$s9 = "Enter funchook_destroy(%p)"
$s10 = "Leave funchook_destroy() => %d"
$s11 = "Could not modify already-installed funchook handle."
$s12 = " change %s address from %p to %p"
$s13 = " link_map addr=%p, name=%s"
$s14 = " ELF type is neither ET_EXEC nor ET_DYN."
$s15 = " not a valid ELF module %s."
$s16 = "Failed to protect memory %p (size=%"
$s17 = " protect memory %p (size=%"
$s18 = "Failed to unprotect memory %p (size=%"
$s19 = " unprotect memory %p (size=%"
$s20 = "Failed to unprotect page %p (size=%"
$s21 = " unprotect page %p (size=%"
$s22 = "Failed to protect page %p (size=%"
$s23 = " protect page %p (size=%"
$s24 = "Failed to deallocate page %p (size=%"
$s25 = " deallocate page %p (size=%"
$s26 = " allocate page %p (size=%"
$s27 = " try to allocate %p but %p (size=%"
$s28 = " allocate page %p (size=%"
$s29 = "Could not find a free region near %p"
$s30 = " -- Use address %p or %p for function %p"
condition:
filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}
rule M_Hunting_Linux_SALTWATER_1
{
strings:
$s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
$s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
condition:
filesize < 15MB and uint32(0) == 0x464c457f and any of them
}
rule M_Hunting_Linux_SALTWATER_2
{
strings:
$c1 = "TunnelArgs"
$c2 = "DownloadChannel"
$c3 = "UploadChannel"
$c4 = "ProxyChannel"
$c5 = "ShellChannel"
$c6 = "MyWriteAll"
$c7 = "MyReadAll"
$c8 = "Connected2Vps"
$c9 = "CheckRemoteIp"
$c10 = "GetFileSize"
$s1 = "[-] error: popen failed"
$s2 = "/home/product/code/config/ssl_engine_cert.pem"
$s3 = "libbindshell.so"
condition:
filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of
($c*))
}
MAY 23RD, 2023:
Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security
Gateway appliance (ESG) on May 19, 2023. A security patch to eliminate the
vulnerability was applied to all ESG appliances worldwide on Saturday, May 20,
2023. The vulnerability existed in a module which initially screens the
attachments of incoming emails. No other Barracuda products, including our SaaS
email security services, were subject to this vulnerability.
We took immediate steps to investigate this vulnerability. Based on our
investigation to date, we’ve identified that the vulnerability resulted in
unauthorized access to a subset of email gateway appliances. As part of our
containment strategy, all ESG appliances have received a second patch on May 21,
2023. Users whose appliances we believe were impacted have been notified via the
ESG user interface of actions to take. Barracuda has also reached out to these
specific customers.
We will continue actively monitoring this situation, and we will be transparent
in sharing details on what actions we are taking. Information gathering is
ongoing as part of the investigation. We want to ensure we only share validated
information with actionable steps for you to take. As we have information to
share, we will provide updates via this product status page
(https://status.barracuda.com) and direct outreach to impacted customers.
Updates are also located on Barracuda’s Trust Center
(https://www.barracuda.com/company/legal).
Barracuda’s investigation was limited to the ESG product, and not the customer’s
specific environment. Therefore, impacted customers should review their
environments and determine any additional actions they want to take.
Your trust is important to us. We thank you for your understanding and support
as we work through this issue and sincerely apologize for any inconvenience it
may cause. If you have any questions, please reach out to support@barracuda.com.
Privacy Policy | Website Terms & Conditions
© 2003 - 2024 Barracuda Networks, Inc.
All rights reserved.
*
*
*
*
*
*
Privacy Policy | Website Terms & Conditions
© 2003 - 2023 Barracuda Networks, Inc. All rights reserved.
* Legal Terms, Conditions and Warranties
* Cookie Preferences
SITE MAP
* Products
* Solutions
* Purchase
* Support
* Partners
* Company
* Glossary
* Site Map
OUR WEBSITES
* Threat Intelligence
* MSP Solutions
CONTACT US
* Phone: +1 888 268 4772
* Contact Sales
* Contact Support
* Contact Legal
* View More
CONNECT
* Facebook
* Twitter
* YouTube
* LinkedIn
* Instagram
* Corporate Blog
X
$H2
$hl
X
HOW BARRACUDA USES COOKIES
YOUR PRIVACY
YOUR PRIVACY
Barracuda Sites may request cookies to be set on your device. We use cookies to
let us know when you visit our Barracuda Sites, to understand how you interact
with us, to enrich and personalize your user experience, to enable social media
functionality and to customize your relationship with Barracuda, including
providing you with more relevant advertising. Note that blocking some types of
cookies may impact your experience on our Barracuda Sites and the services we
are able to offer.
* STRICTLY NECESSARY COOKIES
STRICTLY NECESSARY COOKIES
Always Active
Strictly Necessary Cookies
These cookies are necessary for the website to function and cannot be
switched off in our systems. They are usually only set in response to actions
made by you which amount to a request for services, such as setting your
privacy preferences, logging in or filling in forms. You can set your browser
to block or alert you about these cookies, but some parts of the site will
not then work.
* ANALYTICS COOKIES
ANALYTICS COOKIES
Analytics Cookies
These cookies help Barracuda to understand how visitors to our pages engage
within their session. Analytics Cookies assist in generating reporting site
usage statistics which do not personally identify individual users.
* PERFORMANCE COOKIES
PERFORMANCE COOKIES
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure
and improve the performance of our site. They help us to know which pages are
the most and least popular and see how visitors move around the site. If you
do not allow these cookies we will not know when you have visited our site,
and will not be able to monitor its performance.
* TARGETING COOKIES
TARGETING COOKIES
Targeting Cookies
These cookies may be set through our site by our advertising partners. They
may be used by those companies to build a profile of your interests and show
you relevant adverts on other sites. They do not directly identify you, but
are based on uniquely identifying your browser and internet device. If you do
not allow these cookies, you will experience less targeted advertising.
* FUNCTIONAL COOKIES
FUNCTIONAL COOKIES
Functional Cookies
These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then
some or all of these services may not function properly.
Back Button
ADVERTISING COOKIES
Filter Button
Consent Leg.Interest
Select All Vendors
Select All Vendors
Select All Hosts
Select All
* REPLACE-WITH-DYANMIC-HOST-ID
33ACROSS
33ACROSS
View Third Party Cookies
* Name
cookie name
* REPLACE-WITH-DYANMIC-VENDOR-ID
33ACROSS
3 Purposes
View Privacy Notice
33ACROSS
3 Purposes
View Privacy Notice
REPLACE-WITH-DYANMIC-VENDOR-ID
Consent Purposes
Location Based Ads
Consent Allowed
Legitimate Interest Purposes
Personalize
Require Opt-Out
Special Purposes
Location Based Ads
Features
Location Based Ads
Special Features
Location Based Ads
Clear Filters
Information storage and access
Apply
Confirm My Choices
COOKIE ACCEPTANCE
We use cookies to make our website work. We and our partners would also like to
set optional cookies for analytics purposes, as well as to measure and improve
the performance of the website, and to remember your preferences and provide you
enhanced functionality and personalization. Click on the Cookies Preferences
button to find out more and set your preferences.
Click on the Accept All button if you consent to the use of all such cookies. If
you choose to allow the use of such cookies, you will be able to withdraw your
consent at any time. Please refer to our Privacy Policy to better understand
your rights.Privacy Policy
Accept All Cookies
Cookie Preferences