www.barracuda.com Open in urlscan Pro
20.26.48.74  Public Scan

URL: https://www.barracuda.com/company/legal/esg-vulnerability
Submission: On June 12 via api from IN — Scanned from GB

Form analysis 2 forms found in the DOM

GET

<form class="cmp-header__mobile__search-form" accept-charset="utf-8" method="GET">
  <input class="cmp-header__mobile__search-form__input addsearch addsearch-written" type="text" data-analytics-id="search" autocomplete="off" size="20" name="addsearch" title="search" data-addsearch-field="true" id="mobile-search-input"
    aria-label="Search field" style="cursor: auto;">
</form>

GET

<form accept-charset="utf-8" class="cmp-header__top-menu__search-form" data-cmp-hook-header="desktopSearchForm" method="GET">
  <input type="text" data-analytics-id="search" autocomplete="off" size="20" data-cmp-hook-header="desktopSearchInput" class="cmp-header__top-menu__search-form__input addsearch addsearch-written" name="addsearch" title="search"
    data-addsearch-field="true" id="desktop-search-input" aria-label="Search field" style="cursor: auto;">
</form>

Text Content

Introducing Barracuda SecureEdge, enterprise-grade SASE for your business

MENU


HOME X
PRODUCTS SOLUTIONS SUPPORT PARTNERS COMPANY
13 Threat Types e-book Build your Ransomware Protection
Languages
EMAIL PROTECTION APPLICATION PROTECTION NETWORK SECURITY DATA PROTECTION MANAGED
XDR
AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
DEPLOYMENTS INDUSTRIES TECHNOLOGIES
13 Threat Types eBook Build your Ransomware Protection
SERVICES TECHNICAL INFORMATION QUICK LINKS
Contact Support Downloads Product Login Customer Support Login
Channel Partners
MSP Partners
Technology Partners
Find a Partner
Partner Portal Login Become a Partner
WHO WE ARE NEWS AND EVENTS LEGAL
Contact Us
English
Deutsch
Français
日本語
Email Protection
Complete security that stops all 13 email threat types and protects Microsoft
365 data. Get started in minutes.
   
 * THREAT PREVENTION
   
 * Spam, Malware, and Advanced Threat Protection
   
 * Phishing and Impersonation Protection
   
 * Account Takeover Protection
   
 * Domain Fraud Protection
   
 * Web Security
   
 * Zero Trust Access for Microsoft 365
   
 * Free Email Threat Scan
   
 * POST-DELIVERY DETECTION AND RESPONSE
   
 * Incident Response
   
 * Security Awareness Training
   
 * DATA PROTECTION AND COMPLIANCE
   
 * Email Encryption and Data Loss Prevention
   
 * Cloud-to-Cloud Backup
   
 * Cloud Archiving Service
   
 * Data Inspector

AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
APPLICATION PROTECTION
Protect all your web apps and APIs with one comprehensive platform.
   
 * USE CASES
   
 * Web Application Protection
   
 * API Protection
   
 * Full Spectrum DDoS Protection
   
 * Advanced Bot Protection
   
 * Secure App Delivery
   
 * Reporting & Analytics
   
 * Free Website Vulnerability Scan
   
 * DEPLOYMENT OPTIONS
   
 * Web Application Firewall
   
 * WAF-as-a-Service

AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
Barracuda Network Protection
Protect and optimize your network.
   
 * USE CASES
   
 * Secure Access Service Edge
   
 * Next-Generation Security
   
 * Secure SD-WAN
   
 * Zero Trust Access
   
 * Web Security
   
 * Industrial Security
   
 * PRODUCTS
   
 * SecureEdge
   New
   
 * CloudGen Firewall
   
 * CloudGen Access
   
 * Web Security Gateway
   
 * Build and Price

AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
Backup
   
 * Build and Price

Cloud-to-Cloud Backup
   
 * Build and Price

Data Inspector
   
 * Free Scan

AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
Barracuda Managed XDR
New
Rapidly mature your cybersecurity posture with comprehensive
cybersecurity-as-a-service.
AWS Solutions SaaS Solutions Azure Solutions On-premises Solutions All Products
A-Z
On-Premises Deployment Options
SaaS Deployments
Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)
13 Threat Types eBook Build your Ransomware Protection
Healthcare
Retail
Financial Services
Education
State and Local Government
13 Threat Types eBook Build your Ransomware Protection
Barracuda Security Insights
Top 13 Email Threat Types
Advanced Threat Protection
Ransomware
Microsoft 365
Cyber Liability Insurance
13 Threat Types eBook Build your Ransomware Protection
Support Plans and Packages
Energize Updates
Instant Replacement
Hardware Refresh
Barracuda Campus Training
Contact Support Downloads Product Login Customer Support Login
Documentation
Knowledgebase
Glossary
Barracuda Security Policies
Contact Support Downloads Product Login Customer Support Login
Join the Barracuda Community
Contact Support
Downloads
Free Trials
Contact Support Downloads Product Login Customer Support Login
Partner Portal Login Become a Partner
About Us
Leadership
Customers
Barracuda Insiders
Careers
Engineering
Contact Us
Contact Us
News Room
Blog
Awards
Events
Webcast: Below the Surface
Contact Us
Trust Center
Privacy Policy
Legal Terms, Conditions and Warranties
Contact Us
 * FREE TRIAL
 * 
 * Partner Portal Login Product Login
   
   --------------------------------------------------------------------------------
   
   Customer Support Community Partner Support Community
 * +1 888 268 4772 Live Chat
 * English
   German French 日本語

 * 
 * Products
 * Solutions
 * Support
 * Partners
 * Company

EMAIL PROTECTION
APPLICATION PROTECTION
NETWORK SECURITY
DATA PROTECTION
MANAGED XDR
Barracuda Email Protection Complete security that stops all 13 email threat
types and protects Microsoft 365 data. Get started in minutes.

--------------------------------------------------------------------------------

THREAT PREVENTION
 * Spam, Malware, and Advanced Threat Protection
 * Phishing and Impersonation Protection
 * Account Takeover Protection
 * Domain Fraud Protection
 * Web Security
 * Zero Trust Access for Microsoft 365

Email Threat Scan
POST-DELIVERY DETECTION AND RESPONSE
 * Incident Response
 * Security Awareness Training

DATA PROTECTION AND COMPLIANCE
 * Email Encryption and Data Loss Prevention
 * Cloud-to-Cloud Backup
 * Cloud Archiving Service
 * Data Inspector

Application Protection Protect all your web apps and APIs with one comprehensive
platform.

--------------------------------------------------------------------------------

USE CASES
Web Application Protection
API Protection
Full Spectrum DDoS Protection
Advanced Bot Protection
Secure App Delivery
Reporting & Analytics
Free Website Vulnerability Scan
DEPLOYMENT OPTIONS
Web Application Firewall
WAF-as-a-Service
Barracuda Network Protection Protect and optimize your network.

--------------------------------------------------------------------------------

USE CASES
Secure Access Service Edge
Next-Generation Security
Secure SD-WAN
Zero Trust Access
Web Security
Industrial Security
PRODUCTS

SecureEdge
Barracuda's new SASE platform
CloudGen Firewall
CloudGen Access
Web Security Gateway
Build and Price
Backup Protect data to minimize downtime and prevent data loss.
Build and Price
Cloud-to-Cloud Backup Get SaaS backup for your Microsoft 365 data with unlimited
storage.
Build and Price
Data Inspector Scan your Microsoft 365 for sensitive data and malware.
Free Scan
Barracuda Managed XDR Rapidly mature your cybersecurity posture with
comprehensive cybersecurity-as-a-service.
All Products A-Z Azure Solutions AWS Solutions SaaS Solutions On-Premises
Solutions
13 Email Threat Types e-book Build your Ransomware Protection
DEPLOYMENTS
INDUSTRIES
TECHNOLOGIES
On-Premises Deployment Options Protect your physical locations with
cloud-connected appliances and software that can be deployed on premises or in
the cloud.
SaaS Deployments Deploy simple and scalable security with no software or
hardware to install.
Amazon Web Services (AWS) Browse our security and network solutions designed
specifically for AWS.
Microsoft Azure Get security and networking solutions that are deployed natively
in Microsoft Azure.
Google Cloud Platform (GCP) Check out our security products for Google Cloud
Platform.
Healthcare Protect patient data and avoid disruptions that could affect patient
care.
Retail Protect your customers and brand from advanced cyber threats.
Financial Services Financial services are a prime target for cyber attacks.
Learn how Barracuda can help.
Education Protect students and faculty from ransomware and other cyber attacks.
Ensure compliance with safe learning regulations.
State and Local Government Explore how Barracuda protects state and local
government websites and data.
Barracuda Security Insights Check out our real-time view of global cyber
threats, collected from millions of data points.
Top 13 Email Threat Types Learn how to protect your organization from all 13
types of email attacks.
Advanced Threat Protection Stop zero-hour and advanced attacks that evade
traditional detection techniques.
Ransomware Protect your business and users from ransomware attacks in three easy
steps.
Microsoft 365 Protect all your email, SharePoint, OneDrive, and Teams data with
protection that goes far beyond what is built into Microsoft 365.
Cyber Liability Insurance Protect your business and support your cyber insurance
policy.
13 Email Threat Types e-book Build your Ransomware Protection
SERVICES
Support Plans and Packages
Energize Updates
Instant Replacement
Barracuda Campus Training
TECHNICAL INFORMATION
Documentation
Knowledgebase
Glossary
Barracuda Security Policies
QUICK LINKS
Join the Barracuda Community
Contact Support
Downloads
Free Trials
Contact Support Downloads Product Login Customer Support Login
Barracuda values partnership. We’re here to help you protect and support your
customers for life with enterprise-grade, cloud-ready security solutions.
PARTNER PORTAL
BECOME A PARTNER
Partners
Channel Partners
MSP Partners
Technology Partners
Find a Partner
Partner Login
WHO WE ARE
About Us
Leadership
Customers
Barracuda Insiders
Careers
Engineering
Contact Us
NEWS AND EVENTS
News Room
Blog
Awards
Events
Webcast: Below the Surface
LEGAL
Trust Center
Privacy Policy
Legal Terms, Conditions and Warranties



 1. Company
 2. Legal
 3. Barracuda Email Security Gateway Appliance (ESG) Vulnerability


BARRACUDA EMAIL SECURITY GATEWAY APPLIANCE (ESG) VULNERABILITY

WE ARE COMMITTED TO

SECURING YOUR DATA




BARRACUDA EMAIL SECURITY GATEWAY APPLIANCE (ESG) VULNERABILITY

JUNE 6th, 2023:

ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless
of patch version level. If you have not replaced your appliance after receiving
notice in your UI, contact support now (support@barracuda.com).  

Barracuda’s remediation recommendation at this time is full replacement of the
impacted ESG. 



JUNE 1ST, 2023:


PRELIMINARY SUMMARY OF KEY FINDINGS


DOCUMENT HISTORY

Version/Date Notes 1.0: May 30, 2023 Initial Document 1.1 : June 1, 2023
Additional IOCs and rules included

Barracuda Networks’ priorities throughout this incident have been transparency
and to use this as an opportunity to strengthen our policies, practices, and
technology to further protect against future attacks. Although our investigation
is ongoing, the purpose of this document is to share preliminary findings,
provide the known Indicators of Compromise (IOCs), and share YARA rules to aid
our customers in their investigations, including with respect to their own
environments.

Timeline

 * On May 18, 2023, Barracuda was alerted to anomalous traffic originating from
   Barracuda Email Security Gateway (ESG) appliances.
 * On May 18, 2023, Barracuda engaged Mandiant, leading global cyber security
   experts, to assist in the investigation.
 * On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-28681) in our
   Email Security Gateway appliance (ESG).
 * On May 20, 2023, a security patch to remediate the vulnerability was applied
   to all ESG appliances worldwide.
 * On May 21, 2023, a script was deployed to all impacted appliances to contain
   the incident and counter unauthorized access methods.
 * A series of security patches are being deployed to all appliances in
   furtherance of our containment strategy.

Key Findings

While the investigation is still on-going, Barracuda has concluded the
following:

 * The vulnerability existed in a module which initially screens the attachments
   of incoming emails. No other Barracuda products, including our SaaS email
   security services, were subject to the vulnerability identified.
 * Earliest identified evidence of exploitation of CVE-2023-2868 is currently
   October 2022.
 * Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized
   access to a subset of ESG appliances.
 * Malware was identified on a subset of appliances allowing for persistent
   backdoor access.
 * Evidence of data exfiltration was identified on a subset of impacted
   appliances..

Users whose appliances we believe were impacted have been notified via the ESG
user interface of actions to take. Barracuda has also reached out to these
specific customers. Additional customers may be identified in the course of the
investigation.

CVE-2023-2868

On May 19, 2023, Barracuda Networks identified a remote command injection
vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway
(appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability
stemmed from incomplete input validation of user supplied .tar files as it
pertains to the names of the files contained within the archive. Consequently, a
remote attacker could format file names in a particular manner that would result
in remotely executing a system command through Perl's qx operator with the
privileges of the Email Security Gateway product.

Barracuda's investigation to date has determined that a third party utilized the
technique described above to gain unauthorized access to a subset of ESG
appliances.

Malware

This section details the malware that has been identified to date, and to assist
in tracking, codenames for the malware have been assigned.

SALTWATER

SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that
contains backdoor functionality. The capabilities of SALTWATER include the
ability to upload or download arbitrary files, execute commands, as well as
proxy and tunneling capabilities.

Identified at path: /home/product/code/firmware/current/lib/smtp/modules on a
subset of ESG appliances.

The backdoor is implemented using hooks on the send, recv, close syscalls and
amounts to five components, most of which are referred to as “Channels” within
the binary. In addition to providing proxying capabilities, these components
exhibit backdoor functionality.  The five (5) channels can be seen in the list
below.

 * DownloadChannel
 * UploadChannel
 * ProxyChannel
 * ShellChannel
 * TunnelArgs

Mandiant is still analyzing SALTWATER to determine if it overlaps with any other
known malware families.

Table 1 below provides the file metadata related to a SALTWATER variant.

Name SHA256 mod_udp.so
1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4

 

MD5 File Type Size (Bytes) 827d507aa3bde0ef903ca5dec60cdec8 ELF x86 1,879,643

Table 1: SALTWATER variant metadata

SEASPY

SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda
Networks service and establishes itself as a PCAP filter, specifically
monitoring traffic on port 25 (SMTP) and port 587. SEASPY contains backdoor
functionality that is activated by a "magic packet".

Identified at path: /sbin/ on a subset of ESG appliances.

Mandiant analysis has identified code overlap between SEASPY and cd00r, a
publicly available backdoor.

Table 2 below provides the file metadata related to a SEASPY variant.

Name SHA256 BarracudaMailService
3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115

 

MD5 File Type Size (Bytes) 4ca4f582418b2cc0626700511a6315c0 ELF x64 2,924,217

Table 2: SEASPY variant metadata

SEASIDE

SEASIDE is a Lua based module for the Barracuda SMTP daemon (bsmtpd) that
monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP
address and port which it passes as arguments to an external binary that
establishes a reverse shell.

Table 3 below provides the file metadata related to a SEASIDE.

Name SHA256 mod_require_helo.lua
fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8

 

MD5 File Type Size (Bytes) cd2813f0260d63ad5adf0446253c2172 Lua module 2,724

Table 3: SEASIDE metadata

Recommendations For Impacted Customers

 1. Ensure your ESG appliance is receiving and applying updates, definitions,
    and security patches from Barracuda. Contact Barracuda support
    (support@barracuda.com) to validate if the appliance is up to date.
 2. Discontinue the use of the compromised ESG appliance and contact Barracuda
    support (support@barracuda.com) to obtain a new ESG virtual or hardware
    appliance.
 3. Rotate any applicable credentials connected to the ESG appliance:
    o  Any connected LDAP/AD
    o  Barracuda Cloud Control
    o  FTP Server
    o  SMB
    o  Any private TLS certificates
 4. Review your network logs for any of the IOCs listed below and any unknown
    IPs. Contact compliance@barracuda.com if any are identified.

To support customers in the investigations of their environments, we are
providing a list of all endpoint and network indicators observed over the course
of the investigation to date. We have also developed a series of YARA rules that
can be found in the section below.

Endpoint IOCs

Table 4 lists the endpoint IOCs, including malware and utilities, attributed to
attacker activity during the investigation.

       File Name   MD5 Hash Type  1 appcheck.sh N/A Bash script 2 aacore.sh N/A
Bash script 3 1.sh N/A Bash script 4 mod_udp.so 827d507aa3bde0ef903ca5dec60cdec8
SALTWATER Variant 5 intent N/A N/A 6 install_helo.tar
2ccb9759800154de817bf779a52d48f8 TAR Package 7 intent_helo
f5ab04a920302931a8bd063f27b745cc Bash script 8 pd
177add288b289d43236d2dba33e65956 Reverse Shell 9 update_v31.sh
881b7846f8384c12c7481b23011d8e45 Bash script 10 mod_require_helo.lua
cd2813f0260d63ad5adf0446253c2172 SEASIDE 11 BarracudaMailService
82eaf69de710abdc5dea7cd5cb56cf04 SEASPY 12 BarracudaMailService
e80a85250263d58cc1a1dc39d6cf3942 SEASPY 13 BarracudaMailService
5d6cba7909980a7b424b133fbac634ac SEASPY 14 BarracudaMailService
1bbb32610599d70397adfdaf56109ff3 SEASPY 15 BarracudaMailService
4b511567cfa8dbaa32e11baf3268f074 SEASPY 16 BarracudaMailService
a08a99e5224e1baf569fda816c991045 SEASPY 17 BarracudaMailService
19ebfe05040a8508467f9415c8378f32 SEASPY 18 mod_udp.so
1fea55b7c9d13d822a64b2370d015da7 SALTWATER Variant 19 mod_udp.so
64c690f175a2d2fe38d3d7c0d0ddbb6e SALTWATER Variant 20 mod_udp.so
4cd0f3219e98ac2e9021b06af70ed643 SALTWATER Variant

Table 4: Endpoint IOCs

Network IOCs

Table 5 lists the network IOCs, including IP addresses and domain names,
attributed to attacker activity during the investigation.

    Indicator ASN Location 1 xxl17z.dnslog.cn N/A N/A 2
mx01.bestfindthetruth.com N/A N/A 3 64.176.7.59 AS-CHOOPA US 4 64.176.4.234
AS-CHOOPA US 5 52.23.241.105 AMAZON-AES US 6 23.224.42.5 CloudRadium L.L.C US 7
192.74.254.229 PEG TECH INC US 8 192.74.226.142 PEG TECH INC US 9 155.94.160.72
QuadraNet Enterprises LLC US 10 139.84.227.9 AS-CHOOPA US 11 137.175.60.253 PEG
TECH INC US 12 137.175.53.170 PEG TECH INC US 13 137.175.51.147 PEG TECH INC US
14 137.175.30.36 PEG TECH INC US 15 137.175.28.251 PEG TECH INC US 16
137.175.19.25 PEG TECH INC US 17 107.148.219.227 PEG TECH INC US 18
107.148.219.55 PEG TECH INC US 19 107.148.219.54 PEG TECH INC US 20
107.148.219.53 PEG TECH INC US 21 107.148.219.227 PEG TECH INC US 22
107.148.149.156 PEG TECH INC US 23 104.223.20.222 QuadraNet Enterprises LLC US
24 103.93.78.142 EDGENAP LTD JP 25 103.27.108.62 TOPWAY GLOBAL LIMITED HK 26
137.175.30.86 PEGTECHINC US 27 199.247.23.80 AS-CHOOPA DE 28 38.54.1.82 KAOPU
CLOUD HK LIMITED SG 29 107.148.223.196 PEGTECHINC US 30 23.224.42.29 CNSERVERS
US 31 137.175.53.17 PEGTECHINC US 32 103.146.179.101 GIGABITBANK GLOBAL HK

Table 5: Network IOCs

YARA Rules

CVE-2023-2868

The following three (3) YARA rules can be used to hunt for the malicious TAR
file which exploits CVE-2023-2868:

rule M_Hunting_Exploit_Archive_2
 {
     meta:
         description = "Looks for TAR archive with /tmp/ base64 encoded being
part of filename of enclosed files"
         date_created = "2023-05-26"
         date_modified = "2023-05-26"
         md5 = "0d67f50a0bf7a3a017784146ac41ada0"
         version = "1.0"
     strings:
         $ustar = { 75 73 74 61 72 }
         $b64_tmp = "/tmp/" base64
     condition:
         filesize < 1MB and

         $ustar at 257 and

         for any i in (0 .. #ustar) : (

             $b64_tmp in (i * 512 .. i * 512 + 250)

         )
 }

rule M_Hunting_Exploit_Archive_3
 {
     meta:
         description = "Looks for TAR archive with openssl base64 encoded being
part of filename of enclosed files"
         date_created = "2023-05-26"
         date_modified = "2023-05-26"
         md5 = "0d67f50a0bf7a3a017784146ac41ada0"
         version = "1.0"
     strings:
         $ustar = { 75 73 74 61 72 }
         $b64_openssl = "openssl" base64
     condition:

         filesize < 1MB and
         $ustar at 257 and

         for any i in (0 .. #ustar) : (

             $b64_openssl in (i * 512 .. i * 512 + 250)

         )
 }

rule M_Hunting_Exploit_Archive_CVE_2023_2868
 {
     meta:
         description = "Looks for TAR archive with single quote/backtick as
start of filename of enclosed files. CVE-2023-2868"
         date_created = "2023-05-26"
         date_modified = "2023-05-26"
         md5 = "0d67f50a0bf7a3a017784146ac41ada0"
         version = "1.0"
     strings:
         $ustar = { 75 73 74 61 72 }
         $qb = "'`"
     condition:

         filesize < 1MB and
         $ustar at 257 and

         for any i in (0 .. #ustar) : (

             $qb at (@ustar[i] + 255)

         )
 }

SALTWATER

The following three (3) YARA rule can be used to hunt for SALTWATER:

rule M_Hunting_Linux_Funchook
 {
     strings:
         $f = "funchook_"
         $s1 = "Enter funchook_create()"
         $s2 = "Leave funchook_create() => %p"
         $s3 = "Enter funchook_prepare(%p, %p, %p)"
         $s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
         $s5 = "Enter funchook_install(%p, 0x%x)"
         $s6 = "Leave funchook_install() => %d"
         $s7 = "Enter funchook_uninstall(%p, 0x%x)"
         $s8 = "Leave funchook_uninstall() => %d"
         $s9 = "Enter funchook_destroy(%p)"
         $s10 = "Leave funchook_destroy() => %d"
         $s11 = "Could not modify already-installed funchook handle."
         $s12 = "  change %s address from %p to %p"
         $s13 = "  link_map addr=%p, name=%s"
         $s14 = "  ELF type is neither ET_EXEC nor ET_DYN."
         $s15 = "  not a valid ELF module %s."
         $s16 = "Failed to protect memory %p (size=%"
         $s17 = "  protect memory %p (size=%"
         $s18 = "Failed to unprotect memory %p (size=%"
         $s19 = "  unprotect memory %p (size=%"
         $s20 = "Failed to unprotect page %p (size=%"
         $s21 = "  unprotect page %p (size=%"
         $s22 = "Failed to protect page %p (size=%"
         $s23 = "  protect page %p (size=%"
         $s24 = "Failed to deallocate page %p (size=%"
         $s25 = " deallocate page %p (size=%"
         $s26 = "  allocate page %p (size=%"
         $s27 = "  try to allocate %p but %p (size=%"
         $s28 = "  allocate page %p (size=%"
         $s29 = "Could not find a free region near %p"
         $s30 = "  -- Use address %p or %p for function %p"
     condition:
         filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
 }

rule M_Hunting_Linux_SALTWATER_1
 {
     strings:
         $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
         $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
     condition:
         filesize < 15MB and uint32(0) == 0x464c457f and any of them
 }

rule M_Hunting_Linux_SALTWATER_2
 {
     strings:
         $c1 = "TunnelArgs"
         $c2 = "DownloadChannel"
         $c3 = "UploadChannel"
         $c4 = "ProxyChannel"
         $c5 = "ShellChannel"
         $c6 = "MyWriteAll"
         $c7 = "MyReadAll"
         $c8 = "Connected2Vps"
         $c9 = "CheckRemoteIp"
         $c10 = "GetFileSize"
         $s1 = "[-] error: popen failed"
         $s2 = "/home/product/code/config/ssl_engine_cert.pem"
         $s3 = "libbindshell.so"
     condition:
         filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of
($c*))
 }

The following SNORT rule can be used to hunt for SEASPY magic packets:

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY"; flags:S; dsize:>9;
content:"oXmp"; offset:0; depth:4; threshold:type limit,track by_src,count
1,seconds 3600; sid:1000000; rev:1;)

The following SNORT rules require Suricata 5.0.4 or newer and can be used to
hunt for SEASPY magic packets:

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_1358"; flags:S;
tcp.hdr; content:"|05 4e|"; offset:22; depth:2; threshold:type limit,track
by_src,count 1,seconds 3600; sid:1000001; rev:1;)

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58928"; flags:S;
tcp.hdr; content:"|e6 30|"; offset:28; depth:2;
byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count
1,seconds 3600; sid:1000002; rev:1;)

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58930"; flags:S;
tcp.hdr; content:"|e6 32|"; offset:28; depth:2;
byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative;
threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)

 


MAY 30TH, 2023:


PRELIMINARY SUMMARY OF KEY FINDINGS

Barracuda Networks priorities throughout this incident have been transparency
and to use this as an opportunity to strengthen our policies, practices, and
technology to further protect against future attacks. Although our investigation
is ongoing, the purpose of this document is to share preliminary findings,
provide the known Indicators of Compromise (IOCs), and share YARA rules to aid
our customers in their investigations, including with respect to their own
environments.

Timeline

 * On May 18, 2023, Barracuda was alerted to anomalous traffic originating from
   Barracuda Email Security Gateway (ESG) appliances.
 * On May 18, 2023, Barracuda engaged Mandiant, leading global cyber security
   experts, to assist in the investigation.
 * On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-28681) in our
   Email Security Gateway appliance (ESG).
 * On May 20, 2023, a security patch to remediate the vulnerability was applied
   to all ESG appliances worldwide.
 * On May 21, 2023, a script was deployed to all impacted appliances to contain
   the incident and counter unauthorized access methods.
 * A series of security patches are being deployed to all appliances in
   furtherance of our containment strategy.

Key Findings

While the investigation is still on-going, Barracuda has concluded the
following:

 * The vulnerability existed in a module which initially screens the attachments
   of incoming emails. No other Barracuda products, including our SaaS email
   security services, were subject to the vulnerability identified.
 * Earliest identified evidence of exploitation of CVE-2023-2868 is currently
   October 2022.
 * Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized
   access to a subset of ESG appliances.
 * Malware was identified on a subset of appliances allowing for persistent
   backdoor access.
 * Evidence of data exfiltration was identified on a subset of impacted
   appliances.

Users whose appliances we believe were impacted have been notified via the ESG
user interface of actions to take. Barracuda has also reached out to these
specific customers. Additional customers may be identified in the course of the
investigation.

CVE-2023-2868

On May 19, 2023, Barracuda Networks identified a remote command injection
vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway
(appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability
stemmed from incomplete input validation of user supplied .tar files as it
pertains to the names of the files contained within the archive. Consequently, a
remote attacker could format file names in a particular manner that would result
in remotely executing a system command through Perl's qx operator with the
privileges of the Email Security Gateway product.

Barracuda's investigation to date has determined that a third party utilized the
technique described above to gain unauthorized access to a subset of ESG
appliances.

Malware

This section details the malware that has been identified to date.

SALTWATER

SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that
contains backdoor functionality. The capabilities of SALTWATER include the
ability to upload or download arbitrary files, execute commands, as well as
proxy and tunneling capabilities.

Identified at path: /home/product/code/firmware/current/lib/smtp/modules on a
subset of ESG appliances.

The backdoor is implemented using hooks on the send, recv, close syscalls and
amounts to five components, most of which are referred to as “Channels” within
the binary. In addition to providing backdoor and proxying capabilities, these
components exhibit classic backdoor functionality.  The five (5) channels can be
seen in the list below.

 * DownloadChannel
 * UploadChannel
 * ProxyChannel
 * ShellChannel
 * TunnelArgs

Mandiant is still analyzing SALTWATER to determine if it overlaps with any other
known malware families. Table 1 below provides the file metadata related to a
SALTWATER variant.

Table 1 below provides the file metadata related to a SALTWATER variant.

Name SHA256 mod_udp.so
1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4

 

MD5 File Type Size (Bytes) 827d507aa3bde0ef903ca5dec60cdec8 ELF x86 1,879,643

Table 1: SALTWATER variant metadata

SEASPY

SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda
Networks service and establishes itself as a PCAP filter, specifically
monitoring traffic on port 25 (SMTP). SEASPY also contains backdoor
functionality that is activated by a "magic packet".

Identified at path: /sbin/ on a subset of ESG appliances.

Mandiant analysis has identified code overlap between SEASPY and cd00r, a
publicly available backdoor.

Table 2 below provides the file metadata related to a SEASPY variant.

Name SHA256 BarracudaMailService
3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115

 

MD5 File Type Size (Bytes) 4ca4f582418b2cc0626700511a6315c0 ELF x64 2,924,217

Table 2: SEASPY variant metadata

SEASIDE

SEASIDE is a Lua based module for the Barracuda SMTP daemon (bsmtpd) that
monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP
address and port which it passes as arguments to an external binary that
establishes a reverse shell.

Table 3 below provides the file metadata related to a SEASIDE.

Name SHA256 mod_require_helo.lua
fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8

 

MD5 File Type Size (Bytes) cd2813f0260d63ad5adf0446253c2172 Lua module 2,724

Table 3: SEASIDE metadata

Recommendations For Impacted Customers

 1. Ensure your ESG appliance is receiving and applying updates, definitions,
    and security patches from Barracuda. Contact Barracuda support
    (support@barracuda.com) to validate if the appliance is up to date.
 2. Discontinue the use of the compromised ESG appliance and contact Barracuda
    support (support@barracuda.com) to obtain a new ESG virtual or hardware
    appliance.
 3. Rotate any applicable credentials connected to the ESG appliance:
    o  Any connected LDAP/AD
    o  Barracuda Cloud Control
    o  FTP Server
    o  SMB
    o  Any private TLS certificates
 4. Review your network logs for any of the IOCs listed below and any unknown
    IPs. Contact compliance@barracuda.com if any are identified.

To support customers in the investigations of their environments, we are
providing a list of all endpoint and network indicators observed over the course
of the investigation to date. We have also developed a series of YARA rules that
can be found in the section below.

Endpoint IOCs

Table 4 lists the endpoint IOCs, including malware and utilities, attributed to
attacker activity during the investigation.

       File Name   MD5 Hash Type  1 appcheck.sh N/A Bash script 2 aacore.sh N/A
Bash script 3 1.sh N/A Bash script 4 mod_udp.so 827d507aa3bde0ef903ca5dec60cdec8
SALTWATER Variant 5 intent N/A N/A 6 install_helo.tar
2ccb9759800154de817bf779a52d48f8 TAR Package 7 intent_helo
f5ab04a920302931a8bd063f27b745cc Bash script 8 pd
177add288b289d43236d2dba33e65956 Reverse Shell 9 update_v31.sh
881b7846f8384c12c7481b23011d8e45 Bash script 10 mod_require_helo.lua
cd2813f0260d63ad5adf0446253c2172 SEASIDE 11 BarracudaMailService
82eaf69de710abdc5dea7cd5cb56cf04 SEASPY 12 BarracudaMailService
e80a85250263d58cc1a1dc39d6cf3942 SEASPY 13 BarracudaMailService
5d6cba7909980a7b424b133fbac634ac SEASPY 14 BarracudaMailService
1bbb32610599d70397adfdaf56109ff3 SEASPY 15 BarracudaMailService
4b511567cfa8dbaa32e11baf3268f074 SEASPY 16 BarracudaMailService
a08a99e5224e1baf569fda816c991045 SEASPY 17 BarracudaMailService
19ebfe05040a8508467f9415c8378f32 SEASPY 18 mod_udp.so
1fea55b7c9d13d822a64b2370d015da7 SALTWATER Variant 19 mod_udp.so
64c690f175a2d2fe38d3d7c0d0ddbb6e SALTWATER Variant 20 mod_udp.so
4cd0f3219e98ac2e9021b06af70ed643 SALTWATER Variant

Table 4: Endpoint IOCs

Network IOCs

Table 5 lists the network IOCs, including IP addresses and domain names,
attributed to attacker activity during the investigation.

    Indicator ASN Location 1 xxl17z.dnslog.cn N/A N/A 2
mx01.bestfindthetruth.com N/A N/A 3 64.176.7.59 AS-CHOOPA US 4 64.176.4.234
AS-CHOOPA US 5 52.23.241.105 AMAZON-AES US 6 23.224.42.5 CloudRadium L.L.C US 7
192.74.254.229 PEG TECH INC US 8 192.74.226.142 PEG TECH INC US 9 155.94.160.72
QuadraNet Enterprises LLC US 10 139.84.227.9 AS-CHOOPA US 11 137.175.60.253 PEG
TECH INC US 12 137.175.53.170 PEG TECH INC US 13 137.175.51.147 PEG TECH INC US
14 137.175.30.36 PEG TECH INC US 15 137.175.28.251 PEG TECH INC US 16
137.175.19.25 PEG TECH INC US 17 107.148.219.227 PEG TECH INC US 18
107.148.219.55 PEG TECH INC US 19 107.148.219.54 PEG TECH INC US 20
107.148.219.53 PEG TECH INC US 21 107.148.219.227 PEG TECH INC US 22
107.148.149.156 PEG TECH INC US 23 104.223.20.222 QuadraNet Enterprises LLC US
24 103.93.78.142 EDGENAP LTD JP 25 103.27.108.62 TOPWAY GLOBAL LIMITED HK

Table 5: Network IOCs

YARA Rules

CVE-2023-2868

The following three (3) YARA rules can be used to hunt for the malicious TAR
file which exploits CVE-2023-2868:

rule M_Hunting_Exploit_Archive_2
 {
     meta:
         description = "Looks for TAR archive with /tmp/ base64 encoded being
part of filename of enclosed files"
         date_created = "2023-05-26"
         date_modified = "2023-05-26"
         md5 = "0d67f50a0bf7a3a017784146ac41ada0"
         version = "1.0"
     strings:
         $ustar = { 75 73 74 61 72 }
         $b64_tmp = "/tmp/" base64
     condition:
         filesize < 1MB and

         $ustar at 257 and

         for any i in (0 .. #ustar) : (

             $b64_tmp in (i * 512 .. i * 512 + 250)

         )
 }

rule M_Hunting_Exploit_Archive_3
 {
     meta:
         description = "Looks for TAR archive with openssl base64 encoded being
part of filename of enclosed files"
         date_created = "2023-05-26"
         date_modified = "2023-05-26"
         md5 = "0d67f50a0bf7a3a017784146ac41ada0"
         version = "1.0"
     strings:
         $ustar = { 75 73 74 61 72 }
         $b64_openssl = "openssl" base64
     condition:

         filesize < 1MB and
         $ustar at 257 and

         for any i in (0 .. #ustar) : (

             $b64_openssl in (i * 512 .. i * 512 + 250)

         )
 }

rule M_Hunting_Exploit_Archive_CVE_2023_2868
 {
     meta:
         description = "Looks for TAR archive with single quote/backtick as
start of filename of enclosed files. CVE-2023-2868"
         date_created = "2023-05-26"
         date_modified = "2023-05-26"
         md5 = "0d67f50a0bf7a3a017784146ac41ada0"
         version = "1.0"
     strings:
         $ustar = { 75 73 74 61 72 }
         $qb = "'`"
     condition:

         filesize < 1MB and
         $ustar at 257 and

         for any i in (0 .. #ustar) : (

             $qb at (@ustar[i] + 255)

         )
 }

SALTWATER

The following three (3) YARA rule can be used to hunt for SALTWATER:

rule M_Hunting_Linux_Funchook
 {
     strings:
         $f = "funchook_"
         $s1 = "Enter funchook_create()"
         $s2 = "Leave funchook_create() => %p"
         $s3 = "Enter funchook_prepare(%p, %p, %p)"
         $s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
         $s5 = "Enter funchook_install(%p, 0x%x)"
         $s6 = "Leave funchook_install() => %d"
         $s7 = "Enter funchook_uninstall(%p, 0x%x)"
         $s8 = "Leave funchook_uninstall() => %d"
         $s9 = "Enter funchook_destroy(%p)"
         $s10 = "Leave funchook_destroy() => %d"
         $s11 = "Could not modify already-installed funchook handle."
         $s12 = "  change %s address from %p to %p"
         $s13 = "  link_map addr=%p, name=%s"
         $s14 = "  ELF type is neither ET_EXEC nor ET_DYN."
         $s15 = "  not a valid ELF module %s."
         $s16 = "Failed to protect memory %p (size=%"
         $s17 = "  protect memory %p (size=%"
         $s18 = "Failed to unprotect memory %p (size=%"
         $s19 = "  unprotect memory %p (size=%"
         $s20 = "Failed to unprotect page %p (size=%"
         $s21 = "  unprotect page %p (size=%"
         $s22 = "Failed to protect page %p (size=%"
         $s23 = "  protect page %p (size=%"
         $s24 = "Failed to deallocate page %p (size=%"
         $s25 = " deallocate page %p (size=%"
         $s26 = "  allocate page %p (size=%"
         $s27 = "  try to allocate %p but %p (size=%"
         $s28 = "  allocate page %p (size=%"
         $s29 = "Could not find a free region near %p"
         $s30 = "  -- Use address %p or %p for function %p"
     condition:
         filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
 }

rule M_Hunting_Linux_SALTWATER_1
 {
     strings:
         $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
         $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41
71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
     condition:
         filesize < 15MB and uint32(0) == 0x464c457f and any of them
 }

rule M_Hunting_Linux_SALTWATER_2
 {
     strings:
         $c1 = "TunnelArgs"
         $c2 = "DownloadChannel"
         $c3 = "UploadChannel"
         $c4 = "ProxyChannel"
         $c5 = "ShellChannel"
         $c6 = "MyWriteAll"
         $c7 = "MyReadAll"
         $c8 = "Connected2Vps"
         $c9 = "CheckRemoteIp"
         $c10 = "GetFileSize"
         $s1 = "[-] error: popen failed"
         $s2 = "/home/product/code/config/ssl_engine_cert.pem"
         $s3 = "libbindshell.so"
     condition:
         filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of
($c*))
 }

 


MAY 23RD, 2023:

Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security
Gateway appliance (ESG) on May 19, 2023. A security patch to eliminate the
vulnerability was applied to all ESG appliances worldwide on Saturday, May 20,
2023. The vulnerability existed in a module which initially screens the
attachments of incoming emails. No other Barracuda products, including our SaaS
email security services, were subject to this vulnerability.

We took immediate steps to investigate this vulnerability. Based on our
investigation to date, we’ve identified that the vulnerability resulted in
unauthorized access to a subset of email gateway appliances. As part of our
containment strategy, all ESG appliances have received a second patch on May 21,
2023. Users whose appliances we believe were impacted have been notified via the
ESG user interface of actions to take. Barracuda has also reached out to these
specific customers.

We will continue actively monitoring this situation, and we will be transparent
in sharing details on what actions we are taking. Information gathering is
ongoing as part of the investigation. We want to ensure we only share validated
information with actionable steps for you to take. As we have information to
share, we will provide updates via this product status page
(https://status.barracuda.com) and direct outreach to impacted customers.
Updates are also located on Barracuda’s Trust Center
(https://www.barracuda.com/company/legal).

Barracuda’s investigation was limited to the ESG product, and not the customer’s
specific environment. Therefore, impacted customers should review their
environments and determine any additional actions they want to take.

Your trust is important to us. We thank you for your understanding and support
as we work through this issue and sincerely apologize for any inconvenience it
may cause. If you have any questions, please reach out to support@barracuda.com.

Privacy Policy | Website Terms & Conditions

© 2003 - 2023 Barracuda Networks, Inc.

All rights reserved.

 * 
 * 
 * 
 * 
 * 
 * 

Privacy Policy | Website Terms & Conditions

© 2003 - 2023 Barracuda Networks, Inc. All rights reserved.

 * Legal Terms, Conditions and Warranties

Site Map
 * Products
 * Solutions
 * Purchase
 * Support
 * Partners
 * Company
 * Glossary
 * Site Map

Our Websites
 * Threat Intelligence
 * MSP Solutions

Contact Us
 * Phone: +1 888 268 4772
 * Contact Sales
 * Contact Support
 * Contact Legal
 * View More

Connect
 * Facebook
 * Twitter
 * YouTube
 * LinkedIn
 * Instagram
 * Corporate Blog


 X




$H2

$hl

X


HOW BARRACUDA USES COOKIES




YOUR PRIVACY


YOUR PRIVACY

Barracuda Sites may request cookies to be set on your device. We use cookies to
let us know when you visit our Barracuda Sites, to understand how you interact
with us, to enrich and personalize your user experience, to enable social media
functionality and to customize your relationship with Barracuda, including
providing you with more relevant advertising. Note that blocking some types of
cookies may impact your experience on our Barracuda Sites and the services we
are able to offer.


 * STRICTLY NECESSARY COOKIES
   
   
   STRICTLY NECESSARY COOKIES
   
   Always Active
   Strictly Necessary Cookies
   
   These cookies are necessary for the website to function and cannot be
   switched off in our systems. They are usually only set in response to actions
   made by you which amount to a request for services, such as setting your
   privacy preferences, logging in or filling in forms. You can set your browser
   to block or alert you about these cookies, but some parts of the site will
   not then work.


 * ANALYTICS COOKIES
   
   
   ANALYTICS COOKIES
   
   Analytics Cookies
   
   These cookies help Barracuda to understand how visitors to our pages engage
   within their session. Analytics Cookies assist in generating reporting site
   usage statistics which do not personally identify individual users.


 * PERFORMANCE COOKIES
   
   
   PERFORMANCE COOKIES
   
   Performance Cookies
   
   These cookies allow us to count visits and traffic sources so we can measure
   and improve the performance of our site. They help us to know which pages are
   the most and least popular and see how visitors move around the site. If you
   do not allow these cookies we will not know when you have visited our site,
   and will not be able to monitor its performance.


 * TARGETING COOKIES
   
   
   TARGETING COOKIES
   
   Targeting Cookies
   
   These cookies may be set through our site by our advertising partners. They
   may be used by those companies to build a profile of your interests and show
   you relevant adverts on other sites. They do not directly identify you, but
   are based on uniquely identifying your browser and internet device. If you do
   not allow these cookies, you will experience less targeted advertising.


 * FUNCTIONAL COOKIES
   
   
   FUNCTIONAL COOKIES
   
   Functional Cookies
   
   These cookies enable the website to provide enhanced functionality and
   personalisation. They may be set by us or by third party providers whose
   services we have added to our pages. If you do not allow these cookies then
   some or all of these services may not function properly.

Back Button


ADVERTISING COOKIES

Filter Button
Consent Leg.Interest
Select All Vendors
Select All Vendors
Select All Hosts

Select All

 * REPLACE-WITH-DYANMIC-HOST-ID
   
   
   33ACROSS
   
   33ACROSS
   
   View Third Party Cookies
   
    * Name
      cookie name

 * REPLACE-WITH-DYANMIC-VENDOR-ID
   
   
   33ACROSS
   
   3 Purposes
   
   View Privacy Notice
   
   
   
   33ACROSS
   
   3 Purposes
   
   View Privacy Notice
   
   REPLACE-WITH-DYANMIC-VENDOR-ID
   
   Consent Purposes
   
   Location Based Ads
   
   Consent Allowed
   
   Legitimate Interest Purposes
   
   Personalize
   
   Require Opt-Out
   
   Special Purposes
   
   Location Based Ads
   
   Features
   
   Location Based Ads
   
   Special Features
   
   Location Based Ads



Clear Filters

Information storage and access
Apply
Confirm My Choices



COOKIE ACCEPTANCE

We use cookies to make our website work. We and our partners would also like to
set optional cookies for analytics purposes, as well as to measure and improve
the performance of the website, and to remember your preferences and provide you
enhanced functionality and personalization. Click on the Cookies Preferences
button to find out more and set your preferences.

Click on the Accept All button if you consent to the use of all such cookies. If
you choose to allow the use of such cookies, you will be able to withdraw your
consent at any time. Please refer to our Privacy Policy to better understand
your rights.Privacy Policy

Accept All Cookies
Cookie Preferences