www.barracuda.com
URL: https://www.barracuda.com/company/legal/esg-vulnerability
Submission: On June 12 via api from IN — Scanned from GB
BARRACUDA EMAIL SECURITY GATEWAY APPLIANCE (ESG) VULNERABILITY

WE ARE COMMITTED TO SECURING YOUR DATA

JUNE 6th, 2023: ACTION NOTICE

Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com). Barracuda's remediation recommendation at this time is full replacement of the impacted ESG.

JUNE 1ST, 2023: PRELIMINARY SUMMARY OF KEY FINDINGS

DOCUMENT HISTORY

    Version/Date         Notes
    1.0: May 30, 2023    Initial Document
    1.1: June 1, 2023    Additional IOCs and rules included

Barracuda Networks' priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks.
Although our investigation is ongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise (IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.

Timeline

* On May 18, 2023, Barracuda was alerted to anomalous traffic originating from Barracuda Email Security Gateway (ESG) appliances.
* On May 18, 2023, Barracuda engaged Mandiant, leading global cyber security experts, to assist in the investigation.
* On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG).
* On May 20, 2023, a security patch to remediate the vulnerability was applied to all ESG appliances worldwide.
* On May 21, 2023, a script was deployed to all impacted appliances to contain the incident and counter unauthorized access methods.
* A series of security patches are being deployed to all appliances in furtherance of our containment strategy.

Key Findings

While the investigation is still ongoing, Barracuda has concluded the following:

* The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified.
* The earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.
* Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances.
* Malware was identified on a subset of appliances allowing for persistent backdoor access.
* Evidence of data exfiltration was identified on a subset of impacted appliances.

Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation.
CVE-2023-2868

On May 19, 2023, Barracuda Networks identified a remote command injection vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway (appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability stemmed from incomplete input validation of user-supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. Barracuda's investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances.

Malware

This section details the malware that has been identified to date. To assist in tracking, codenames have been assigned to the malware.

SALTWATER

SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. The capabilities of SALTWATER include the ability to upload or download arbitrary files and execute commands, as well as proxy and tunneling capabilities. It was identified at path /home/product/code/firmware/current/lib/smtp/modules on a subset of ESG appliances.

The backdoor is implemented using hooks on the send, recv, and close syscalls and amounts to five components, most of which are referred to as "Channels" within the binary. In addition to providing proxying capabilities, these components exhibit backdoor functionality. The five (5) channels are listed below.

* DownloadChannel
* UploadChannel
* ProxyChannel
* ShellChannel
* TunnelArgs

Mandiant is still analyzing SALTWATER to determine if it overlaps with any other known malware families. Table 1 below provides the file metadata related to a SALTWATER variant.
Table 1: SALTWATER variant metadata

    Name          mod_udp.so
    SHA256        1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4
    MD5           827d507aa3bde0ef903ca5dec60cdec8
    File Type     ELF x86
    Size (Bytes)  1,879,643

SEASPY

SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP) and port 587. SEASPY contains backdoor functionality that is activated by a "magic packet". It was identified at path /sbin/ on a subset of ESG appliances. Mandiant analysis has identified code overlap between SEASPY and cd00r, a publicly available backdoor. Table 2 below provides the file metadata related to a SEASPY variant.

Table 2: SEASPY variant metadata

    Name          BarracudaMailService
    SHA256        3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115
    MD5           4ca4f582418b2cc0626700511a6315c0
    File Type     ELF x64
    Size (Bytes)  2,924,217

SEASIDE

SEASIDE is a Lua-based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP address and port, which it passes as arguments to an external binary that establishes a reverse shell. Table 3 below provides the file metadata related to SEASIDE.

Table 3: SEASIDE metadata

    Name          mod_require_helo.lua
    SHA256        fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8
    MD5           cd2813f0260d63ad5adf0446253c2172
    File Type     Lua module
    Size (Bytes)  2,724

Recommendations For Impacted Customers

1. Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda. Contact Barracuda support (support@barracuda.com) to validate whether the appliance is up to date.
2. Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance.
3. Rotate any applicable credentials connected to the ESG appliance:
   o Any connected LDAP/AD
   o Barracuda Cloud Control
   o FTP Server
   o SMB
   o Any private TLS certificates
4. Review your network logs for any of the IOCs listed below and any unknown IPs. Contact compliance@barracuda.com if any are identified.

To support customers in the investigations of their environments, we are providing a list of all endpoint and network indicators observed over the course of the investigation to date. We have also developed a series of YARA rules that can be found in the section below.

Endpoint IOCs

Table 4 lists the endpoint IOCs, including malware and utilities, attributed to attacker activity during the investigation.

    #   File Name              MD5 Hash                           Type
    1   appcheck.sh            N/A                                Bash script
    2   aacore.sh              N/A                                Bash script
    3   1.sh                   N/A                                Bash script
    4   mod_udp.so             827d507aa3bde0ef903ca5dec60cdec8   SALTWATER Variant
    5   intent                 N/A                                N/A
    6   install_helo.tar       2ccb9759800154de817bf779a52d48f8   TAR Package
    7   intent_helo            f5ab04a920302931a8bd063f27b745cc   Bash script
    8   pd                     177add288b289d43236d2dba33e65956   Reverse Shell
    9   update_v31.sh          881b7846f8384c12c7481b23011d8e45   Bash script
    10  mod_require_helo.lua   cd2813f0260d63ad5adf0446253c2172   SEASIDE
    11  BarracudaMailService   82eaf69de710abdc5dea7cd5cb56cf04   SEASPY
    12  BarracudaMailService   e80a85250263d58cc1a1dc39d6cf3942   SEASPY
    13  BarracudaMailService   5d6cba7909980a7b424b133fbac634ac   SEASPY
    14  BarracudaMailService   1bbb32610599d70397adfdaf56109ff3   SEASPY
    15  BarracudaMailService   4b511567cfa8dbaa32e11baf3268f074   SEASPY
    16  BarracudaMailService   a08a99e5224e1baf569fda816c991045   SEASPY
    17  BarracudaMailService   19ebfe05040a8508467f9415c8378f32   SEASPY
    18  mod_udp.so             1fea55b7c9d13d822a64b2370d015da7   SALTWATER Variant
    19  mod_udp.so             64c690f175a2d2fe38d3d7c0d0ddbb6e   SALTWATER Variant
    20  mod_udp.so             4cd0f3219e98ac2e9021b06af70ed643   SALTWATER Variant

Table 4: Endpoint IOCs

Network IOCs

Table 5 lists the network IOCs, including IP addresses and domain names, attributed to attacker activity during the investigation.

YARA Rules

CVE-2023-2868

The following three (3) YARA rules can be used to hunt for the malicious TAR file which exploits CVE-2023-2868:

    rule M_Hunting_Exploit_Archive_2
    {
        meta:
            description = "Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed files"
            date_created = "2023-05-26"
            date_modified = "2023-05-26"
            md5 = "0d67f50a0bf7a3a017784146ac41ada0"
            version = "1.0"
        strings:
            $ustar = { 75 73 74 61 72 }
            $b64_tmp = "/tmp/" base64
        condition:
            filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_tmp in (i * 512 .. i * 512 + 250) )
    }

    rule M_Hunting_Exploit_Archive_3
    {
        meta:
            description = "Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files"
            date_created = "2023-05-26"
            date_modified = "2023-05-26"
            md5 = "0d67f50a0bf7a3a017784146ac41ada0"
            version = "1.0"
        strings:
            $ustar = { 75 73 74 61 72 }
            $b64_openssl = "openssl" base64
        condition:
            filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_openssl in (i * 512 .. i * 512 + 250) )
    }

    rule M_Hunting_Exploit_Archive_CVE_2023_2868
    {
        meta:
            description = "Looks for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868"
            date_created = "2023-05-26"
            date_modified = "2023-05-26"
            md5 = "0d67f50a0bf7a3a017784146ac41ada0"
            version = "1.0"
        strings:
            $ustar = { 75 73 74 61 72 }
            $qb = "'`"
        condition:
            filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $qb at (@ustar[i] + 255) )
    }

SALTWATER

The following three (3) YARA rules can be used to hunt for SALTWATER:

    rule M_Hunting_Linux_Funchook
    {
        strings:
            $f = "funchook_"
            $s1 = "Enter funchook_create()"
            $s2 = "Leave funchook_create() => %p"
            $s3 = "Enter funchook_prepare(%p, %p, %p)"
            $s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
            $s5 = "Enter funchook_install(%p, 0x%x)"
            $s6 = "Leave funchook_install() => %d"
            $s7 = "Enter funchook_uninstall(%p, 0x%x)"
            $s8 = "Leave funchook_uninstall() => %d"
            $s9 = "Enter funchook_destroy(%p)"
            $s10 = "Leave funchook_destroy() => %d"
            $s11 = "Could not modify already-installed funchook handle."
            $s12 = " change %s address from %p to %p"
            $s13 = " link_map addr=%p, name=%s"
            $s14 = " ELF type is neither ET_EXEC nor ET_DYN."
            $s15 = " not a valid ELF module %s."
            $s16 = "Failed to protect memory %p (size=%"
            $s17 = " protect memory %p (size=%"
            $s18 = "Failed to unprotect memory %p (size=%"
            $s19 = " unprotect memory %p (size=%"
            $s20 = "Failed to unprotect page %p (size=%"
            $s21 = " unprotect page %p (size=%"
            $s22 = "Failed to protect page %p (size=%"
            $s23 = " protect page %p (size=%"
            $s24 = "Failed to deallocate page %p (size=%"
            $s25 = " deallocate page %p (size=%"
            $s26 = " allocate page %p (size=%"
            $s27 = " try to allocate %p but %p (size=%"
            $s28 = " allocate page %p (size=%"
            $s29 = "Could not find a free region near %p"
            $s30 = " -- Use address %p or %p for function %p"
        condition:
            filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
    }

    rule M_Hunting_Linux_SALTWATER_1
    {
        strings:
            $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
            $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
        condition:
            filesize < 15MB and uint32(0) == 0x464c457f and any of them
    }

    rule M_Hunting_Linux_SALTWATER_2
    {
        strings:
            $c1 = "TunnelArgs"
            $c2 = "DownloadChannel"
            $c3 = "UploadChannel"
            $c4 = "ProxyChannel"
            $c5 = "ShellChannel"
            $c6 = "MyWriteAll"
            $c7 = "MyReadAll"
            $c8 = "Connected2Vps"
            $c9 = "CheckRemoteIp"
            $c10 = "GetFileSize"
            $s1 = "[-] error: popen failed"
            $s2 = "/home/product/code/config/ssl_engine_cert.pem"
            $s3 = "libbindshell.so"
        condition:
            filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*))
    }

SEASPY

The following SNORT rule can be used to hunt for SEASPY magic packets:

    alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY"; flags:S; dsize:>9; content:"oXmp"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1;)

The following SNORT rules require Suricata 5.0.4 or newer and can be used to hunt for SEASPY magic packets:

    alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_1358"; flags:S; tcp.hdr; content:"|05 4e|"; offset:22; depth:2; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1;)

    alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58928"; flags:S; tcp.hdr; content:"|e6 30|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1;)

    alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58930"; flags:S; tcp.hdr; content:"|e6 32|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)
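As an added illustration (not part of Barracuda's or Mandiant's material), the following Python script applies the three M_Hunting_Exploit_Archive checks above directly to a tar file, without a YARA engine: it expands the `base64` modifier into its three alignment permutations, walks the 512-byte header blocks, and mirrors the `@ustar[i] + 255` offset, which lands on the block that follows each header (the block where GNU tar stores over-length member names). It goes slightly beyond the rules by also checking the 100-byte name field; the function names and the sample archives are constructed here and are not advisory artifacts.

```python
"""Offline check for the three M_Hunting_Exploit_Archive patterns, written
directly against the tar header layout (no YARA engine required)."""
import base64
import io
import tarfile

BLOCK = 512
MAX_SIZE = 1024 * 1024       # the rules gate on `filesize < 1MB`
HEADER_WINDOW = 250          # `i * 512 .. i * 512 + 250` in the rules


def base64_permutations(plain: bytes) -> list[bytes]:
    """The three substrings present in any base64 encoding of data containing
    `plain`, one per input alignment: what YARA's `base64` modifier expands to."""
    perms = []
    for lead in range(3):
        encoded = base64.b64encode(b"\x00" * lead + plain).rstrip(b"=")
        head = (0, 2, 3)[lead]                           # chars fixed by the leading pad bytes
        tail = 0 if (lead + len(plain)) % 3 == 0 else 1  # last char mixes in trailing pad bits
        perms.append(encoded[head:len(encoded) - tail])
    return perms


def _starts_within(data: bytes, needle: bytes, lo: int, hi: int) -> bool:
    """YARA's `$s in (lo..hi)`: a match that starts at an offset in [lo, hi]."""
    return data.find(needle, lo, hi + len(needle)) != -1


def scan_tar_bytes(data: bytes) -> list[str]:
    """Names of the hunting rules the archive would trigger, plus one added
    check (`name_field_quote_backtick`) on the 100-byte name field itself."""
    if len(data) >= MAX_SIZE or data[257:262] != b"ustar":
        return []                                     # same gate as `filesize < 1MB and $ustar at 257`
    b64_tmp = base64_permutations(b"/tmp/")
    b64_openssl = base64_permutations(b"openssl")
    hits = set()
    for off in range(0, len(data) - BLOCK + 1, BLOCK):
        if data[off + 257:off + 262] != b"ustar":
            continue                                  # content or padding block, not a header
        hi = off + HEADER_WINDOW
        if any(_starts_within(data, p, off, hi) for p in b64_tmp):
            hits.add("M_Hunting_Exploit_Archive_2")
        if any(_starts_within(data, p, off, hi) for p in b64_openssl):
            hits.add("M_Hunting_Exploit_Archive_3")
        # `$qb at (@ustar[i] + 255)` is the first two bytes of the block after the
        # header. For a GNU long-name entry (typeflag 'L') that block carries the real
        # member name; for an ordinary file it is file content, so a benign file whose
        # content starts with '` also matches, exactly as the YARA rule does.
        if data[off + BLOCK:off + BLOCK + 2] == b"'`":
            hits.add("M_Hunting_Exploit_Archive_CVE_2023_2868")
        if data[off:off + 2] == b"'`":                # added check: short names never reach the data block
            hits.add("name_field_quote_backtick")
    return sorted(hits)


def build_tar(members: dict[str, bytes]) -> bytes:
    """Constructed in-memory GNU-format archive used as sample input (not an advisory artifact)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: a clean archive, one whose member name is base64 containing
# "/tmp/", and one with an over-length name starting with the quote/backtick pair.
CLEAN = build_tar({"report.txt": b"quarterly numbers\n"})
B64_NAME = build_tar({base64.b64encode(b"/tmp/x").decode() + ".doc": b"lure\n"})
LONG_QB_NAME = build_tar({"'`" + "a" * 120 + ".pdf": b"lure\n"})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("b64 /tmp/", B64_NAME), ("long '` name", LONG_QB_NAME)):
        print(f"{label:14} -> {scan_tar_bytes(blob) or ['no hits']}")
```

To check a suspect archive, pass its raw bytes to scan_tar_bytes; like the YARA rules it ignores files of 1 MB or more, and a hit is a triage signal rather than proof of exploitation.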
Key Findings While the investigation is still on-going, Barracuda has concluded the following: * The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified. * Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022. * Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances. * Malware was identified on a subset of appliances allowing for persistent backdoor access. * Evidence of data exfiltration was identified on a subset of impacted appliances. Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation. CVE-2023-2868 On May 19, 2023, Barracuda Networks identified a remote command injection vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway (appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. Barracuda's investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances. Malware This section details the malware that has been identified to date. SALTWATER SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. 
The capabilities of SALTWATER include the ability to upload or download arbitrary files, execute commands, as well as proxy and tunneling capabilities. Identified at path: /home/product/code/firmware/current/lib/smtp/modules on a subset of ESG appliances. The backdoor is implemented using hooks on the send, recv, close syscalls and amounts to five components, most of which are referred to as “Channels” within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality. The five (5) channels can be seen in the list below. * DownloadChannel * UploadChannel * ProxyChannel * ShellChannel * TunnelArgs Mandiant is still analyzing SALTWATER to determine if it overlaps with any other known malware families. Table 1 below provides the file metadata related to a SALTWATER variant. Table 1 below provides the file metadata related to a SALTWATER variant. Name SHA256 mod_udp.so 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4 MD5 File Type Size (Bytes) 827d507aa3bde0ef903ca5dec60cdec8 ELF x86 1,879,643 Table 1: SALTWATER variant metadata SEASPY SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also contains backdoor functionality that is activated by a "magic packet". Identified at path: /sbin/ on a subset of ESG appliances. Mandiant analysis has identified code overlap between SEASPY and cd00r, a publicly available backdoor. Table 2 below provides the file metadata related to a SEASPY variant. 
Name SHA256 BarracudaMailService 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115 MD5 File Type Size (Bytes) 4ca4f582418b2cc0626700511a6315c0 ELF x64 2,924,217 Table 2: SEASPY variant metadata SEASIDE SEASIDE is a Lua based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP address and port which it passes as arguments to an external binary that establishes a reverse shell. Table 3 below provides the file metadata related to a SEASIDE. Name SHA256 mod_require_helo.lua fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8 MD5 File Type Size (Bytes) cd2813f0260d63ad5adf0446253c2172 Lua module 2,724 Table 3: SEASIDE metadata Recommendations For Impacted Customers 1. Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda. Contact Barracuda support (support@barracuda.com) to validate if the appliance is up to date. 2. Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance. 3. Rotate any applicable credentials connected to the ESG appliance: o Any connected LDAP/AD o Barracuda Cloud Control o FTP Server o SMB o Any private TLS certificates 4. Review your network logs for any of the IOCs listed below and any unknown IPs. Contact compliance@barracuda.com if any are identified. To support customers in the investigations of their environments, we are providing a list of all endpoint and network indicators observed over the course of the investigation to date. We have also developed a series of YARA rules that can be found in the section below. Endpoint IOCs Table 4 lists the endpoint IOCs, including malware and utilities, attributed to attacker activity during the investigation. 
File Name MD5 Hash Type 1 appcheck.sh N/A Bash script 2 aacore.sh N/A Bash script 3 1.sh N/A Bash script 4 mod_udp.so 827d507aa3bde0ef903ca5dec60cdec8 SALTWATER Variant 5 intent N/A N/A 6 install_helo.tar 2ccb9759800154de817bf779a52d48f8 TAR Package 7 intent_helo f5ab04a920302931a8bd063f27b745cc Bash script 8 pd 177add288b289d43236d2dba33e65956 Reverse Shell 9 update_v31.sh 881b7846f8384c12c7481b23011d8e45 Bash script 10 mod_require_helo.lua cd2813f0260d63ad5adf0446253c2172 SEASIDE 11 BarracudaMailService 82eaf69de710abdc5dea7cd5cb56cf04 SEASPY 12 BarracudaMailService e80a85250263d58cc1a1dc39d6cf3942 SEASPY 13 BarracudaMailService 5d6cba7909980a7b424b133fbac634ac SEASPY 14 BarracudaMailService 1bbb32610599d70397adfdaf56109ff3 SEASPY 15 BarracudaMailService 4b511567cfa8dbaa32e11baf3268f074 SEASPY 16 BarracudaMailService a08a99e5224e1baf569fda816c991045 SEASPY 17 BarracudaMailService 19ebfe05040a8508467f9415c8378f32 SEASPY 18 mod_udp.so 1fea55b7c9d13d822a64b2370d015da7 SALTWATER Variant 19 mod_udp.so 64c690f175a2d2fe38d3d7c0d0ddbb6e SALTWATER Variant 20 mod_udp.so 4cd0f3219e98ac2e9021b06af70ed643 SALTWATER Variant Table 4: Endpoint IOCs Network IOCs Table 5 lists the network IOCs, including IP addresses and domain names, attributed to attacker activity during the investigation. 
YARA Rules

CVE-2023-2868

The following three (3) YARA rules can be used to hunt for the malicious TAR file which exploits CVE-2023-2868:

```yara
rule M_Hunting_Exploit_Archive_2
{
    meta:
        description = "Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed files"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $b64_tmp = "/tmp/" base64
    condition:
        filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_tmp in (i * 512 .. i * 512 + 250) )
}

rule M_Hunting_Exploit_Archive_3
{
    meta:
        description = "Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $b64_openssl = "openssl" base64
    condition:
        filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_openssl in (i * 512 .. i * 512 + 250) )
}

rule M_Hunting_Exploit_Archive_CVE_2023_2868
{
    meta:
        description = "Looks for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $qb = "'`"
    condition:
        filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $qb at (@ustar[i] + 255) )
}
```

SALTWATER

The following three (3) YARA rules can be used to hunt for SALTWATER:

```yara
rule M_Hunting_Linux_Funchook
{
    strings:
        $f = "funchook_"
        $s1 = "Enter funchook_create()"
        $s2 = "Leave funchook_create() => %p"
        $s3 = "Enter funchook_prepare(%p, %p, %p)"
        $s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
        $s5 = "Enter funchook_install(%p, 0x%x)"
        $s6 = "Leave funchook_install() => %d"
        $s7 = "Enter funchook_uninstall(%p, 0x%x)"
        $s8 = "Leave funchook_uninstall() => %d"
        $s9 = "Enter funchook_destroy(%p)"
        $s10 = "Leave funchook_destroy() => %d"
        $s11 = "Could not modify already-installed funchook handle."
        $s12 = " change %s address from %p to %p"
        $s13 = " link_map addr=%p, name=%s"
        $s14 = " ELF type is neither ET_EXEC nor ET_DYN."
        $s15 = " not a valid ELF module %s."
        $s16 = "Failed to protect memory %p (size=%"
        $s17 = " protect memory %p (size=%"
        $s18 = "Failed to unprotect memory %p (size=%"
        $s19 = " unprotect memory %p (size=%"
        $s20 = "Failed to unprotect page %p (size=%"
        $s21 = " unprotect page %p (size=%"
        $s22 = "Failed to protect page %p (size=%"
        $s23 = " protect page %p (size=%"
        $s24 = "Failed to deallocate page %p (size=%"
        $s25 = " deallocate page %p (size=%"
        $s26 = " allocate page %p (size=%"
        $s27 = " try to allocate %p but %p (size=%"
        $s28 = " allocate page %p (size=%"
        $s29 = "Could not find a free region near %p"
        $s30 = " -- Use address %p or %p for function %p"
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}

rule M_Hunting_Linux_SALTWATER_1
{
    strings:
        $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
        $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and any of them
}

rule M_Hunting_Linux_SALTWATER_2
{
    strings:
        $c1 = "TunnelArgs"
        $c2 = "DownloadChannel"
        $c3 = "UploadChannel"
        $c4 = "ProxyChannel"
        $c5 = "ShellChannel"
        $c6 = "MyWriteAll"
        $c7 = "MyReadAll"
        $c8 = "Connected2Vps"
        $c9 = "CheckRemoteIp"
        $c10 = "GetFileSize"
        $s1 = "[-] error: popen failed"
        $s2 = "/home/product/code/config/ssl_engine_cert.pem"
        $s3 = "libbindshell.so"
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*))
}
```

MAY 23RD, 2023:

Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023. A security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023. The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to this vulnerability. We took immediate steps to investigate this vulnerability.
Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances. As part of our containment strategy, all ESG appliances received a second patch on May 21, 2023. Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers.

We will continue actively monitoring this situation, and we will be transparent in sharing details on what actions we are taking. Information gathering is ongoing as part of the investigation. We want to ensure we only share validated information with actionable steps for you to take. As we have information to share, we will provide updates via this product status page (https://status.barracuda.com) and direct outreach to impacted customers. Updates are also located on Barracuda’s Trust Center (https://www.barracuda.com/company/legal).

Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take.

Your trust is important to us. We thank you for your understanding and support as we work through this issue and sincerely apologize for any inconvenience it may cause. If you have any questions, please reach out to support@barracuda.com.
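The three CVE-2023-2868 hunting rules in the YARA Rules section above all work the same way: locate each 512-byte TAR header by its "ustar" magic at offset 257, then inspect the header's name field for a quote/backtick prefix or for a base64 encoding of /tmp/ or openssl. The following added Python example is not Barracuda's code nor the rules' authors' code; it re-implements that detection logic over a constructed in-memory archive with placeholder member names. Its base64 alignment handling approximates YARA's base64 modifier and it checks the name field of each header directly, a simplification of the rules' offset arithmetic, so treat it as an illustration rather than an exact port.

```python
import base64
import io
import tarfile

BLOCK = 512       # TAR records are 512-byte blocks
USTAR_AT = 257    # the "ustar" magic the rules anchor on sits at header+257

def base64_alignments(s: bytes) -> list:
    """Three base64 forms of s (alignment 0/1/2) minus the characters that also
    depend on neighbouring bytes; approximates YARA's `base64` modifier."""
    forms = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + s).rstrip(b"=")
        lead = (0, 2, 3)[pad]                  # chars polluted by the pad bytes
        tail = 1 if (pad + len(s)) % 3 else 0  # last char mixes in unknown bits
        forms.append(enc[lead:len(enc) - tail])
    return forms

def scan_tar_headers(data: bytes) -> list:
    """Every 512-byte block with "ustar" at +257 is a member header; report which
    hunting conditions its first 250 bytes (name, mode, size, ...) satisfy."""
    b64_tmp = base64_alignments(b"/tmp/")
    b64_openssl = base64_alignments(b"openssl")
    hits = []
    for off in range(0, len(data) - BLOCK + 1, BLOCK):
        blk = data[off:off + BLOCK]
        if blk[USTAR_AT:USTAR_AT + 5] != b"ustar":
            continue
        name = blk[:100].split(b"\x00", 1)[0]  # name field is the first 100 bytes
        window = blk[:250]
        hits.append({
            "offset": off,
            "name": name.decode("latin-1"),
            "b64_tmp": any(p in window for p in b64_tmp),
            "b64_openssl": any(p in window for p in b64_openssl),
            "quote_backtick": blk[:2] == b"'`",  # name begins with '`
        })
    return hits

def build_sample_archive() -> bytes:
    """Constructed test input (not a real exploit archive): one benign member
    and two with placeholder names carrying the patterns the rules look for."""
    b64_name = "note-" + base64.b64encode(b"/tmp/").decode() + ".txt"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for member in ("report.txt", "'`PLACEHOLDER", b64_name):
            info = tarfile.TarInfo(member)
            info.size = 6
            tf.addfile(info, io.BytesIO(b"sample"))
    return buf.getvalue()
```

To check an archive on disk, pass its bytes to scan_tar_headers and review any entry whose flags are set.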