As a part of the FBI investigation into the exploitation of CVE-2023-2868, a zero-day vulnerability in Barracuda Network’s Email Security Gateway (ESG) appliances, the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability. For more details regarding malware found to date related to this exploit and learn more about Barracuda backdoors, please visit CISA Releases Malware Analysis Reports on Barracuda Backdoors. The cyber actors utilized this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration. The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately. https://go.fbinet.fbi/news/Pages/Bringing-Private-Sector-to-the-Fight-Against-CyberAdversaries.aspx
CVE-2023-2868 is a remote command injection vulnerability that allows for unauthorized execution of system commands with administrator privileges on the ESG product. This vulnerability is present in the Barracuda ESG (appliance form factor only) versions 5.1.3.001- 9.2.0.006, and relates to a process that occurs when the appliance screens email attachments. The vulnerability allows cyber actors to format TAR file attachments in a particular manner and send them to an email address affiliated with a domain that has an ESG appliance connected to it. The malicious file’s formatting, when scanned, results in a command injection into the ESG that leads to system commands being executed with the privileges of the ESG. As the vulnerability exists in the scanning process, emails only need to be received by the ESG to trigger the vulnerability.
The earliest evidence of exploitation of Barracuda ESG appliances was observed in October 2022. Initially, suspected PRC cyber actors sent emails to victims containing TAR file attachments designed to exploit the vulnerability. In the earliest emails, attached files had a “.tar” extension in the filename, while later emails included different file extensions such as “.jpg” or “.dat”. The malicious email attachments contained files that initiated a connection to a domain or IP address controlled by the cyber actors and established a reverse shell at that domain or IP address, allowing the actors to execute further commands on the ESG device.
After the suspected PRC cyber actors compromised the device, they were observed dropping various malicious payloads into the vulnerable machines and aggressively targeted specific data for exfiltration. In some cases, the actors used initial access to the ESG appliance as an entry point to the rest of the victim’s network or sent emails to other victim appliances. The cyber actors used additional tools to maintain long-term, persistent access to the ESG appliances.
Based on the FBI’s investigation to date, the cyber actors exploited this vulnerability in a significant number of ESG appliances and injected multiple malicious payloads that enabled persistent access, email scanning, credential harvesting, and data exfiltration. In many cases, the cyber actors obfuscated their actions with counter-forensic techniques, making detection of compromise difficult through only scanning the appliance itself for indicators of compromise. As a result, it is imperative that networks scan various network logs for connections to any of the listed indicators.
