A critical Barracuda security backdoor has been exploited for months, so patch now


Hackers have been exploiting a zero-day vulnerability in a Barracuda Networks product over several months to target countless organizations with numerous pieces of malware, reports have claimed.

The company said it has patched a critical vulnerability tracked as CVE-2023-2868, which had been used by threat actors since October 2022. The email software in question is called Barracuda Email Security Gateway (ESG), with versions between and being vulnerable.

“Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take,” the company said in a security advisory. “Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation.”

Three malware families

So far, Barracuda says it has spotted three malware families being distributed via the zero-day: Saltwater, Seaside, and Seaspy. 

Saltwater allows threat actors to download and upload files and run commands, among other things. Seaside is a persistence backdoor, while Seaspy is used to receive a C2 IP address and port to establish a reverse shell.

To make sure your organization is safe, you should do the following: 

  • Update your ESG appliance, and make sure it is regularly patched
  • Stop using the compromised ESG appliance
  • Rotate ESG appliance credentials where possible, including any connected LDAP/AD, Barracuda Cloud Control, FTP Server, SMB, and any private TLS certificates
  • The company also invites all clients who believe they may have been targeted to reach out to support via support@barracuda.com

Finally, organizations should review their network logs and look for possible indicators of compromise or unknown IP addresses. 

According to the National Vulnerability Database, the flaw is a remote command injection vulnerability that arises because the appliance fails to comprehensively sanitize the processing of .tar files (tape archives). In other words, formatting file names in a specific way allows attackers to execute system commands.
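The defensive counterpart to that description, as an added Python example that is not code from Barracuda or from the original article: it reads a tar archive's member names without extracting anything and rejects any name outside a strict allowlist before the name can reach a shell or another interpreter. The function names, the allowlist, the length limit and the sample file names are assumptions constructed for this illustration.

```python
import io
import re
import tarfile

# Assumed policy: only letters, digits and . _ / - are allowed in member names.
# Quotes, backticks, $, ;, |, &, whitespace and control bytes all fail the match.
SAFE_NAME = re.compile(r"[A-Za-z0-9._/-]+")
MAX_NAME_LEN = 255  # assumed limit, not taken from the advisory


def unsafe_member_names(archive_bytes):
    """Return the member names that violate the policy, without extracting."""
    flagged = []
    # mode "r:*" lets tarfile detect plain, gzip, bzip2 or xz archives.
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:  # iterates headers only; no file is written to disk
            name = member.name
            if len(name) > MAX_NAME_LEN or not SAFE_NAME.fullmatch(name):
                flagged.append(name)
    return flagged


def is_archive_acceptable(archive_bytes):
    """Reject the whole archive if any member name fails, or if it will not parse."""
    try:
        return not unsafe_member_names(archive_bytes)
    except tarfile.TarError:
        return False


def build_sample_archive(names):
    """Constructed test input: an in-memory tar holding empty files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            tar.addfile(tarfile.TarInfo(name=name), io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed names: two ordinary ones and two containing shell metacharacters.
    sample = build_sample_archive(
        ["report.txt", "logs/mail-01.log", "a;b.txt", "x$(y).txt"]
    )
    for bad in unsafe_member_names(sample):
        print("rejecting archive, unsafe member name:", repr(bad))
```

A check like this complements, and does not replace, passing file names to other programs as discrete arguments instead of interpolating them into a shell command string.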

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.