Security vendor Barracuda Networks has reported that a critical vulnerability in its Email Security Gateway (ESG) appliance, patched only recently, had been exploited by attackers since October 2022 to compromise devices. The flaw, tracked as CVE-2023-2868 (CVSS score 9.4), was actively exploited for at least seven months before it was discovered, giving the attackers unauthorized access to a subset of ESG appliances and allowing them to steal data from those devices.
The vulnerability affects ESG firmware versions 5.1.3.001 through 9.2.0.006 and allows a remote attacker to execute code on vulnerable appliances by sending a specially crafted email attachment. Barracuda issued patches for the vulnerability on May 20 and 21, 2023.
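The affected range above is the only firmware-level indicator the article gives, so the first thing a practitioner wants is a check that compares appliance versions against it correctly. The following is an added example, not code from Barracuda or from the article: it parses dotted version strings numerically (a plain string comparison would put 9.2.0.010 below 9.2.0.006) and runs the check over a constructed inventory. The inventory format and hostnames are assumptions made for the example; the range endpoints are taken from the advisory as quoted above, and the check says nothing about whether a newer build is actually patched, only that it lies outside the stated range.

```python
import re
from typing import List, Tuple

# Affected ESG firmware range as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"

# Constructed sample inventory for this example: "<hostname> <firmware version>".
# The hostnames are placeholders; the format is an assumption, not an ESG export.
SAMPLE_INVENTORY = """\
esg-01.example.net 9.2.0.006
esg-02.example.net 9.2.0.010
esg-03.example.net 8.0.1.003
esg-04.example.net unknown
esg-05.example.net 5.1.3.000
"""


def parse_version(v: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '9.2.0.006' into (9, 2, 0, 6).

    Comparing the raw strings would be lexicographic, so '9.2.0.010' would sort
    below '9.2.0.006'. Converting each component to an int fixes that, and
    padding to a fixed width makes a short form like '9.2' compare as 9.2.0.0.
    """
    parts = v.strip().split(".")
    if len(parts) > width or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))


def is_affected(v: str) -> bool:
    """True if v lies inside the affected range given in the advisory."""
    return parse_version(AFFECTED_MIN) <= parse_version(v) <= parse_version(AFFECTED_MAX)


def affected_hosts(inventory: str) -> Tuple[List[str], List[str]]:
    """Split an inventory into (hosts inside the affected range, lines that
    could not be evaluated and need a manual look)."""
    affected: List[str] = []
    errors: List[str] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 2:
            errors.append(line)
            continue
        host, version = fields
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            errors.append(line)  # e.g. 'unknown': do not silently treat as safe
    return affected, errors


if __name__ == "__main__":
    hosts, bad = affected_hosts(SAMPLE_INVENTORY)
    print("inside affected range:", hosts)
    print("could not evaluate:", bad)
```

Unparseable versions are reported rather than skipped, because an appliance whose version cannot be read is exactly the one that should not be assumed safe.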
Three malware families were found in the attacks. "Saltwater" is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that can upload and download arbitrary files and execute commands, and that can also act as a proxy and tunnel traffic so that the attackers' activity blends in with normal mail flow. "Seaspy" is an x64 ELF backdoor that provides persistence and is activated by a magic packet. "Seaside" is a bsmtpd module that watches the HELO/EHLO commands of SMTP sessions for instructions from the C2 server and uses them to establish reverse shells.
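The Seaside description above points at a detection angle that needs no malware sample: if a backdoor takes its instructions through the HELO/EHLO argument, that argument will often not look like the hostname or address literal RFC 5321 allows there. The following is an added example, not code from the article, from Barracuda or from Mandiant. It validates HELO/EHLO arguments against the RFC grammar over a constructed SMTP session log; the log format and the sample lines are assumptions made for the example, and the premise that the C2 instructions would fail that grammar is likewise an assumption, since the article does not describe Seaside's encoding. Misconfigured legitimate clients also send odd HELO strings, so this is a triage signal, not a blocking rule.

```python
import re
from typing import List, Tuple

# RFC 5321 grammar for the HELO/EHLO argument: a domain made of hostname
# labels, or an address literal such as [192.0.2.5] or [IPv6:2001:db8::1].
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})*"
_IPV4_LITERAL = r"\[(?:\d{1,3}\.){3}\d{1,3}\]"
_IPV6_LITERAL = r"\[IPv6:[0-9A-Fa-f:.]+\]"
_VALID_HELO_ARG = re.compile(rf"^(?:{_DOMAIN}|{_IPV4_LITERAL}|{_IPV6_LITERAL})$")

# Constructed session log for this example: "<timestamp> <client-ip> <command> <argument>".
# The format is an assumption and is not the ESG's own log format.
SAMPLE_SMTP_LOG = """\
2023-05-30T12:00:01Z 198.51.100.21 EHLO mail.example.org
2023-05-30T12:00:05Z 198.51.100.22 HELO [192.0.2.5]
2023-05-30T12:00:09Z 198.51.100.23 EHLO 203.0.113.77:4444
2023-05-30T12:00:12Z 198.51.100.24 HELO c2hlbGwK=
2023-05-30T12:00:15Z 198.51.100.25 EHLO [IPv6:2001:db8::1]
2023-05-30T12:00:20Z 198.51.100.21 MAIL FROM:<a@example.org>
"""

# Only HELO/EHLO lines are of interest; everything else is skipped.
_LINE = re.compile(r"^(\S+) (\S+) (HELO|EHLO) (.*)$")


def is_valid_helo_arg(arg: str) -> bool:
    """True if arg is a syntactically valid RFC 5321 domain or address literal."""
    return _VALID_HELO_ARG.match(arg) is not None


def suspicious_helo(log: str) -> List[Tuple[str, str]]:
    """Return (client_ip, argument) for every HELO/EHLO whose argument does
    not parse as a domain or address literal, in log order."""
    hits: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        _ts, client, _cmd, arg = m.groups()
        arg = arg.strip()
        if not is_valid_helo_arg(arg):
            hits.append((client, arg))
    return hits


if __name__ == "__main__":
    for client, arg in suspicious_helo(SAMPLE_SMTP_LOG):
        print(f"non-conforming HELO/EHLO from {client}: {arg!r}")
```

In the constructed log the bare "host:port" form and the base64-looking token are flagged, while the plain domain and both address literals pass. Running this over real mail logs and clustering the hits by client address separates chronic misconfigurations from a single source that keeps sending odd arguments to one appliance.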
Mandiant is investigating the incident and has found source-code overlap between Seaspy and the open-source backdoor cd00r. The attacks have not yet been attributed to a specific threat group.
Barracuda Networks urged its customers to ensure that their appliances are running the latest security patches to prevent any potential breach.