Barracuda network appliance vulnerability “actively exploited” for seven months
The company has issued a patch, but warned customers that the vulnerability left them exposed for over half a year


A critical vulnerability discovered in Barracuda Networks devices may have been actively exploited for seven months, the company has revealed.
The security firm said the flaw, which was first discovered in May, affected its Email Security Gateway (ESG) appliance and was patched after an initial investigation.
This week, however, analysis of the vulnerability revealed it had been actively exploited for several months before the patch was issued.
Barracuda Networks said the “earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022”.
In its advisory, the firm said the vulnerability stemmed from “incomplete input validation” of user-supplied .tar files.
The flaw meant that a remote attacker could craft the file names inside a .tar archive so that, when the appliance processed them, a system command was executed through Perl’s qx operator.
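To illustrate the missing check described above, here is an added example (not Barracuda's code, and written in Python rather than the appliance's Perl) that validates tar member names against a strict allowlist and builds the inspection command as an argument list instead of a shell string; the allowlist policy, the `file` tool and the sample archive contents are all assumptions.

```python
"""Allowlist validation of tar member names before any shell-adjacent use.
Constructed illustration, not Barracuda's code: it models the kind of check
that the ESG parser lacked, in Python rather than the appliance's Perl."""
import io
import re
import tarfile

# Assumed policy: a name must start alphanumeric and may contain only
# alphanumerics, dot, underscore or dash. Spaces, quotes, semicolons,
# backticks, dollar signs and slashes are all rejected outright.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def unsafe_member_names(archive: bytes) -> list[str]:
    """Return every member name in the tar that fails the allowlist."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        return [m.name for m in tf.getmembers()
                if not SAFE_NAME.fullmatch(m.name)]


def safe_argv(name: str) -> list[str]:
    """Build argv for an inspection tool as a list, never a shell string.

    This is the shape a fixed version of a qx()-style call should take: the
    name is one argument rather than part of a command line, and the allowlist
    is enforced first so an odd name is refused instead of passed along.
    The resulting list is meant for subprocess.run(argv) without shell=True.
    """
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected member name: {name!r}")
    return ["file", "--", name]


def build_archive(names: list[str]) -> bytes:
    """Construct a small in-memory tar with the given member names (test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            body = b"x"
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one clean name and two that must be rejected.
    sample = build_archive(["report.pdf", "a;b.txt", "quarterly report.xlsx"])
    print(unsafe_member_names(sample))  # ['a;b.txt', 'quarterly report.xlsx']
```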
The investigation also revealed that a third party exploited this to gain unauthorized access to a subset of ESG appliances.
“Barracuda's investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances,” the firm said in its advisory.
Malware was identified on this subset of appliances, Barracuda revealed, which would allow for persistent backdoor access. In addition, the company said it uncovered evidence of data exfiltration on impacted appliances.
Two specific malware strains were highlighted by Barracuda during a post-mortem analysis of the incident. This included SALTWATER, a trojanized module for the Barracuda SMTP daemon that contains backdoor functionality.
SALTWATER enables threat actors to upload or download arbitrary files and execute commands, and also provides proxy and tunneling capabilities, Barracuda said.
Another type of malware, known as SEASPY, was also identified during the probe led by Barracuda and Mandiant. SEASPY contains backdoor functionality that is activated by a ‘magic packet’, according to researchers.
“SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP),” the firm said.
Barracuda engaging with affected customers
Barracuda insisted that no other products were affected by the vulnerability, including its SaaS email security services.
The company added that customers potentially impacted by the incident have been notified via the ESG user interface, and the company has reached out to specific customers directly.
Barracuda has around 200,000 customers globally. However, the exact number of those affected by the vulnerability has yet to be determined.
ITPro approached Barracuda for comment on the matter, but hadn’t received a response at the time of publication.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.