Advanced persistent threat (APT) attacks targeting a former zero-day remote command injection vulnerability in Barracuda email security gateway (ESG) appliances have been detected by the US cybersecurity and infrastructure security agency (CISA).
The vulnerability, according to a CISA alert, was used to plant malware payloads of Seapsy and Whirlpool backdoors on the compromised devices.
While Seapsy is a known, persistent, and passive Barracuda offender masquerading as a legitimate Barracuda service “BarracudaMailService” that allows the threat actors to execute arbitrary commands on the ESG appliance, Whirlpool backdooring is a new offensive used by attackers who established a Transport Layer Security (TLS) reverse shell to the Command-and-Control (C2) server.
“CISA obtained four malware samples — including Seapsy and Whirlpool backdoors,” the CISA alert said. “The device was compromised by threat actors exploiting the Barracuda ESG vulnerability.”
Tracked as CVE-2023-2868, the vulnerability allows remote command execution on ESG appliances running versions 5.1.3.001 to 9.2.0.006.
A long list of Barracuda offenders
While Seapsy is a known, persistent, and passive Barracuda offender masquerading as a legitimate Barracuda service “BarracudaMailService” that allows the threat actors to execute arbitrary commands on the ESG appliance, Whirlpool backdooring is a new offensive used by attackers who established a Transport Layer Security (TLS) reverse shell to the Command-and-Control (C2) server.
Whirlpool was identified as a 32-bit executable and linkable format (ELF) that takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell.
A TLC reverse shell is a method used in cyberattacks to establish a secure communication channel between a compromised system and an attacker-controlled server.
The module that passes the two arguments was not available for CISA analysis.
Apart from Seapsy and Whirlpool, a few other strains of backdooring in Barracuda ESG exploits include Saltwater, Submarine, and Seaside.
CVE-2023-2868 plaguing Barracuda for long
The ESG vulnerability has been a Barracuda nightmare as it found exploits at exponential rates since the zero-day vulnerability identified in October 2022. The company formally reported identifying the vulnerability in May this year and then subsequently dropped patches in the same month.
Days later, however, the company warned its customers to replace vulnerable appliances (version 5.1.3.001 to 9.2.0.006) even if they were patched. Months later, CISA still finds evidence of ongoing exploits and it remains to be seen what Barracuda does to put an end to this issue.
Malware, Vulnerabilities