
Barracuda ESG appliances abused since 2022 to drop new malware and steal data

Barracuda, a company specializing in network and email security, has disclosed that a previously patched zero-day vulnerability was exploited for at least seven months. The vulnerability, known as CVE-2023-2868, allowed attackers to backdoor customers’ Email Security Gateway (ESG) appliances with custom malware and steal data.

According to Barracuda’s investigation, the bug was first exploited in October 2022, enabling the attackers to gain access to a subset of ESG appliances and implant backdoors to maintain persistent control over the compromised systems. Evidence suggests that the threat actors also extracted information from the compromised ESG appliances.

On May 19, Barracuda became aware of suspicious traffic from ESG appliances and engaged the services of cybersecurity firm Mandiant to assist with the investigation. Barracuda and Mandiant promptly identified the security flaw, and a security patch was released on May 20 and applied to all ESG appliances. By deploying a dedicated script, the company successfully blocked the attackers’ access to the compromised devices on May 21.

Barracuda warned its customers on May 24 that their ESG appliances may have been breached through the now-patched zero-day vulnerability. Customers were advised to investigate their environments to ensure that the attackers had not moved laterally to other devices on their network. The company is currently deploying a series of security patches to all appliances as part of its containment strategy. Customers whose appliances were potentially impacted have been notified and contacted by Barracuda.

The Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-2868 flaw to its list of known exploited vulnerabilities as a precautionary measure, particularly for federal agencies utilizing ESG appliances, urging them to check their networks for signs of intrusion resulting from the compromise.

During the investigation, several previously unidentified malware strains were discovered. These strains were specifically designed to target compromised Email Security Gateway products. One of the malware strains, named Saltwater, is a trojanized Barracuda SMTP daemon module that grants attackers backdoor access to infected appliances. It allows the execution of commands, file transfer, and the proxying/tunneling of malicious traffic to evade detection.

Another malware strain called SeaSpy was deployed during the campaign. It provides persistence and can be activated using “magic packets.” SeaSpy monitors port 25 (SMTP) traffic and shares similarities with the publicly available cd00r passive backdoor.

The threat actors also utilized a malicious module called SeaSide, which is a bsmtpd module. SeaSide establishes reverse shells through SMTP HELO/EHLO commands sent via the malware’s command-and-control (C2) server.

Barracuda advises its customers to ensure that their ESG appliances are up-to-date, cease using compromised appliances, request new virtual or hardware appliances, change all credentials associated with the compromised appliances, and review their network logs for indicators of compromise (IOCs) provided by the company. These steps are crucial to mitigating the potential impact of the breach.
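The two detection-oriented points above, reviewing gateway logs for published IOCs and watching SMTP HELO/EHLO traffic (the channel the post says SeaSide is driven through), can be combined into a small triage script. The following is an added example written for this page, not tooling from Barracuda or Mandiant. It assumes a simplified `key=value` log layout constructed here (real ESG/bsmtpd logs need their own parser), uses a placeholder IOC set in place of the vendor's published list, and applies one heuristic that is an assumption rather than a published signature: a HELO/EHLO argument that is neither an RFC 5321 domain nor a bracketed address literal is worth a closer look.

```python
"""Triage SMTP gateway logs: flag IOC source hits and malformed HELO/EHLO arguments."""
import re
from dataclasses import dataclass

# Constructed sample log lines (not from Barracuda or from the article).
# Layout is an assumption chosen for this example; adapt LINE_RE to real logs.
SAMPLE_LOG = """\
2023-05-19T10:01:02Z conn=1 src=203.0.113.10 cmd=EHLO arg=mail.example.org
2023-05-19T10:01:05Z conn=2 src=198.51.100.7 cmd=HELO arg=[198.51.100.7]
2023-05-19T10:02:11Z conn=3 src=192.0.2.44 cmd=EHLO arg=relay.example.net
2023-05-19T10:03:40Z conn=4 src=198.51.100.9 cmd=EHLO arg=eyJ0YXNrIjoiZG8ifQ==
2023-05-19T10:04:02Z conn=5 src=198.51.100.9 cmd=MAIL arg=FROM:<a@example.net>
"""

# PLACEHOLDER: substitute the IOC list published by the vendor.
PLACEHOLDER_IOC_IPS = {"192.0.2.44"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn=(?P<conn>\d+) src=(?P<src>\S+) cmd=(?P<cmd>\S+) arg=(?P<arg>.*)$"
)
# RFC 5321 HELO/EHLO argument: dotted labels (no leading/trailing hyphen) ...
DOMAIN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# ... or a bracketed IPv4 / IPv6 address literal.
LITERAL_RE = re.compile(r"^\[(\d{1,3}(\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$")


@dataclass(frozen=True)
class Finding:
    conn: int
    src: str
    reason: str   # "ioc-src" or "malformed-helo"
    detail: str


def is_valid_helo_arg(arg: str) -> bool:
    """True if arg is syntactically a domain or an address literal."""
    return bool(DOMAIN_RE.match(arg) or LITERAL_RE.match(arg))


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text: str, ioc_ips: set) -> list:
    """Walk the log once; emit one Finding per IOC hit or malformed HELO/EHLO."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as findings
        conn = int(rec["conn"])
        if rec["src"] in ioc_ips:
            findings.append(Finding(conn, rec["src"], "ioc-src", rec["src"]))
        if rec["cmd"] in ("HELO", "EHLO") and not is_valid_helo_arg(rec["arg"]):
            findings.append(Finding(conn, rec["src"], "malformed-helo", rec["arg"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, PLACEHOLDER_IOC_IPS):
        print(f"conn={f.conn} src={f.src} {f.reason}: {f.detail}")
```

On the constructed sample the script reports connection 3 as an IOC source hit and connection 4 for its non-hostname EHLO argument. The HELO/EHLO check is a triage heuristic, not proof of compromise: misconfigured but benign mail clients also send odd greetings, so its hits are leads to correlate with the vendor IOCs and with appliance network activity, not alerts on their own.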

Barracuda’s products are utilized by more than 200,000 organizations, including prominent companies such as Samsung, Delta Airlines, Mitsubishi, and Kraft Heinz.
