In today's interconnected world, email security is paramount for businesses of all sizes. However, even the most robust systems can sometimes fall prey to vulnerabilities that leave organisations exposed to potential cyber threats.
Imagine a scenario where unauthorised individuals gain access to sensitive information stored within your email gateway appliances, putting your business and your clients' trust at risk. Barracuda Networks, a renowned provider of email security solutions, recently discovered a vulnerability in their Email Security Gateway (ESG) appliance. This vulnerability, known as CVE-2023-2868, has the potential to impact organisations by allowing unauthorised access to a subset of email gateway appliances.
In this blog post, we'll delve into the potential impact of this vulnerability, the exploitation methods employed by attackers, and most importantly, the practical steps you can take to protect your business from this significant threat.
What is Email Security Gateway (ESG)?
An Email Security Gateway (ESG) appliance is a specialised hardware or software solution designed to enhance the security of email communications within an organisation. The primary purpose of an ESG appliance is to detect and prevent various email-based threats, including spam emails, phishing attacks, malware attachments, and malicious links. It acts as a gatekeeper or filter that monitors incoming and outgoing email traffic, analysing it for potential threats and applying various security measures to protect against malicious activities.
ESG appliances are typically deployed at the network perimeter or within the organisation's infrastructure to intercept and inspect email messages. They employ a range of security mechanisms such as anti-spam filtering, anti-malware scanning, content filtering, data loss prevention (DLP), encryption, and authentication controls to ensure the integrity, confidentiality, and availability of email communications. These appliances are an integral part of an organisation's email security infrastructure, working alongside other security solutions and best practices to create a layered defence against email threats. That position also makes them a high-value target: an appliance that sees every message in and out of the organisation, and that is trusted by the rest of the network, is exactly what an attacker wants to control.
What Happened?
CVE-2023-2868 is a remote command injection vulnerability in Barracuda's Email Security Gateway (ESG) appliance, affecting versions 5.1.3.001 through 9.2.0.006, which Barracuda identified on May 19, 2023. It stems from incomplete input validation of the file names inside user-supplied .tar attachments: a file name formatted in a particular way reaches Perl's qx operator and is executed as a system command with the privileges of the ESG product, giving a remote attacker unauthorised access to the appliance. Barracuda confirmed that a subset of appliances was accessed this way.
Barracuda acted quickly: a security patch was applied automatically to all ESG appliances worldwide on May 20, 2023, a second patch followed on May 21 as part of the containment strategy, and users whose appliances were believed to be impacted were notified through the ESG user interface with the actions to take. The investigation is still ongoing, and Barracuda continues to publish updates as it learns more about the extent and impact of the activity.
CVE-2023-2868 carries a CVSS v3 base score of 9.8 (Critical), and its addition to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog on May 26, 2023 confirms that it was being exploited in the wild rather than being a theoretical finding.
The investigation revealed that exploitation of this vulnerability traces back to October 2022. A third party used it to gain unauthorised access to a subset of ESG appliances. Some of those appliances were found to contain SALTWATER, a trojanised module for the Barracuda SMTP daemon (bsmtpd) that provides persistent backdoor access. A further subset carried SEASPY, an x64 ELF persistence backdoor that masquerades as a legitimate Barracuda Networks service. Between them the implants can execute commands, upload and download files, and establish reverse shells, leaving the affected systems under attacker control.
A third component, SEASIDE, was also identified on compromised appliances. SEASIDE is a Lua-based module for the Barracuda SMTP daemon that monitors incoming SMTP HELO/EHLO commands to receive a command-and-control IP address and port, which it passes to an external binary that establishes a reverse shell. The attacker thereby gains remote control of the appliance over what looks like ordinary inbound mail traffic.
Why Should I Care?
The primary impact of CVE-2023-2868 is unauthorised access to a subset of email gateway appliances. Email is a primary channel for both personal and business communication, and it routinely carries personal data, financial details, intellectual property, and confidential business correspondence. An attacker who controls the gateway sits in the path of every message it processes and can read or manipulate the mail passing through it, as well as any data stored on the appliance itself. This creates a significant risk of data breaches and unauthorised disclosure of sensitive information.
It's important to note that the extent of the impact may vary based on factors such as the specific configuration and usage of the affected appliances in each organisation.
However, as Barracuda has since disclosed, the vulnerability and its associated malware had been in use since October 2022 and were only discovered months later. That gap has several implications and potential impacts:
Extended Period of Unauthorised Access - The longer an attacker has access, the more damage they can potentially cause.
Data Exfiltration - The longer the unauthorised access went unnoticed, the more data could have been exfiltrated, potentially leading to significant financial, reputational, and legal consequences for the affected organisations.
Persistent Backdoor Access - With the presence of the SALTWATER backdoor, even after the initial exploitation, attackers could maintain ongoing access and control over the compromised systems.
Undetected Malware Presence - The fact that SEASPY, disguised as a legitimate Barracuda Networks service, and other components such as SEASIDE went undetected for an extended period raises concerns about how well compromise of the security appliance itself is monitored, since the implants ran as what looked like vendor components.
Potential Wider Impact - While the investigation focused on a subset of ESG appliances, there is a possibility that additional impacted customers may be identified as the investigation progresses.
What Can I Do?
Mitigating the risk posed by this vulnerability should be a top priority for organisations. To protect your email security, consider the following steps:
Apply Security Patches - Barracuda pushed the fixes to ESG appliances automatically; verify that each of your appliances actually received them and is running a patched firmware version rather than assuming it did.
Discontinue Use of Compromised Appliances - Barracuda's guidance is that appliances showing indicators of compromise must be replaced immediately, regardless of patch level, because the patch closes the entry point but does not evict malware that is already present.
Rotate Credentials - this includes credentials associated with connected LDAP/AD, Barracuda Cloud Control, FTP server, SMB, and any private TLS certificates.
Review Network Logs and Indicators of Compromise (IOCs) - to support customers investigating their environments, Barracuda has published the endpoint and network IOCs attributed to the attacker's activity, including IP addresses, domain names, malware and utilities. Search mail, proxy and firewall logs for them over the full window back to October 2022, not just since the public disclosure.
Implement YARA Rules - Barracuda has also published a series of YARA rules that organisations can use to hunt for SALTWATER and for the malicious TAR file that exploits CVE-2023-2868.
Enhance Security Measures - strengthen your overall security posture by implementing additional security measures, such as multi-factor authentication.
Stay Informed and Follow Updates - continuously monitor updates and communications from Barracuda Networks regarding the ongoing investigation and any further remediation steps.
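As an added illustration of the "malicious TAR file" hunt above (this is example code written for this post, not Barracuda's YARA rules or any of their tooling), the script below walks the member names of a .tar attachment and flags any that contain shell metacharacters or path-traversal components. The underlying idea generalises beyond this one product: a file name that a shell would interpret has no business in a legitimate archive, whatever filter later handles it. The sample archives are constructed in memory; the helper names (suspicious_members, build_tar) are this example's own.

```python
import io
import re
import tarfile

# Characters that let a file name reach a shell when a mail filter interpolates
# it into a command string (Perl qx / backticks, system(), sh -c ...).
_SHELL_META = re.compile(r"[`;|&<>$\n]")


def _is_suspicious(name: str) -> bool:
    """True if a tar member name looks like command injection or path traversal."""
    if _SHELL_META.search(name):
        return True
    # Absolute paths and '..' components point outside the extraction directory.
    return name.startswith("/") or ".." in name.split("/")


def suspicious_members(tar_bytes: bytes) -> list[str]:
    """Return the member names of a (plain or compressed) tar archive that
    contain shell metacharacters or traversal components.

    An archive the tar parser cannot read is reported as a single
    '<unreadable archive>' hit: a deliberately malformed header is itself
    worth a closer look rather than a silent pass.
    """
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
            return [m.name for m in tf.getmembers() if _is_suspicious(m.name)]
    except tarfile.TarError:
        return ["<unreadable archive>"]


def build_tar(names: list[str]) -> bytes:
    """Build an in-memory tar with one small regular file per name.
    Used only to construct sample input for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name in names:
            payload = b"sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed samples (not real attachments): a benign archive, and one whose
# member names a shell would interpret if they were interpolated unsanitised.
BENIGN_TAR = build_tar(["report-q2.pdf", "images/logo.png"])
WEAPONISED_TAR = build_tar([
    "invoice.pdf",              # ordinary name, must not be flagged
    "`id`.txt",                 # backtick command substitution
    "report$(uname).doc",       # $() command substitution
    "../../etc/cron.d/job",     # traversal out of the extraction directory
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_TAR), ("weaponised", WEAPONISED_TAR),
                        ("garbage", b"not a tar archive")):
        print(f"{label}: {suspicious_members(blob)}")
```

Run it over attachments pulled from the mail store or quarantine for the whole window back to October 2022; a hit is a triage lead, not a verdict, but a `$(`, backtick or `;` in an archive member name almost never has an innocent explanation.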
Keep your organisation ahead of threats with Cytidel Threat Intelligence
To find out more about Cytidel’s threat intelligence offering, visit
Stay safe and secure!
The Cytidel Threat Intelligence Team