Critical Barracuda 0-day was used to backdoor networks for 8 months

A stylized skull and crossbones made out of ones and zeroes.

reader comments
2 with

A critical vulnerability patched 10 days ago in widely used email software from IT security company Barracuda Networks has been under active exploitation since October. The vulnerability has been used to install multiple pieces of malware inside large organization networks and steal data, Barracuda said Tuesday.

The software bug, tracked as CVE-2023-2868, is a remote command injection vulnerability that stems from incomplete input validation of user-supplied .tar files, which are used to pack or archive multiple files. When file names are formatted in a particular way, an attacker can execute system commands through the QX operator, a function in the Perl programming language that handles quotation marks. The vulnerability is present in the Barracuda Email Security Gateway versions through; Barracuda issued a patch 10 days ago.

On Tuesday, Barracuda notified customers that CVE-2023-2868 has been under active exploitation since October in attacks that allowed threat actors to install multiple pieces of malware for use in exfiltrating sensitive data out of infected networks.

“Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take,” Tuesday’s notice stated. “Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation.”

su[email protected]) to validate if the appliance is up to date.

  • Discontinue the use of the compromised ESG appliance and contact Barracuda support ([email protected]) to obtain a new ESG virtual or hardware appliance.
  • Rotate any applicable credentials connected to the ESG appliance:
    o  Any connected LDAP/AD
    o  Barracuda Cloud Control
    o  FTP Server
    o  SMB
    o  Any private TLS certificates
  • Review your network logs for any of the [indicators of compromise] and any unknown IPs. Contact [email protected] if any are identified.
  • The Cybersecurity and Infrastructure Security Agency added CVE-2023-2868 to its list of known exploited vulnerabilities on Friday.

    Article Tags:
    Article Categories: