Alerts
Active Exploitation of Critical Vulnerability in Barracuda Networks' Email Security Gateway
28 December 2023
Barracuda Networks has released security updates addressing a critical vulnerability (CVE-2023-7102) in its Email Security Gateway (ESG) appliance. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10 and is reportedly being actively exploited.
Spreadsheet::ParseExcel is an open-source third-party library used by the Amavis virus scanner within the ESG appliance. Successful exploitation of the Arbitrary Code Execution (ACE) vulnerability within Spreadsheet::ParseExcel could allow a remote attacker to deploy SEASPY and SALTWATER malware via specially crafted email attachments in excel format.
The use of two malware code families SEASPY and SALTWATER are observed during the attacks. Threat actors leverage the malware to masquerade as legitimate Barracuda ESG modules and services as follows:
SEASPY: An x64 persistent backdoor masquerading as a legitimate Barracuda Networks service and posing itself as a PCAP filter, specifically monitoring traffic on port 25. SEASPY also supports backdoor functionality that is activated by a “magic packet”.
SALTWATER: A malware-laced module for the Barracuda Simple Mail Transfer Protocol (SMTP) daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary.
Possible host and network Indicators of Compromise (IOCs) associated with the active campaign are shown in the tables below. Network administrators are advised to configure their firewall rules to block connections to the following network IOCs associated with the campaign while reviewing any prior connections and scan for the presence of the host-based IOCs in their systems.
Critical vulnerabilities
File Name | File Hash | Description |
|---|---|---|
ads2.xls | 2b172fe3329260611a9022e71acdebca (MD5), 803cb5a7de1fe0067a9eeb220dfc24ca 56f3f571a986180e146b6cf387855bdd (SHA256) | XLS Document |
don.xls | e7842edc7868c8c5cf0480dd98bcfe76 (MD5), 952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd (SHA256) | XLS Document |
personalbudget.xls | e7842edc7868c8c5cf0480dd98bcfe76 (MD5), 952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd (SHA256) | XLS Document |
wifi-service | 7b83e4bd880bb9d7904e8f553c2736e3 (MD5), 118fad9e1f03b8b1abe00529c61dc3edf da043b787c9084180d83535b4d177b7 (SHA256) | SEASPY malware |
mod_tll.so | d493aab1319f10c633f6d223da232a27 (MD5), 34494ecb02a1cccadda1c7693c45666e1 fe3928cc83576f8f07380801b07d8ba (SHA256) | SALTWATER malware |
Critical vulnerabilities
IP Addresses |
|---|
23.224.99[.]242 |
23.224.99[.]243 |
23.224.99[.]244 |
23.224.99[.]245 |
23.224.99[.]246 |
23.225.35[.]234 |
23.225.35[.]235 |
23.225.35[.]236 |
23.225.35[.]237 |
23.225.35[.]238 |
107.148.41[.]146 |
The vulnerability affects Barracuda ESG versions 5.1.3.001 through 9.2.1.001.
Barracuda has deployed the patches to remediate affected ESG appliances. As a precaution, users and administrators of affected products are advised to block connections to the network IOCs using a firewall, review for any communications with the network IOCS, and scan their systems for the presence of the host-based IOCs provided in the tables above.
More information is available here: