Barracuda customers still using the vendor’s vulnerability-plagued Email Security Gateway (ESG) should remove the appliance from operation immediately, the FBI has warned.
A large number of the appliances around the world were hit in a zero-day attack discovered in May and subsequently attributed to a previously unknown threat group, dubbed UNC4841 by Mandiant, suspected of being linked to China.
Barracuda issued patches for the critical remote command injection vulnerability (CVE-2023-2868) and also took the unusual step of telling customers it would replace any appliances that had been compromised.
The FBI’s Cyber Division upped those stakes even further on Wednesday, saying in a flash advisory (PDF) that “Barracuda customers should remove all ESG appliances immediately” because “the patches released by Barracuda in response to this CVE were ineffective.”
The bureau said it had “independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC (People’s Republic of China) cyber actors exploiting this vulnerability.”
UNC4841 is known to have exfiltrated data from at least some of the compromised systems, with an emphasis on the public sector. In June Barracuda said about half the compromised appliances were in the United States. Perhaps explaining the forcefulness of the FBI’s warning, almost a third of known victims of the attacks were government agencies.
“The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit,” the advisory stated.
Earlier this month the Cybersecurity and Infrastructure Security Agency (CISA) published details of a new backdoor malware called Whirlpool, the third novel backdoor variant associated with the vulnerability.
The ESG vulnerability allowed adversaries to send an email containing a malicious attachment to a target organization. When the ESG scanned the attachment, the appliance would initiate a connection to a domain or IP address controlled by the threat actors. A reverse shell would then be established, allowing further remote commands to be executed on the ESG.
In addition to data exfiltration, the exploitation allowed UNC4841 to carry out email scanning and credential harvesting, and to gain persistent access to victims’ systems.
The FBI listed seven domains and 61 IP addresses as indicators of compromise. The bureau said the threat actors used “counter-forensic techniques” to hide their movements on compromised systems, making it difficult for security teams to detect a breach simply by scanning the appliance for IOCs.
“As a result, it is imperative that networks scan various network logs for connections to any of the listed indicators,” the advisory said.
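The advisory's point is that the appliance itself cannot be trusted to show its own compromise, so the indicators have to be matched against logs collected elsewhere on the network. As an added example, not code from the article, the FBI or Barracuda, the Python script below scans DNS resolver and firewall connection logs for contact with an indicator list; the indicator values and log lines are constructed placeholders (the real domains and IPs are in the advisory), and the two log formats are assumptions.

```python
import ipaddress
import re

# Placeholder indicators (RFC 2606 / RFC 5737 reserved values). The advisory
# lists the real seven domains and 61 IP addresses; substitute those here.
IOC_DOMAINS = {"ioc-example-1.invalid", "ioc-example-2.invalid"}
IOC_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "198.51.100.25")}

# Constructed sample lines: a DNS resolver log ("dns ...") and a firewall
# connection log ("fw ..."). Real deployments will need their own parsers.
SAMPLE_LOGS = """\
dns 2023-08-23T10:01:02Z client=10.0.5.7 query=update.ioc-example-1.invalid
dns 2023-08-23T10:01:05Z client=10.0.5.8 query=mail.example.org
fw 2023-08-23T10:02:11Z src=10.0.5.7 dst=203.0.113.10 dport=443 action=allow
fw 2023-08-23T10:02:12Z src=10.0.5.9 dst=192.0.2.44 dport=25 action=allow
fw 2023-08-23T10:03:40Z src=10.0.5.7 dst=198.51.100.25 dport=8080 action=deny
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def domain_matches(name, iocs):
    """True if name equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)

def scan_logs(text, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return (line_no, matched_indicator, internal_host) for every hit.
    Denied connections are reported too: an outbound attempt from an
    appliance is evidence of compromise whether or not it succeeded."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = dict(KV_RE.findall(line))
        query = fields.get("query")
        if query and domain_matches(query, ioc_domains):
            hits.append((n, query, fields.get("client")))
            continue
        dst = fields.get("dst")
        if dst:
            try:
                if ipaddress.ip_address(dst) in ioc_ips:
                    hits.append((n, dst, fields.get("src")))
            except ValueError:
                pass  # dst was a hostname, not an IP literal
    return hits

def suspect_hosts(hits):
    """Internal hosts that contacted any indicator; treat each as compromised."""
    return sorted({host for _, _, host in hits if host})

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for n, ioc, host in found:
        print(f"line {n}: {host} contacted indicator {ioc}")
    print("hosts to isolate:", suspect_hosts(found))
```

Run it against exported resolver, proxy and firewall logs rather than anything pulled from the ESG itself, since the advisory notes the actors used counter-forensic techniques on the appliance.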
Krebs on Security founder Brian Krebs summed up the situation in a succinct Mastodon post.
“The FBI says it continues to see Barracuda email security gateway devices actively compromised via the flaw that caused Barracuda in June 2023 to offer to replace (not patch) a broad range of its ESG devices,” Krebs posted. “The FBI confirms Mandiant's China attribution, and says just unplug the damn things already.”