Last updated Thursday, August 10, 2023, 21:41:04 GMT

Rapid7 incident response teams are investigating exploitation of physical Barracuda Networks Email Security Gateway (ESG) appliances dating back to at least November 2022. As of June 6, 2023, as part of its ongoing product incident response, Barracuda is urging ESG customers to immediately decommission and replace ALL impacted ESG physical appliances irrespective of patch level. Barracuda has indicated that impacted ESG customers will see a notification in their user interface (UI). Customers who have not replaced their appliances after receiving this UI notice should contact Barracuda support: support@barracuda.com.

Background

On May 18 and 19, 2023, Barracuda discovered anomalous traffic originating from their Email Security Gateway (ESG) appliances. Barracuda ESG is a solution for filtering inbound and outbound email and protecting customer data. ESG can be deployed as a physical or virtual appliance, or in a public cloud environment on AWS or Microsoft Azure.

On May 30, Barracuda disclosed CVE-2023-2868, a remote command injection vulnerability that the firm said had been exploited in the wild by threat actors since at least October 2022 across a subset of devices running versions 5.1.3.001-9.2.0.006. According to the security advisory, the vulnerability exists in a module that performs initial screens on attachments of incoming emails. Barracuda has indicated that, as of June 6, no other products, including the SaaS email security service, are known to be affected.

The company indicated they had pushed patches to their global ESG customer base on May 20, 2023. On May 21, Barracuda deployed an additional script to “contain the incident and counter unauthorized access methods.” However, on June 6, the company updated their advisory to warn customers that impacted devices should be completely replaced, regardless of firmware version or patch level.

The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access. Barracuda has a full description of the incident so far in their advisory, including extensive indicators of compromise, additional vulnerability details, and information on the backdoored module for Barracuda’s SMTP daemon.

On June 15, 2023, Mandiant published an in-depth analysis of the incident, which they are attributing to an "aggressive and skilled actor" with suspected links to China, designated UNC4841. According to the analysis, Barracuda ESG devices were exploited "as a vector for espionage" in an extensive threat campaign dating back to at least October 10, 2022. Following initial compromise, "Mandiant and Barracuda observed UNC4841 aggressively target specific data of interest for exfiltration, and in some cases leverage access to an ESG appliance to conduct lateral movement into the victim network, or to send mail to other victim appliances. Mandiant has also observed UNC4841 deploy additional tooling to maintain presence on ESG appliances." We encourage security teams to read the full analysis.

To establish a baseline of known ESG appliances, which run the "Barracuda Networks Spam Firewall" SMTP daemon, there appear to be roughly 11,000 appliances exposed to the internet (Barracuda Networks Spam Firewall smtpd) as of June 8. Notably, if other Barracuda appliances also run this service, that number may be inflated.

Observed attacker behavior

Rapid7 services teams have so far identified malicious activity that took place as far back as November 2022, with the most recent communication with threat actor infrastructure observed in May 2023. In at least one case, outbound network traffic indicated potential data exfiltration. We have not yet observed any lateral movement from a compromised appliance.

Note: Although sharing malware indicators like hashes and YARA hunting rules can be very useful, in this case they may not be as relevant unless teams have direct access to the operating system of the appliance or VMDK image. Network indicators like the IP addresses shared by Barracuda and also observed by Rapid7 services teams are a good start for reviewing network logs (e.g., firewall or IPS logs).
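As an added illustration of the log review described above (this is example code written for this post, not Rapid7's or Barracuda's tooling), the script below sweeps an exported firewall connection log for any flow whose source or destination matches a published indicator IP, restricted to the lookback window the advisory calls for (October 2022 onward). The indicator list is a placeholder made of RFC 5737 documentation addresses; substitute the IP addresses from Barracuda's advisory. The log line format, the appliance address 10.10.5.20 and the sample lines are all constructed for the example.

```python
"""Hunt a firewall/IPS log export for traffic to or from known-bad IPs.

Added example for this post, not Rapid7 or Barracuda code. INDICATOR_IPS is a
PLACEHOLDER built from RFC 5737 documentation ranges; replace it with the IP
addresses published in Barracuda's advisory. The log format and sample lines
are constructed and only roughly mimic a typical firewall connection log.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Placeholder indicators (RFC 5737) - replace with the IPs from the advisory.
INDICATOR_IPS = {"192.0.2.45", "198.51.100.7", "203.0.113.200"}

# Earliest known exploitation per the advisory: look back to at least October 2022.
LOOKBACK_START = datetime(2022, 10, 1, tzinfo=timezone.utc)

# Constructed log format:
#   "<ISO-8601 timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)

# Constructed sample export; 10.10.5.20 stands in for an ESG appliance.
SAMPLE_LOG = [
    "2022-09-15T08:00:00Z action=allow src=10.10.5.20 dst=198.51.100.7 dport=443",  # before lookback
    "2022-11-03T02:14:09Z action=allow src=10.10.5.20 dst=198.51.100.7 dport=443",  # appliance -> indicator
    "2023-05-12T22:41:51Z action=deny src=192.0.2.45 dst=10.10.5.20 dport=25",     # indicator -> appliance
    "2023-05-13T09:00:00Z action=allow src=10.10.5.21 dst=8.8.8.8 dport=53",        # benign
    "garbage line that does not parse",
]


@dataclass(frozen=True)
class Hit:
    timestamp: datetime
    action: str
    src: str
    dst: str
    dport: int
    matched: str  # the indicator IP that matched


def parse_line(line: str) -> tuple[datetime, str, str, str, int] | None:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, never treated as evidence
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["action"], m["src"], m["dst"], int(m["dport"])


def find_indicator_hits(lines, indicators=INDICATOR_IPS, since=LOOKBACK_START) -> list[Hit]:
    """Return every in-window flow whose src or dst is an indicator IP."""
    # ip_address() raises on a malformed indicator, catching typos in the list early.
    wanted = {str(ipaddress.ip_address(i)) for i in indicators}
    hits: list[Hit] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, src, dst, dport = parsed
        if ts < since:
            continue  # outside the advisory's lookback window
        for ip in (src, dst):
            if ip in wanted:
                hits.append(Hit(ts, action, src, dst, dport, ip))
                break  # one record per flow even if both ends match
    return hits


if __name__ == "__main__":
    for h in find_indicator_hits(SAMPLE_LOG):
        direction = "outbound" if h.matched == h.dst else "inbound"
        print(f"{h.timestamp.isoformat()} {direction:8} {h.action:5} "
              f"{h.src} -> {h.dst}:{h.dport} (indicator {h.matched})")
```

Denied flows are reported as well as allowed ones: a blocked connection attempt from a known-bad address toward the appliance is still a signal that the appliance was being reached for, and the direction of each hit helps separate inbound probing from outbound traffic that may indicate exfiltration.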

Mitigation guidance

Customers who use the impacted Barracuda ESG appliance should immediately take the device offline and replace it. For physical device users, this means completely replacing hardware. Barracuda’s advisory has instructions for contacting support (support@barracuda.com). Users are also being advised to rotate any credentials connected to the ESG appliance, including:

  • Any connected LDAP/AD
  • Barracuda Cloud Control
  • FTP Server
  • SMB
  • Any private TLS certificates

ESG appliance users should check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators Barracuda has released publicly (where possible): http://www.barracuda.com/company/legal/esg-vulnerability

If you have questions about next steps or impact to your organization, please contact Barracuda support.

Updates

June 15, 2023: Updated with Mandiant’s in-depth analysis of CVE-2023-2868 and UNC4841.