Trustwave Action Response: Zero Day Vulnerability in Barracuda Email Security Gateway Appliance (ESG) (CVE-2023-2868)
June 09, 2023
SpiderLabs Researcher
On May 19, 2023, Barracuda Networks identified a remote command injection vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG), appliance form factor only, versions 5.1.3.001 through 9.2.0.006. In its security advisory, Barracuda said the vulnerability existed in the software component responsible for screening email attachments for malware. Over the following days, Barracuda deployed a series of patches.
The earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022. Barracuda also noted that malware was placed on a subset of vulnerable appliances to maintain persistence even after the vulnerability was patched, and evidence of data exfiltration was identified on a subset of impacted appliances. Because of this, on June 6 Barracuda updated its advisory to tell customers to immediately replace impacted ESG appliances regardless of patch version level. This issue is critical for every organization currently using the Barracuda Email Security Gateway appliance.
Trustwave recommends giving this issue a high security priority to be addressed as soon as possible.
Trustwave is diligently monitoring the situation for client exposure and associated attacks and will provide updates here as we have them.
For any organization concerned about a breach, Trustwave's Digital Forensics and Incident Response (DFIR) team is on call and ready to support. Barracuda ESG customers should refer to Barracuda's advisory for its recommendations to impacted customers.
Endpoint IOCs

| # | File Name | MD5 Hash | Type |
|---|---|---|---|
| 1 | appcheck.sh | N/A | Bash script |
| 2 | aacore.sh | N/A | Bash script |
| 3 | 1.sh | N/A | Bash script |
| 4 | mod_udp.so | 827d507aa3bde0ef903ca5dec60cdec8 | SALTWATER variant |
| 5 | intent | N/A | N/A |
| 6 | install_helo.tar | 2ccb9759800154de817bf779a52d48f8 | TAR package |
| 7 | intent_helo | f5ab04a920302931a8bd063f27b745cc | Bash script |
| 8 | pd | 177add288b289d43236d2dba33e65956 | Reverse shell |
| 9 | update_v31.sh | 881b7846f8384c12c7481b23011d8e45 | Bash script |
| 10 | mod_require_helo.lua | cd2813f0260d63ad5adf0446253c2172 | SEASIDE |
| 11 | BarracudaMailService | 82eaf69de710abdc5dea7cd5cb56cf04 | SEASPY |
| 12 | BarracudaMailService | e80a85250263d58cc1a1dc39d6cf3942 | SEASPY |
| 13 | BarracudaMailService | 5d6cba7909980a7b424b133fbac634ac | SEASPY |
| 14 | BarracudaMailService | 1bbb32610599d70397adfdaf56109ff3 | SEASPY |
| 15 | BarracudaMailService | 4b511567cfa8dbaa32e11baf3268f074 | SEASPY |
| 16 | BarracudaMailService | a08a99e5224e1baf569fda816c991045 | SEASPY |
| 17 | BarracudaMailService | 19ebfe05040a8508467f9415c8378f32 | SEASPY |
| 18 | mod_udp.so | 1fea55b7c9d13d822a64b2370d015da7 | SALTWATER variant |
| 19 | mod_udp.so | 64c690f175a2d2fe38d3d7c0d0ddbb6e | SALTWATER variant |
| 20 | mod_udp.so | 4cd0f3219e98ac2e9021b06af70ed643 | SALTWATER variant |
Network IOCs

| # | Indicator | ASN | Location |
|---|---|---|---|
| 1 | xxl17z.dnslog.cn | N/A | N/A |
| 2 | mx01.bestfindthetruth.com | N/A | N/A |
| 3 | 64.176.7.59 | AS-CHOOPA | US |
| 4 | 64.176.4.234 | AS-CHOOPA | US |
| 5 | 52.23.241.105 | AMAZON-AES | US |
| 6 | 23.224.42.5 | CloudRadium L.L.C | US |
| 7 | 192.74.254.229 | PEG TECH INC | US |
| 8 | 192.74.226.142 | PEG TECH INC | US |
| 9 | 155.94.160.72 | QuadraNet Enterprises LLC | US |
| 10 | 139.84.227.9 | AS-CHOOPA | US |
| 11 | 137.175.60.253 | PEG TECH INC | US |
| 12 | 137.175.53.170 | PEG TECH INC | US |
| 13 | 137.175.51.147 | PEG TECH INC | US |
| 14 | 137.175.30.36 | PEG TECH INC | US |
| 15 | 137.175.28.251 | PEG TECH INC | US |
| 16 | 137.175.19.25 | PEG TECH INC | US |
| 17 | 107.148.219.227 | PEG TECH INC | US |
| 18 | 107.148.219.55 | PEG TECH INC | US |
| 19 | 107.148.219.54 | PEG TECH INC | US |
| 20 | 107.148.219.53 | PEG TECH INC | US |
| 21 | 107.148.149.156 | PEG TECH INC | US |
| 22 | 104.223.20.222 | QuadraNet Enterprises LLC | US |
| 23 | 103.93.78.142 | EDGENAP LTD | JP |
| 24 | 103.27.108.62 | TOPWAY GLOBAL LIMITED | HK |
| 25 | 137.175.30.86 | PEG TECH INC | US |
| 26 | 199.247.23.80 | AS-CHOOPA | DE |
| 27 | 38.54.1.82 | KAOPU CLOUD HK LIMITED | SG |
| 28 | 107.148.223.196 | PEG TECH INC | US |
| 29 | 23.224.42.29 | CNSERVERS | US |
| 30 | 137.175.53.17 | PEG TECH INC | US |
| 31 | 103.146.179.101 | GIGABITBANK GLOBAL | HK |
YARA Rules
CVE-2023-2868

The following three (3) YARA rules can be used to hunt for the malicious TAR file which exploits CVE-2023-2868:

rule M_Hunting_Exploit_Archive_2
{
    meta:
        description = "Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed files"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $b64_tmp = "/tmp/" base64
    condition:
        filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_tmp in (i * 512 .. i * 512 + 250) )
}

rule M_Hunting_Exploit_Archive_3
{
    meta:
        description = "Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $b64_openssl = "openssl" base64
    condition:
        filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_openssl in (i * 512 .. i * 512 + 250) )
}

rule M_Hunting_Exploit_Archive_CVE_2023_2868
{
    meta:
        description = "Looks for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $qb = "'`"
    condition:
        filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $qb at (@ustar[i] + 255) )
}
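To make the three rules concrete, here is an added Python example (it is not code from Trustwave, Barracuda, or the rule authors) that applies the same heuristics to a tar image. It walks the 512-byte headers, folds a GNU ././@LongLink name into the entry that follows, and flags entry names that start with '`, contain shell metacharacters, or contain any of the three base64 alignments of /tmp/ or openssl, the same three forms YARA's base64 string modifier generates. Note that @ustar[i] + 255 in the third rule is the start of the block after the header; this example reads that as the LongLink data block that holds an over-long name, which is an assumption of the example. The archive it scans is constructed inside the script around a harmless command string that is never executed, and the function names, reason strings and sample data are the example's own.

```python
"""Scan a TAR image for the entry-name patterns the CVE-2023-2868 hunting rules describe."""
import base64
import io
import tarfile

BLOCK = 512
# Reason strings returned by scan_tar(), so callers can match on them.
R_QB = "entry name starts with '` (command substitution; CVE-2023-2868 exploit pattern)"
R_META = "shell metacharacters in entry name"
R_TMP = "base64-encoded /tmp/ in entry name"
R_SSL = "base64-encoded openssl in entry name"
SHELL_META = frozenset(b"'`$|;&<>")


def base64_forms(s: bytes) -> list:
    """The three alignment-dependent base64 encodings of s, as YARA's `base64`
    modifier generates them: characters whose value would depend on the unknown
    neighbouring bytes are stripped from both ends of each form."""
    lead = (0, 2, 3)   # chars to drop at the front for a 0/1/2-byte shift
    tail = (0, 3, 2)   # chars to drop at the end, indexed by (shift + len) % 3
    forms = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + s)
        drop = tail[(shift + len(s)) % 3]
        forms.append(enc[lead[shift]:len(enc) - drop])
    return forms


B64_TMP = base64_forms(b"/tmp/")
B64_OPENSSL = base64_forms(b"openssl")


def iter_tar_entries(data: bytes):
    """Yield (name, typeflag, size, header_offset) for each entry in a raw tar image.
    A GNU ././@LongLink header (type 'L') is folded into the name of the entry that
    follows it, which is where a name longer than 100 bytes ends up. The walk stops
    at the first block that is not a ustar/GNU header rather than guessing."""
    off = 0
    pending_long_name = None
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\x00" * BLOCK or hdr[257:262] != b"ustar":
            break
        name = hdr[0:100].split(b"\x00", 1)[0]
        typeflag = hdr[156:157]
        size_field = hdr[124:136].split(b"\x00", 1)[0].strip()
        if size_field and size_field[0] & 0x80:
            raise ValueError("GNU base-256 size field not handled by this example")
        size = int(size_field, 8) if size_field else 0   # octal, NUL/space terminated
        body = data[off + BLOCK:off + BLOCK + size]
        if typeflag == b"L":
            pending_long_name = body.split(b"\x00", 1)[0]
        else:
            if pending_long_name is not None:
                name, pending_long_name = pending_long_name, None
            yield name, typeflag, size, off
        off += BLOCK * (1 + (size + BLOCK - 1) // BLOCK)


def scan_tar(data: bytes) -> list:
    """Return (entry name, reason) findings for entries matching the hunting heuristics."""
    findings = []
    for name, _typeflag, _size, _off in iter_tar_entries(data):
        shown = name.decode("utf-8", "replace")
        if name.startswith(b"'`"):
            findings.append((shown, R_QB))
        elif any(c in SHELL_META for c in name):
            findings.append((shown, R_META))
        if any(form in name for form in B64_TMP):
            findings.append((shown, R_TMP))
        if any(form in name for form in B64_OPENSSL):
            findings.append((shown, R_SSL))
    return findings


# Constructed sample (not a real exploit file): a harmless command string that nothing
# here executes, wrapped the way the hostile entry names were shaped.
_INNER = b"touch /tmp/constructed-marker && openssl version # constructed example payload"
HOSTILE_NAME = b"'`echo " + base64.b64encode(_INNER) + b" | base64 -d | sh`'"


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry plus one entry with HOSTILE_NAME.
    GNU format, so the over-long name goes through a ././@LongLink header and sits
    in the block after it, the layout the third YARA rule probes at +512 bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name, body in ((b"invoice.pdf", b"%PDF-1.4 constructed benign body\n"),
                           (HOSTILE_NAME, b"x")):
            info = tarfile.TarInfo(name.decode())
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_tar(build_sample_archive()):
        print(f"{reason}: {entry[:60]}...")
```

Running the script flags only the second entry, with all three reasons; the benign entry produces nothing. Because the scanner never hands names to a shell and stops at the first non-ustar block, it is safe to point at archives taken from a quarantine.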
SALTWATER
The following three (3) YARA rules can be used to hunt for SALTWATER:

rule M_Hunting_Linux_Funchook
{
    strings:
        $f = "funchook_"
        $s1 = "Enter funchook_create()"
        $s2 = "Leave funchook_create() => %p"
        $s3 = "Enter funchook_prepare(%p, %p, %p)"
        $s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
        $s5 = "Enter funchook_install(%p, 0x%x)"
        $s6 = "Leave funchook_install() => %d"
        $s7 = "Enter funchook_uninstall(%p, 0x%x)"
        $s8 = "Leave funchook_uninstall() => %d"
        $s9 = "Enter funchook_destroy(%p)"
        $s10 = "Leave funchook_destroy() => %d"
        $s11 = "Could not modify already-installed funchook handle."
        $s12 = " change %s address from %p to %p"
        $s13 = " link_map addr=%p, name=%s"
        $s14 = " ELF type is neither ET_EXEC nor ET_DYN."
        $s15 = " not a valid ELF module %s."
        $s16 = "Failed to protect memory %p (size=%"
        $s17 = " protect memory %p (size=%"
        $s18 = "Failed to unprotect memory %p (size=%"
        $s19 = " unprotect memory %p (size=%"
        $s20 = "Failed to unprotect page %p (size=%"
        $s21 = " unprotect page %p (size=%"
        $s22 = "Failed to protect page %p (size=%"
        $s23 = " protect page %p (size=%"
        $s24 = "Failed to deallocate page %p (size=%"
        $s25 = " deallocate page %p (size=%"
        $s26 = " allocate page %p (size=%"
        $s27 = " try to allocate %p but %p (size=%"
        $s28 = " allocate page %p (size=%"
        $s29 = "Could not find a free region near %p"
        $s30 = " -- Use address %p or %p for function %p"
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}

rule M_Hunting_Linux_SALTWATER_1
{
    strings:
        $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
        $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and any of them
}

rule M_Hunting_Linux_SALTWATER_2
{
    strings:
        $c1 = "TunnelArgs"
        $c2 = "DownloadChannel"
        $c3 = "UploadChannel"
        $c4 = "ProxyChannel"
        $c5 = "ShellChannel"
        $c6 = "MyWriteAll"
        $c7 = "MyReadAll"
        $c8 = "Connected2Vps"
        $c9 = "CheckRemoteIp"
        $c10 = "GetFileSize"
        $s1 = "[-] error: popen failed"
        $s2 = "/home/product/code/config/ssl_engine_cert.pem"
        $s3 = "libbindshell.so"
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*))
}
The following SNORT rule can be used to hunt for SEASPY magic packets:
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY"; flags:S; dsize:>9; content:"oXmp"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1;)
The following rules use Suricata's tcp.hdr sticky buffer and therefore require Suricata 5.0.4 or newer; they can be used to hunt for SEASPY magic packets:
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_1358"; flags:S; tcp.hdr; content:"|05 4e|"; offset:22; depth:2; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1;)
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58928"; flags:S; tcp.hdr; content:"|e6 30|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1;)
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58930"; flags:S; tcp.hdr; content:"|e6 32|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)
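To show what these four rules actually match, here is an added Python example (not code from Trustwave or from the SEASPY analysis) that builds constructed SYN segments and applies each rule's logic to the raw TCP header, the buffer Suricata's tcp.hdr keyword exposes. Offsets 22 and 28 in that buffer fall in the options area after the 20-byte fixed header, so |05 4e| at offset 22 is the value field of a leading MSS option equal to 1358. The ports, rule names, flags, sizes and byte values come from the rules; the segment builder, function names and sample packets are the example's own, as is the reading that byte_test checks bytes relative to the end of the content match without advancing the match position.

```python
"""Apply the SEASPY magic-packet rules to raw TCP segments (IP header already stripped)."""
import struct

SEASPY_PORTS = (25, 587)             # "-> any [25,587]"
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp(segment: bytes) -> dict:
    """Split a raw TCP segment into its header (fixed part plus options, i.e. what
    tcp.hdr sees) and its payload (what dsize and a plain content match see)."""
    if len(segment) < 20:
        raise ValueError("short TCP segment")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "flags": off_flags & 0xFF,
            "hdr": segment[:hlen], "payload": segment[hlen:]}


def seaspy_rule_hits(segment: bytes) -> list:
    """Names of the SEASPY rules that fire on one segment, in rule order."""
    p = parse_tcp(segment)
    hits = []
    # "flags:S": SYN set and no other flag bit set.
    if p["dport"] not in SEASPY_PORTS or p["flags"] != TH_SYN:
        return hits
    hdr, payload = p["hdr"], p["payload"]
    # M_Backdoor_SEASPY: dsize:>9 and "oXmp" at payload offset 0 (depth 4).
    if len(payload) > 9 and payload[:4] == b"oXmp":
        hits.append("M_Backdoor_SEASPY")
    # M_Backdoor_SEASPY_1358: |05 4e| at tcp.hdr offset 22, depth 2.
    if hdr[22:24] == b"\x05\x4e":
        hits.append("M_Backdoor_SEASPY_1358")
    # M_Backdoor_SEASPY_58928 / _58930: two-byte marker at tcp.hdr offset 28, then
    # byte_test reads relative to the end of that match. byte_test does not move the
    # match position, so both tests in the 58930 rule read from offset 30.
    marker, after = hdr[28:30], hdr[30:]
    big4 = len(after) >= 4 and int.from_bytes(after[:4], "big") > 16777216
    if marker == b"\xe6\x30" and big4:
        hits.append("M_Backdoor_SEASPY_58928")
    # The 2-byte > 0 test is implied by the 4-byte test; kept to mirror the rule.
    if marker == b"\xe6\x32" and big4 and int.from_bytes(after[:2], "big") > 0:
        hits.append("M_Backdoor_SEASPY_58930")
    return hits


def build_syn(dport: int, options: bytes = b"", payload: bytes = b"", flags: int = TH_SYN) -> bytes:
    """Constructed TCP segment: options are padded to a 4-byte boundary and the data
    offset computed from them. Checksum is left at zero; the rules never look at it."""
    options += b"\x00" * (-len(options) % 4)
    hlen = 20 + len(options)
    off_flags = ((hlen // 4) << 12) | flags
    fixed = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, off_flags, 65535, 0, 0)
    return fixed + options + payload


# Constructed sample segments: the option bytes are placed to land at the header
# offsets the rules test (20-23 MSS, 24-27 NOPs, 28-29 marker, 30-33 tested value).
SAMPLE_OXMP = build_syn(25, payload=b"oXmp" + b"\x00" * 6)
SAMPLE_MSS_1358 = build_syn(587, options=b"\x02\x04\x05\x4e")
SAMPLE_58928 = build_syn(25, options=b"\x02\x04\x05\xb4" + b"\x01" * 4 + b"\xe6\x30" + b"\x01\x02\x03\x04")
SAMPLE_58930 = build_syn(25, options=b"\x02\x04\x05\xb4" + b"\x01" * 4 + b"\xe6\x32" + b"\x01\x02\x03\x04")

if __name__ == "__main__":
    for label, seg in (("oXmp", SAMPLE_OXMP), ("mss1358", SAMPLE_MSS_1358),
                       ("58928", SAMPLE_58928), ("58930", SAMPLE_58930)):
        print(label, seaspy_rule_hits(seg))
```

A normal SYN to port 25 with MSS 1460 (|05 b4|), an ordinary-length "oXmp" payload of nine bytes or fewer, or a SYN/ACK carrying the same bytes all produce no hits, which is the point of the SYN-only, port and size constraints in the rules.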