SpiderLabs Blog

Trustwave Action Response: Zero Day Vulnerability in Barracuda Email Security Gateway Appliance (ESG) (CVE-2023-2868)

Written by SpiderLabs Researcher | Jun 9, 2023 5:05:00 PM

On May 19, 2023, Barracuda Networks identified a remote command injection vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway (appliance form factor only) versions 5.1.3.001-9.2.0.006. In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. In subsequent days, Barracuda deployed a series of patches.

The earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022. Barracuda also noted that malware was placed on a subset of vulnerable appliances to allow for persistence even if the vulnerability were patched. Additionally, evidence of data exfiltration was identified on a subset of impacted appliances. Because of this, on June 6, Barracuda updated its advisory, notifying customers to immediately replace ESG appliances regardless of patch version level. This issue is critical for every organization currently using the Barracuda Email Security Gateway Appliance.

Trustwave recommends giving this issue a high security priority to be addressed as soon as possible.

Trustwave is diligently monitoring the situation for client exposure and associated attacks and will provide updates here as we have them.

For any organizations concerned about a breach, Trustwave’s Digital Forensics and Incident Response (DFIR) team is on call and ready to support. Barracuda ESG customers should refer to Barracuda’s advisory for its recommendations for impacted customers.

Endpoint IOCs


Network IOCs


YARA Rules

CVE-2023-2868
The following three (3) YARA rules can be used to hunt for the malicious TAR file which exploits CVE-2023-2868:

rule M_Hunting_Exploit_Archive_2
{
    meta:
        description = "Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed files"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $b64_tmp = "/tmp/" base64
    condition:
        filesize < 1MB and
        $ustar at 257 and
        for any i in (0 .. #ustar) : (
            $b64_tmp in (i * 512 .. i * 512 + 250)
        )
}

rule M_Hunting_Exploit_Archive_3
{
    meta:
        description = "Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $b64_openssl = "openssl" base64
    condition:
        filesize < 1MB and
        $ustar at 257 and
        for any i in (0 .. #ustar) : (
            $b64_openssl in (i * 512 .. i * 512 + 250)
        )
}

rule M_Hunting_Exploit_Archive_CVE_2023_2868
{
    meta:
        description = "Looks for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $qb = "'`"
    condition:
        filesize < 1MB and
        $ustar at 257 and
        for any i in (0 .. #ustar) : (
            $qb at (@ustar[i] + 255)
        )
}
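
The three archive checks above, written out as a standalone Python triage function (an added example, not part of the Trustwave or Barracuda material). It walks the tar header chain rather than relying on fixed 512-byte offsets, so it also inspects the first member's name; `scan_tar`, `b64_variants` and `build_sample` are names chosen here, and the sample archive is constructed with harmless member names.

```python
import base64
import io
import tarfile

BLOCK = 512
MARKERS = (b"/tmp/", b"openssl")  # plaintexts the two base64 rules look for


def b64_variants(needle):
    """Alignment-independent base64 fragments of needle (what YARA's `base64` modifier matches)."""
    out = set()
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + needle)
        lead = (0, 2, 3)[shift]                       # chars polluted by the padding bytes
        trail = (0, 3, 2)[(shift + len(needle)) % 3]  # chars that depend on following bytes
        out.add(enc[lead:len(enc) - trail])
    return out


def scan_tar(data):
    """Walk the ustar header chain and return (member_name, reason) findings."""
    findings, off = [], 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr[257:262] != b"ustar":      # end-of-archive zero block or not a tar header
            break
        name = hdr[:100].split(b"\0", 1)[0]
        if name.startswith(b"'`"):
            findings.append((name, "name starts with quote+backtick"))
        for marker in MARKERS:
            if any(hdr.find(v, 0, 250 + len(v)) != -1 for v in b64_variants(marker)):
                findings.append((name, "base64 of %s in header" % marker.decode()))
        try:
            size = int(hdr[124:136].strip(b"\0 ") or b"0", 8)
        except ValueError:                # malformed size field: stop walking
            break
        off += BLOCK + -(-size // BLOCK) * BLOCK      # header + data padded to 512
    return findings


def build_sample(names):
    """Constructed test archive: harmless 5-byte members with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for n in names:
            info = tarfile.TarInfo(n)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"hello"))
    return buf.getvalue()
```

Findings are hunting leads in the same sense as the YARA rules: a hit marks an archive for closer inspection rather than confirming exploitation.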

SALTWATER

The following three (3) YARA rules can be used to hunt for SALTWATER:

rule M_Hunting_Linux_Funchook
{
    strings:
        $f = "funchook_"
        $s1 = "Enter funchook_create()"
        $s2 = "Leave funchook_create() => %p"
        $s3 = "Enter funchook_prepare(%p, %p, %p)"
        $s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
        $s5 = "Enter funchook_install(%p, 0x%x)"
        $s6 = "Leave funchook_install() => %d"
        $s7 = "Enter funchook_uninstall(%p, 0x%x)"
        $s8 = "Leave funchook_uninstall() => %d"
        $s9 = "Enter funchook_destroy(%p)"
        $s10 = "Leave funchook_destroy() => %d"
        $s11 = "Could not modify already-installed funchook handle."
        $s12 = " change %s address from %p to %p"
        $s13 = " link_map addr=%p, name=%s"
        $s14 = " ELF type is neither ET_EXEC nor ET_DYN."
        $s15 = " not a valid ELF module %s."
        $s16 = "Failed to protect memory %p (size=%"
        $s17 = " protect memory %p (size=%"
        $s18 = "Failed to unprotect memory %p (size=%"
        $s19 = " unprotect memory %p (size=%"
        $s20 = "Failed to unprotect page %p (size=%"
        $s21 = " unprotect page %p (size=%"
        $s22 = "Failed to protect page %p (size=%"
        $s23 = " protect page %p (size=%"
        $s24 = "Failed to deallocate page %p (size=%"
        $s25 = " deallocate page %p (size=%"
        $s26 = " allocate page %p (size=%"
        $s27 = " try to allocate %p but %p (size=%"
        $s28 = " allocate page %p (size=%"
        $s29 = "Could not find a free region near %p"
        $s30 = " -- Use address %p or %p for function %p"
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}

rule M_Hunting_Linux_SALTWATER_1
{
    strings:
        $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
        $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and any of them
}

rule M_Hunting_Linux_SALTWATER_2
{
    strings:
        $c1 = "TunnelArgs"
        $c2 = "DownloadChannel"
        $c3 = "UploadChannel"
        $c4 = "ProxyChannel"
        $c5 = "ShellChannel"
        $c6 = "MyWriteAll"
        $c7 = "MyReadAll"
        $c8 = "Connected2Vps"
        $c9 = "CheckRemoteIp"
        $c10 = "GetFileSize"
        $s1 = "[-] error: popen failed"
        $s2 = "/home/product/code/config/ssl_engine_cert.pem"
        $s3 = "libbindshell.so"
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*))
}

The following SNORT rule can be used to hunt for SEASPY magic packets:

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY"; flags:S; dsize:>9; content:"oXmp"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1;)

The following SNORT rules require Suricata 5.0.4 or newer and can be used to hunt for SEASPY magic packets:

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_1358"; flags:S; tcp.hdr; content:"|05 4e|"; offset:22; depth:2; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1;)

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58928"; flags:S; tcp.hdr; content:"|e6 30|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1;)

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58930"; flags:S; tcp.hdr; content:"|e6 32|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)