FBI warns of patched Barracuda ESG appliances still being hacked

The Federal Bureau of Investigation warned that patches for a critical Barracuda Email Security Gateway (ESG) remote command injection flaw are "ineffective," and patched appliances are still being compromised in ongoing attacks.

Tracked as CVE-2023-2868, the vulnerability was first exploited in October 2022 to backdoor ESG appliances and steal data from the compromised systems.

The attackers deployed previously unknown malware, SeaSpy and Saltwater, and a malicious tool, SeaSide, to establish reverse shells for remote access.

CISA has since shared further details about Submariner and Whirlpool malware that was deployed in the same attacks. The U.S. cybersecurity agency also added the bug to its catalog of bugs actively exploited in the wild on May 27, warning federal agencies to check their networks for evidence of breaches.

Even though the Barracuda patched all appliances remotely and blocked the attackers' access to the breached devices on May 20, one day after the bug was identified, it also warned all customers on June 7 that they must replace all impacted appliances immediately, likely because it couldn't ensure the complete removal of malware deployed in the attacks.

Mandiant later linked the data-theft campaign targeting Barracuda ESG appliances using CVE-2023-2868 exploits to the UNC4841 threat group, described as a suspected pro-China hacking group.

FBI also warns Barracuda customers to replace appliances

The FBI now reinforced Barracuda's warning to customers that they should isolate and replace hacked appliances urgently, saying that the Chinese hackers are still actively exploiting the vulnerability and even patched devices are at risk of compromise because of "ineffective" patches.

"The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately," the federal law enforcement agency warned [PDF] in a flash alert issued on Wednesday.

"The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.

"The FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability."

Furthermore, the agency advised Barracuda customers to investigate their networks for potential additional breaches by scanning for outbound connections to IPs in the list of indicators of compromise (IOCs) shared in the advisory.

Those who used enterprise-privileged credentials with their Barracuda appliances (e.g., Active Directory Domain Admin) were also urged to revoke and rotate them to thwart the attackers' attempts to maintain network persistence.

Barracuda says its security products are being used by over 200,000 organizations worldwide, including high-profile companies like Samsung, Delta Airlines, Mitsubishi, and Kraft Heinz.