FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective

Cyber Security Threat Summary:
The Barracuda Email Security Gateway (ESG) vulnerability, identified as CVE-2023-2868, has been exploited by a Chinese state-sponsored cyberespionage group named UNC4841. This vulnerability affects Barracuda ESG versions to, enabling attackers to perform command injections via specially crafted TAR file attachments in emails. Despite Barracuda's patch release in May 2023, the FBI has found that the patches are ineffective, and the vulnerability remains actively exploited.

The attackers, UNC4841, have capitalized on the compromised ESG appliances to deploy various malware types, granting them email scanning capabilities, credential theft, data exfiltration, and persistent access. Additionally, the compromised appliances have facilitated lateral movement within victim networks and the transmission of malicious emails to other appliances. UNC4841 has demonstrated adaptability and sophistication by deploying novel malware to high-priority targets post-remediation of CVE-2023-2868.

Suggested Correction(s):

To address this ongoing threat, the FBI provides the following mitigation guidance:

  • Isolate and Replace: It is strongly recommended that all affected Barracuda ESG appliances be isolated and replaced promptly. This action is advised regardless of the application of patches, as the FBI considers all impacted appliances to be compromised and susceptible to this exploit.
  • Scan for Indicators of Compromise (IoCs): Perform comprehensive scans for IoCs. However, solely scanning the appliance may not fully identify potential intrusions.
  • Scan Outgoing Connections: Extend scans to detect any suspicious outgoing connections originating from compromised appliances, as these could indicate unauthorized or malicious activity.
  • Review Email Logs: Carefully review email logs to identify any unusual or unauthorized email activities that may signal compromise.
  • Rotate Credentials: Enhance security by rotating and updating all credentials linked to the affected appliances to thwart unauthorized access.
  • Revoke and Reissue Certificates: Prevent misuse by revoking and reissuing any certificates associated with compromised appliances.
  • Monitor Network Activity: Vigilantly monitor the entire network for any signs of abnormal or irregular activity that might suggest unauthorized access or malevolent actions.
  • Network Logs: Scrutinize network logs for potential signs of suspicious activity or anomalies connected to the compromise.
  • This incident underscores the critical importance of prompt vulnerability response and continuous security assessment. Organizations are urged to take immediate steps to counteract and mitigate the impact of such vulnerabilities, preventing further compromise and potential data breaches.