August 24, 2023 (updated 25 Aug 2023 10:31am)

Compromised Barracuda Network services ‘remain at risk’ despite patches, warns FBI

The US law enforcement agency warned that a vulnerability in the firm's ESG appliances is being exploited by China-based hackers.

By Claudia Glover

The FBI has released a warning that services provided by IT vendor Barracuda Networks remain at risk of being attacked by cybercriminals working for the People’s Republic of China, despite patches being released by the company in May. Barracuda boasts high-profile clients such as Kraft Heinz and NHS Scotland. 

The vulnerability, tracked as CVE-2023-2868, affects Barracuda Networks' Email Security Gateway (ESG) appliances. The FBI flash alert urges the immediate removal of such appliances from any customer network.

Barracuda ESG appliances need to be removed despite patches. (Photo by Shane Gross/Shutterstock)

The vulnerability has been exploited in the wild since as early as October 2022, according to a report by security company Mandiant, which was only called in to assist in the investigation of the Barracuda ESG attacks in May of this year. The FBI described the vulnerability as a ‘zero day,’ a term referring to a bug for which no patch exists and which is, therefore, highly prized by cybercriminals.

Mandiant explained at the time that it had “identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to use as a vector for espionage.” As such, any Barracuda client using the ESG appliances may be spied upon by China-based cybercriminals, who are suspected by the FBI to be working for the Chinese government.

Barracuda Networks claims its services are used by over 200,000 organisations across the globe, including companies like Mitsubishi, Samsung, Kraft Heinz and Delta Airlines. UK clients include public sector customers like NHS Scotland as well as elements of critical national infrastructure, such as the independent oil and gas company the Parkmead Group.

Patches for the vulnerability were released by Barracuda Networks on 19 and 23 May. However, the attackers worked around them and continued to intrude into victims’ networks. On 31 May, Barracuda advised its customers to isolate and replace impacted ESG products, regardless of patch level.

Yesterday, the FBI echoed this warning, saying that it “continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit. Barracuda customers should remove all ESG appliances immediately.”


How does the attack work?

According to the FBI, China-based cybercriminals have exploited a significant number of ESG appliances and injected multiple malicious payloads, including Saltwater and Seaspy malware, that enabled persistent access, email scanning, credential harvesting, and data exfiltration. 

“In many cases, the criminals obfuscated their actions with counter-forensic techniques, making detection of compromise difficult through only scanning the appliance itself for indicators of compromise,” reads the FBI report. “As a result, it is imperative that networks scan various network logs for connections to any of the listed indicators.”

After the suspected government-backed Chinese cybercriminals compromised the device, they were observed dropping various malicious payloads into the vulnerable machines and aggressively targeting specific data for exfiltration. In some cases, the hackers used initial access to the ESG appliance as an entry point to the rest of the victim’s network or sent emails to other victim appliances. The cyber actors used additional tools to maintain long-term, persistent access to the ESG appliances, the FBI added.
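As an added example (not from the article, the FBI alert or Barracuda), the following Python scanner applies the FBI's advice above to constructed firewall log lines: it correlates connections against an indicator list and flags unexpected egress from the appliance, rather than relying on scanning the appliance itself. The indicator values, the ESG appliance address and the set of expected egress ports are placeholders and assumptions; the real indicators are in the FBI flash alert, which this page does not reproduce.

```python
from typing import Dict, FrozenSet, List, Set

# PLACEHOLDER indicators (TEST-NET-2 addresses and a .invalid domain); the
# real list is in the FBI flash alert and must be substituted by the reader.
INDICATOR_IPS: Set[str] = {"198.51.100.23", "198.51.100.77"}
INDICATOR_DOMAINS: Set[str] = {"update-check.invalid"}

# Assumption: an ESG appliance normally only needs SMTP, DNS and HTTPS egress.
EXPECTED_ESG_PORTS: FrozenSet[int] = frozenset({25, 53, 443})

# Constructed firewall log lines: timestamp followed by key=value fields.
# 192.0.2.10 plays the ESG appliance; 192.0.2.44 is another internal host.
SAMPLE_LOG = """\
2023-08-20T03:12:41Z src=192.0.2.10 dst=203.0.113.5 dport=25 proto=tcp action=allow
2023-08-20T03:13:02Z src=192.0.2.10 dst=198.51.100.23 dport=443 proto=tcp action=allow
2023-08-20T03:15:19Z src=192.0.2.44 dst=198.51.100.23 dport=443 proto=tcp action=allow
2023-08-20T03:16:00Z src=192.0.2.10 dst=203.0.113.9 dport=53 proto=udp action=allow host=update-check.invalid
2023-08-20T03:18:37Z src=192.0.2.10 dst=203.0.113.50 dport=8443 proto=tcp action=allow
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    fields = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def scan_logs(log_text: str, esg_hosts: Set[str]) -> List[Dict[str, object]]:
    """Return every log line that touches an indicator or shows odd ESG egress."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        reasons = []
        if f.get("dst") in INDICATOR_IPS:
            reasons.append("dst matches indicator IP")
        if f.get("host") in INDICATOR_DOMAINS:
            reasons.append("resolved host matches indicator domain")
        if f.get("src") in esg_hosts and int(f.get("dport", "0")) not in EXPECTED_ESG_PORTS:
            reasons.append("ESG egress on unexpected port")
        if reasons:
            findings.append({**f, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG, {"192.0.2.10"}):
        print(hit["ts"], hit["src"], "->", hit["dst"], "; ".join(hit["reasons"]))
```

The third sample line (a non-appliance host reaching an indicator) is the case the article describes, where the ESG appliance is used as an entry point to the rest of the network, so the indicator match is applied to every source, not only to the appliance.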

This week, another zero-day vulnerability was uncovered by security company Group-IB in the popular compression tool WinRAR. The vulnerability, tracked as CVE-2023-38831, has been exploited by various cybercriminals since April 2023. After infecting devices, the criminals withdraw money from victims’ broker accounts. The total sum of financial losses is as yet unknown. The tool has over 500 million users.

