Trustwave Action Response: Zero Day Vulnerability in Barracuda Email Security Gateway Appliance (ESG) (CVE-2023-2868)
On May 19, 2023, Barracuda Networks identified a remote command injection vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway (appliance form factor only) versions 5.1.3.001 through 9.2.0.006. In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. In subsequent days, Barracuda deployed a series of patches.
The earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022. Barracuda also noted that malware was placed on a subset of vulnerable appliances to allow for persistence even if the vulnerability were patched. Additionally, evidence of data exfiltration was identified on a subset of impacted appliances. Because of this, on June 6, Barracuda updated its advisory, notifying customers to immediately replace ESG appliances regardless of patch version level. This issue is critical for every organization currently using the Barracuda Email Security Gateway Appliance.
Trustwave recommends giving this issue a high security priority to be addressed as soon as possible.
Trustwave is diligently monitoring the situation for client exposure and associated attacks and will provide updates here as we have them.
For any organizations concerned about a breach, Trustwave’s Digital Forensics and Incident Response (DFIR) team is on call and ready to support. Barracuda ESG customers should refer to Barracuda’s advisory for its recommendations to impacted customers.
Endpoint IOCs
| # | File Name | MD5 Hash | Type |
|---|---|---|---|
| 1 | appcheck.sh | N/A | Bash script |
| 2 | aacore.sh | N/A | Bash script |
| 3 | 1.sh | N/A | Bash script |
| 4 | mod_udp.so | 827d507aa3bde0ef903ca5dec60cdec8 | SALTWATER Variant |
| 5 | intent | N/A | N/A |
| 6 | install_helo.tar | 2ccb9759800154de817bf779a52d48f8 | TAR Package |
| 7 | intent_helo | f5ab04a920302931a8bd063f27b745cc | Bash script |
| 8 | pd | 177add288b289d43236d2dba33e65956 | Reverse Shell |
| 9 | update_v31.sh | 881b7846f8384c12c7481b23011d8e45 | Bash script |
| 10 | mod_require_helo.lua | cd2813f0260d63ad5adf0446253c2172 | SEASIDE |
| 11 | BarracudaMailService | 82eaf69de710abdc5dea7cd5cb56cf04 | SEASPY |
| 12 | BarracudaMailService | e80a85250263d58cc1a1dc39d6cf3942 | SEASPY |
| 13 | BarracudaMailService | 5d6cba7909980a7b424b133fbac634ac | SEASPY |
| 14 | BarracudaMailService | 1bbb32610599d70397adfdaf56109ff3 | SEASPY |
| 15 | BarracudaMailService | 4b511567cfa8dbaa32e11baf3268f074 | SEASPY |
| 16 | BarracudaMailService | a08a99e5224e1baf569fda816c991045 | SEASPY |
| 17 | BarracudaMailService | 19ebfe05040a8508467f9415c8378f32 | SEASPY |
| 18 | mod_udp.so | 1fea55b7c9d13d822a64b2370d015da7 | SALTWATER Variant |
| 19 | mod_udp.so | 64c690f175a2d2fe38d3d7c0d0ddbb6e | SALTWATER Variant |
| 20 | mod_udp.so | 4cd0f3219e98ac2e9021b06af70ed643 | SALTWATER Variant |
Network IOCs
| # | Indicator | ASN | Location |
|---|---|---|---|
| 1 | xxl17z.dnslog.cn | N/A | N/A |
| 2 | mx01.bestfindthetruth.com | N/A | N/A |
| 3 | 64.176.7.59 | AS-CHOOPA | US |
| 4 | 64.176.4.234 | AS-CHOOPA | US |
| 5 | 52.23.241.105 | AMAZON-AES | US |
| 6 | 23.224.42.5 | CloudRadium L.L.C | US |
| 7 | 192.74.254.229 | PEG TECH INC | US |
| 8 | 192.74.226.142 | PEG TECH INC | US |
| 9 | 155.94.160.72 | QuadraNet Enterprises LLC | US |
| 10 | 139.84.227.9 | AS-CHOOPA | US |
| 11 | 137.175.60.253 | PEG TECH INC | US |
| 12 | 137.175.53.170 | PEG TECH INC | US |
| 13 | 137.175.51.147 | PEG TECH INC | US |
| 14 | 137.175.30.36 | PEG TECH INC | US |
| 15 | 137.175.28.251 | PEG TECH INC | US |
| 16 | 137.175.19.25 | PEG TECH INC | US |
| 17 | 107.148.219.227 | PEG TECH INC | US |
| 18 | 107.148.219.55 | PEG TECH INC | US |
| 19 | 107.148.219.54 | PEG TECH INC | US |
| 20 | 107.148.219.53 | PEG TECH INC | US |
| 21 | 107.148.219.227 | PEG TECH INC | US |
| 22 | 107.148.149.156 | PEG TECH INC | US |
| 23 | 104.223.20.222 | QuadraNet Enterprises LLC | US |
| 24 | 103.93.78.142 | EDGENAP LTD | JP |
| 25 | 103.27.108.62 | TOPWAY GLOBAL LIMITED | HK |
| 26 | 137.175.30.86 | PEGTECHINC | US |
| 27 | 199.247.23.80 | AS-CHOOPA | DE |
| 28 | 38.54.1.82 | KAOPU CLOUD HK LIMITED | SG |
| 29 | 107.148.223.196 | PEGTECHINC | US |
| 30 | 23.224.42.29 | CNSERVERS | US |
| 31 | 137.175.53.17 | PEGTECHINC | US |
| 32 | 103.146.179.101 | GIGABITBANK GLOBAL | HK |
YARA Rules
CVE-2023-2868
The following three (3) YARA rules can be used to hunt for the malicious TAR file that exploits CVE-2023-2868:
```yara
rule M_Hunting_Exploit_Archive_2
{
    meta:
        description = "Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed files"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $b64_tmp = "/tmp/" base64
    condition:
        filesize < 1MB and
        $ustar at 257 and
        for any i in (0 .. #ustar) : (
            $b64_tmp in (i * 512 .. i * 512 + 250)
        )
}

rule M_Hunting_Exploit_Archive_3
{
    meta:
        description = "Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $b64_openssl = "openssl" base64
    condition:
        filesize < 1MB and
        $ustar at 257 and
        for any i in (0 .. #ustar) : (
            $b64_openssl in (i * 512 .. i * 512 + 250)
        )
}

rule M_Hunting_Exploit_Archive_CVE_2023_2868
{
    meta:
        description = "Looks for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868"
        date_created = "2023-05-26"
        date_modified = "2023-05-26"
        md5 = "0d67f50a0bf7a3a017784146ac41ada0"
        version = "1.0"
    strings:
        $ustar = { 75 73 74 61 72 }
        $qb = "'`"
    condition:
        filesize < 1MB and
        $ustar at 257 and
        for any i in (0 .. #ustar) : (
            $qb at (@ustar[i] + 255)
        )
}
```
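As an added example (not part of the Trustwave or Mandiant material above), the following Python script re-implements the three indicators as an offline check for environments where YARA is not available: it walks the 512-byte records of a TAR, and for every header carrying the ustar magic tests whether the name field starts with the `'`` pair or whether the first 250 header bytes contain the aligned base64 encoding of `/tmp/` or `openssl`. The function names and the in-memory fixture archive are constructed for this example; the YARA `base64` modifier also matches the two shifted alignments, which this short port omits.

```python
import base64
import io
import tarfile

RECORD = 512                 # TAR headers and data are 512-byte records
USTAR_OFFSET = 257           # the "ustar" magic sits at byte 257 of a header
MAX_SIZE = 1_000_000         # the YARA rules require filesize < 1MB
# Aligned base64 of the two markers the Exploit_Archive_2/_3 rules look for
# (YARA's `base64` modifier also covers the shifted alignments; omitted here).
B64_TMP = base64.b64encode(b"/tmp/")        # b"L3RtcC8="
B64_OPENSSL = base64.b64encode(b"openssl")  # b"b3BlbnNzbA=="


def tar_header_hits(data: bytes) -> list:
    """Return (member name, indicator) pairs for every ustar header whose
    name starts with '` or whose first 250 bytes contain a base64 marker."""
    hits = []
    if len(data) >= MAX_SIZE:
        return hits
    for off in range(0, len(data) - RECORD + 1, RECORD):
        hdr = data[off:off + RECORD]
        if hdr[USTAR_OFFSET:USTAR_OFFSET + 5] != b"ustar":
            continue                     # data record or end-of-archive padding
        name = hdr[:100].split(b"\0", 1)[0].decode("latin-1")
        head = hdr[:250]                 # name..linkname: the rules' search window
        if name.startswith("'`"):
            hits.append((name, "quote_backtick_filename"))
        if B64_TMP in head:
            hits.append((name, "base64_tmp"))
        if B64_OPENSSL in head:
            hits.append((name, "base64_openssl"))
    return hits


def build_sample_tar(names) -> bytes:
    """Constructed fixture for exercising the detector: an in-memory USTAR
    archive whose members each hold a few bytes of harmless text."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            body = b"fixture\n"
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tar(["report.pdf", "'`fixture.txt", "L3RtcC8=.txt"])
    print(tar_header_hits(sample))
```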
SALTWATER
The following three (3) YARA rules can be used to hunt for SALTWATER:
```yara
rule M_Hunting_Linux_Funchook
{
    strings:
        $f = "funchook_"
        $s1 = "Enter funchook_create()"
        $s2 = "Leave funchook_create() => %p"
        $s3 = "Enter funchook_prepare(%p, %p, %p)"
        $s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
        $s5 = "Enter funchook_install(%p, 0x%x)"
        $s6 = "Leave funchook_install() => %d"
        $s7 = "Enter funchook_uninstall(%p, 0x%x)"
        $s8 = "Leave funchook_uninstall() => %d"
        $s9 = "Enter funchook_destroy(%p)"
        $s10 = "Leave funchook_destroy() => %d"
        $s11 = "Could not modify already-installed funchook handle."
        $s12 = " change %s address from %p to %p"
        $s13 = " link_map addr=%p, name=%s"
        $s14 = " ELF type is neither ET_EXEC nor ET_DYN."
        $s15 = " not a valid ELF module %s."
        $s16 = "Failed to protect memory %p (size=%"
        $s17 = " protect memory %p (size=%"
        $s18 = "Failed to unprotect memory %p (size=%"
        $s19 = " unprotect memory %p (size=%"
        $s20 = "Failed to unprotect page %p (size=%"
        $s21 = " unprotect page %p (size=%"
        $s22 = "Failed to protect page %p (size=%"
        $s23 = " protect page %p (size=%"
        $s24 = "Failed to deallocate page %p (size=%"
        $s25 = " deallocate page %p (size=%"
        $s26 = " allocate page %p (size=%"
        $s27 = " try to allocate %p but %p (size=%"
        $s28 = " allocate page %p (size=%"
        $s29 = "Could not find a free region near %p"
        $s30 = " -- Use address %p or %p for function %p"
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}

rule M_Hunting_Linux_SALTWATER_1
{
    strings:
        $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
        $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and any of them
}

rule M_Hunting_Linux_SALTWATER_2
{
    strings:
        $c1 = "TunnelArgs"
        $c2 = "DownloadChannel"
        $c3 = "UploadChannel"
        $c4 = "ProxyChannel"
        $c5 = "ShellChannel"
        $c6 = "MyWriteAll"
        $c7 = "MyReadAll"
        $c8 = "Connected2Vps"
        $c9 = "CheckRemoteIp"
        $c10 = "GetFileSize"
        $s1 = "[-] error: popen failed"
        $s2 = "/home/product/code/config/ssl_engine_cert.pem"
        $s3 = "libbindshell.so"
    condition:
        filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*))
}
```
SEASPY

The following SNORT rule can be used to hunt for SEASPY magic packets:

```
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY"; flags:S; dsize:>9; content:"oXmp"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1;)
```
The following rules use the `tcp.hdr` sticky buffer and therefore require Suricata 5.0.4 or newer; they can be used to hunt for SEASPY magic packets:

```
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_1358"; flags:S; tcp.hdr; content:"|05 4e|"; offset:22; depth:2; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1;)
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58928"; flags:S; tcp.hdr; content:"|e6 30|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1;)
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58930"; flags:S; tcp.hdr; content:"|e6 32|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)
```
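As an added example (not part of the Trustwave or Mandiant material), the following Python code applies the tests of the first SNORT rule above to raw IPv4 packets, which is useful for sweeping an existing packet capture offline: TCP to port 25 or 587, TCP flags exactly SYN, a payload longer than 9 bytes (`dsize:>9`), and the payload beginning with `oXmp`. A SYN segment carrying data at all is unusual, which is why the rule needs no further context. The function names and the fixture packets (zeroed checksums, private addresses) are constructed for this example.

```python
import struct

SEASPY_PORTS = {25, 587}     # SMTP ports the rule watches
MAGIC = b"oXmp"              # content:"oXmp"; offset:0; depth:4
SYN = 0x02


def is_seaspy_magic_packet(pkt: bytes) -> bool:
    """Return True when one raw IPv4 packet matches the M_Backdoor_SEASPY rule:
    TCP, dport 25/587, flags exactly SYN, payload > 9 bytes starting with 'oXmp'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                       # not IPv4
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or total_len > len(pkt) or total_len < ihl + 20:
        return False                       # not TCP, or truncated
    tcp = pkt[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13] & 0x3F                 # URG ACK PSH RST SYN FIN (ECN bits ignored)
    payload = tcp[data_off:]
    return (dport in SEASPY_PORTS and flags == SYN
            and len(payload) > 9 and payload.startswith(MAGIC))


def build_packet(dport: int, payload: bytes, flags: int = SYN) -> bytes:
    """Constructed test fixture: an IPv4/TCP segment with zeroed checksums and
    fixed private addresses, used only to exercise the detector."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload


if __name__ == "__main__":
    for label, pkt in [
        ("magic SYN to 25", build_packet(25, MAGIC + b"\0" * 6)),
        ("ordinary SYN", build_packet(25, b"")),
        ("marker on wrong port", build_packet(443, MAGIC + b"\0" * 6)),
    ]:
        print(label, is_seaspy_magic_packet(pkt))
```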
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.