Enterprise security company Barracuda has warned its customers against using email security gateway (ESG) appliances impacted by a recently disclosed zero-day exploit and to replace them immediately.

A patch for the vulnerability, which has been exploited since October 2022, was issued by Barracuda last month to stop the exploit from being used to backdoor ESG appliances.

"The vulnerability existed in a module which initially screens the attachments of incoming emails," the company said previously. "No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified."

Users whose appliances Barracuda believes were impacted are being notified via the ESG user interface of the actions to take. Barracuda has also reached out to these customers directly.

Replacement advised despite patches

The vulnerability, tracked as CVE-2023-2868, was identified on May 19, 2023. It affects ESG versions 5.1.3.001 through 9.2.0.006 and allows a remote attacker to achieve code execution on vulnerable installations.

Barracuda released patches on May 20 and May 21 for all ESG appliances worldwide. In its latest update on the incident, however, the company advises replacing impacted appliances irrespective of their patch status. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company said in the update, adding that its "remediation recommendation at this time is a full replacement of the impacted ESG."

Multiple malware strains used

Three different malware strains have been discovered so far on a subset of appliances, providing persistent backdoor access, according to the company.
Evidence of data exfiltration was identified on a subset of impacted appliances, the company said in a previous update.

The three strains, Saltwater, Seaspy, and Seaside, are all backdoor components. Saltwater and Seaside are both modules loaded into the Barracuda SMTP daemon (bsmtpd): Saltwater lets the attacker upload and download arbitrary files, execute commands, and tunnel malicious traffic, while Seaside is a Lua-based module that receives a command-and-control address through SMTP HELO/EHLO commands and opens a reverse shell. Seaspy is an x64 ELF (executable and linkable format) backdoor that provides persistence and stays dormant until it is activated by a specially crafted "magic" packet.

Mandiant, the Google-owned cybersecurity intelligence firm investigating the incident, has identified source code overlaps between Seaspy and an open source backdoor called cd00r. The attacks have not been attributed to any known threat actor or group.
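The triage rule from the "Replacement advised despite patches" section (affected firmware range 5.1.3.001 through 9.2.0.006, and impacted appliances replaced regardless of patch level) expressed as an added Python example. This is not Barracuda's or Mandiant's code; the inventory records, their field names (`name`, `version`, `patched`, `flagged_impacted`) and the status labels are assumptions made for the example, and the sample inventory is constructed.

```python
"""Triage helper for the Barracuda ESG CVE-2023-2868 advisory.

Added example, not Barracuda's or Mandiant's code. It encodes two rules
from the advisory: the affected firmware range (5.1.3.001 through
9.2.0.006) and the instruction that an appliance Barracuda has flagged as
impacted is replaced regardless of its patch level. The inventory record
layout and the status labels are assumptions made for this example.
"""
from typing import Dict, List, Tuple

AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert an ESG version string such as '9.2.0.006' into a tuple of ints.

    Comparing as integers matters: a plain string comparison would sort
    '10.0.0.001' before '5.1.3.001' and mis-triage it as affected.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ESG version format: {version!r}")
    return tuple(int(p) for p in parts)


def in_affected_range(version: str) -> bool:
    """True if the version lies inside the range named in the advisory (inclusive)."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def triage(appliance: Dict) -> Tuple[str, str]:
    """Return (status, reason) for one inventory record.

    Assumed record fields: 'name', 'version', 'patched' (the May 20/21
    security patch has been applied) and 'flagged_impacted' (Barracuda
    notified this appliance as impacted via the ESG UI or direct outreach).
    """
    if appliance["flagged_impacted"]:
        # The advisory is explicit: patch level does not matter for impacted units.
        return ("REPLACE", "flagged as impacted by Barracuda; replace regardless of patch level")
    if not in_affected_range(appliance["version"]):
        return ("OUT_OF_RANGE", "version outside 5.1.3.001 through 9.2.0.006")
    if not appliance["patched"]:
        return ("PATCH_MISSING", "affected version without the May 2023 security patch")
    return ("PATCHED", "affected version with patch applied; watch for an impact notification")


def triage_inventory(inventory: List[Dict]) -> Dict[str, Tuple[str, str]]:
    """Triage every record, keyed by appliance name."""
    return {a["name"]: triage(a) for a in inventory}


# Constructed inventory for the example. Names are made up; the versions
# are chosen to sit on and just outside the boundaries the advisory names.
SAMPLE_INVENTORY = [
    {"name": "esg-dc1", "version": "9.2.0.006", "patched": True, "flagged_impacted": True},
    {"name": "esg-dc2", "version": "9.2.0.006", "patched": True, "flagged_impacted": False},
    {"name": "esg-lab", "version": "5.1.3.001", "patched": False, "flagged_impacted": False},
    {"name": "esg-old", "version": "5.1.2.999", "patched": False, "flagged_impacted": False},
    {"name": "esg-new", "version": "10.0.0.001", "patched": False, "flagged_impacted": False},
]

if __name__ == "__main__":
    for name, (status, reason) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {status} ({reason})")
```

The ordering of the checks is the point: the "flagged as impacted" rule is evaluated before the version and patch checks, so a fully patched appliance still comes out as REPLACE when Barracuda has notified it, which is exactly what the advisory requires.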