Barracuda disclosed the vulnerability that allowed the compromise of the appliance (physical and virtual) form of its Email Security Gateway in May 2023, with patches applied to appliances on the 20th and 21st of May. The vulnerability, tracked as CVE-2023-2868, is a remote command injection flaw in the module that screens incoming email attachments. That module performed incomplete input validation on user-supplied .tar files, specifically on the names of the files contained inside the archive. An attacker could therefore email a tar archive whose member names were crafted so that, when the screener passed them to a system command through Perl's qx operator, the embedded shell metacharacters ran arbitrary commands with the privileges of the Email Security Gateway product. The attack pattern was identified on May 18th, but the attackers had been exploiting the flaw since at least October 2022.
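The following Python is an added illustration of that bug class, not Barracuda's code (which is not reproduced on this page). A toy attachment screener builds a tar archive in memory with a constructed member name containing shell metacharacters; the vulnerable path interpolates that name into a command string handed to /bin/sh, which is what Perl's qx operator does with a string, and the hardened path allow-lists member names and passes an argument vector with no shell at all. The `echo scanning` stand-in for the real scanner command, the `file` argv, the allow-list pattern and the sample archive are all assumptions made for the example.

```python
import io
import re
import subprocess
import tarfile

# Constructed sample member names (assumption: the file names used in the real
# attacks are not on the page; these are illustrative only).
BENIGN_MEMBER = "invoice.pdf"
# The leading quote closes the screener's own quoting, ';' terminates its
# command and a second command follows; 'true' absorbs the trailing quote.
MALICIOUS_MEMBER = "'; echo INJECTED; true '"


def build_archive(member_name: str) -> bytes:
    """Build a tar archive in memory containing one member with the given name."""
    data = b"sample attachment body"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(archive: bytes) -> list[str]:
    """Return the file names stored inside the archive exactly as the sender
    chose them: this is the attacker-controlled input."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        return [m.name for m in tf.getmembers()]


def vulnerable_command(member_name: str) -> str:
    """The bug class: an untrusted name interpolated into a shell command string.
    Perl's qx hands such a string to /bin/sh, so wrapping the name in single
    quotes is no protection once the name itself contains a single quote.
    'echo scanning' stands in for the real scanner invocation (assumption)."""
    return f"echo scanning '{member_name}'"


def run_vulnerable(member_name: str) -> str:
    """Run the interpolated command through the shell and return its stdout."""
    result = subprocess.run(
        vulnerable_command(member_name), shell=True,
        capture_output=True, text=True, check=False,
    )
    return result.stdout


# Hardened path: allow-list the name, then keep the shell out of the picture.
# First character excludes '-' (option injection) and '.' (dotfiles, '..').
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def hardened_scan_argv(member_name: str) -> list[str]:
    """Validate the name against a strict allow-list and build an argv list.
    Passed to subprocess.run() with shell=False, the list goes straight to
    execve, so no character in the name is ever parsed as shell syntax; the
    '--' additionally stops the scanner from reading the name as an option."""
    if not SAFE_NAME.fullmatch(member_name):
        raise ValueError(f"rejected archive member name: {member_name!r}")
    return ["file", "--", member_name]


def screen_archive(archive: bytes) -> list[list[str]]:
    """Build the scan argv for every member, failing closed on the first bad name."""
    return [hardened_scan_argv(name) for name in member_names(archive)]


if __name__ == "__main__":
    print(repr(run_vulnerable(BENIGN_MEMBER)))
    print(repr(run_vulnerable(MALICIOUS_MEMBER)))  # the injected echo runs too
    print(screen_archive(build_archive(BENIGN_MEMBER)))
    try:
        screen_archive(build_archive(MALICIOUS_MEMBER))
    except ValueError as exc:
        print(exc)
```

The two halves make the practitioner's point: quoting an untrusted value inside a command string is not validation, and the fix is not a better quoting routine but refusing names outside a tight allow-list and passing an argument vector so that nothing ever re-parses the name as shell syntax. The allow-list is deliberately strict (no leading dot or dash, no path separators), which is acceptable for a scanner that only needs a handle on the member, not its original name.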
Through this command injection, a number of Email Security Gateways were infected with malware that gave the attackers varying levels of control over the appliance, including exfiltration of system settings and of email that passed through the gateway. The level of access the attackers obtained is concerning, as is the fact that the malware is embedded deeply enough that the only way to be rid of it is to replace the appliance (physical or virtual).
Barracuda's official site lists an extended set of IOCs and YARA rules for detecting a compromised appliance. If you run one of these gateways, we strongly recommend checking it against the published IOCs. If the appliance is clean, patch it as quickly as possible so you are not left in a vulnerable state and then waiting on a replacement. Note that the patch only closes the entry point; it does not clean an appliance that was already compromised. If your appliance is compromised, Barracuda advises that you stop using it immediately and arrange a replacement. You should also rotate the credentials for any LDAP/AD connections, FTP server connections, SMB accounts and Barracuda Cloud Control accounts configured on the appliance, and replace any certificates in use on it.