So far everything seems normal as far as zero-day critical vulnerabilities go. Even the announcement that Barracuda had seen evidence of the flaw being exploited in the wild is nothing new; we are still inside the definition of a zero-day. However, we now know that threat actors have been abusing this flaw in the wild since October of 2022. That means Barracuda ESG appliances have been exposed to attackers for seven months. Given that the flaw allows remote code execution on the targeted device, this is significant. Now let's add something into the mix: there are three known strains of malware that have been identified targeting these products.
There is a trojanized SMTP module, dubbed Saltwater, that can upload/download files, execute commands and act as a proxy for malicious traffic; an x64 ELF backdoor with persistence mechanisms named SEASPY; and a Lua-based SMTP module that is essentially a reverse shell, using the built-in HELO/EHLO commands to communicate with the C2 server. This is just what has been found since discovery. The severity of the flaw prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a directive requiring all federal agencies to patch it by June 16th. They also added it to the Known Exploited Vulnerabilities Catalog (KEV). Barracuda is not announcing how many organizations are impacted (which is the right thing to do). They are contacting each one individually and providing mitigation/remediation guidance to those affected. As the investigation is not done yet, Barracuda has warned that other malware/toolsets might be uncovered before Mandiant is finished.
Now, there are always going to be flaws and attack vectors that go undetected for a multitude of reasons, and in this instance it appears that Barracuda is doing the right things in response. However, the events here do show how important it is to identify and remediate flaws and vulnerabilities once they are discovered. Having a proper exposure management program tied to properly prioritized and expedited remediation schedules is vital. Allowing exposure to persist in an environment because now is not an ideal time to patch is foolish. Attackers are more than capable of identifying these flaws and finding ways into an environment while they are present. Operations are still important, but when you consider the impact to an organization if/when there is an incident, quickly identifying and removing attack vectors should take a front seat. The days of cyclically chasing the "criticals and highs" while patching once a month are a thing of the past, as attackers prove themselves to be far more agile than modern businesses. It is pretty much identify and patch, or just assume you are going to get owned. This also highlights the absurdity of reducing security and IT operational spending as a "cost saving". If you do not have the money/staff to properly detect and remediate vulnerabilities and exposures, you are not going to stay in business long.