FBI announces that the Barracuda ESG zero-day patch for CVE-2023-2868 was ineffective in addressing the security flaw.
The FBI (Federal Bureau of Investigation) says that the patches released for the Barracuda Email Security Gateway (ESG) vulnerability did not resolve it, and advises organizations to remove all Email Security Gateway appliances immediately.
The flaw is said to affect Barracuda ESG versions 5.13.001 to 9.2.0.006 and has been continuously targeted in attacks since October 2022. Barracuda released security patches for the bug in late May 2023.
In June, Mandiant threat intelligence reported that the attacks targeting CVE-2023-2868 were part of a Chinese state-sponsored cyberespionage campaign, tracked as UNC4841. Analysis and reports detailing the payloads and malware used in the attack were published by CISA.
In a recent TLP:Flash, the FBI warned that the flaw is still being exploited in the wild, and that even appliances patched with Barracuda's fix remain susceptible to CVE-2023-2868.
In a summary statement, the FBI stated:
“As part of the FBI investigation into the exploitation of CVE-2023-2868, a zero-day vulnerability in Barracuda Network’s Email Security Gateway (ESG) appliances, the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability.”
Among the indicators, the FBI listed the domains associated with the attacks and the IP addresses from which the attacks originate. The FBI also asks that victims of the attack report it and provide the indicators of compromise listed in the PDF documents issued by the FBI.
The recommendations and mitigations proffered by the FBI include that “customers who use enterprise privilege credentials for management of their Barracuda appliances (such as Active Directory Domain Admin) should immediately take incident investigation steps to verify the use and behaviour of any credentials used on their devices.”
Other recommendations include reviewing email logs to identify the initial point of exposure, revoking and rotating all domain-based credentials, revoking and reissuing all certificates, monitoring the entire network, reviewing logs for signs of data exfiltration, and capturing forensic images of the appliances for analysis.
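The two practical steps above, checking traffic against the FBI's domain and IP indicators and reviewing logs for the initial point of exposure, come down to matching log lines against an IoC list. The script below is an added example written for this article, not code from the FBI or Barracuda: it parses constructed key=value proxy/firewall log lines and flags any line whose host matches an IoC domain (or a subdomain of it) or whose source/destination address falls inside an IoC address or CIDR range. The IoC values and the log format are placeholders; the real indicators must be taken from the FBI's PDF and the parser adapted to your own log format.

```python
import ipaddress
import re

# Placeholder indicators, constructed for this example. The real domains and IP
# addresses are in the FBI's TLP:Flash PDF and must be copied from there.
IOC_DOMAINS = {"placeholder-c2.example"}
IOC_IPS = {"192.0.2.10", "198.51.100.0/24"}   # RFC 5737 documentation ranges, not real IoCs

# Constructed log lines in a simple "timestamp key=value ..." proxy/firewall format.
SAMPLE_LOG = """\
2023-08-23T10:15:01Z src=10.0.0.5 dst=203.0.113.7 host=mail.example.com action=allow
2023-08-23T10:15:09Z src=10.0.0.5 dst=192.0.2.10 host=update.placeholder-c2.example action=allow
2023-08-23T10:16:30Z src=10.0.0.8 dst=198.51.100.44 host=- action=allow
2023-08-23T10:17:02Z src=10.0.0.5 dst=203.0.113.9 host=notplaceholder-c2.example action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse 'ts key=value ...' into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def compile_ip_iocs(ip_iocs):
    """Turn single addresses and CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in ip_iocs]


def matching_domain(host, ioc_domains):
    """Return the IoC domain that host equals or is a subdomain of, else None.

    The leading '.' in the suffix check stops 'notplaceholder-c2.example' from
    matching 'placeholder-c2.example'.
    """
    host = host.lower().rstrip(".")
    for dom in sorted(ioc_domains):
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def matching_network(ip_str, networks):
    """Return the IoC network containing ip_str, else None (non-addresses never match)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return net
    return None


def scan_log(lines, ioc_domains, ioc_ips):
    """Return hits as dicts {'line_no', 'ts', 'reasons'} for every line touching an IoC."""
    networks = compile_ip_iocs(ioc_ips)
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = parse_line(line)
        if not fields:
            continue
        reasons = []
        dom = matching_domain(fields.get("host", "-"), ioc_domains)
        if dom:
            reasons.append(f"domain:{dom}")
        for key in ("src", "dst"):
            net = matching_network(fields.get(key, ""), networks)
            if net:
                reasons.append(f"{key}:{net}")
        if reasons:
            hits.append({"line_no": line_no, "ts": fields["ts"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines(), IOC_DOMAINS, IOC_IPS):
        print(hit["line_no"], hit["ts"], ", ".join(hit["reasons"]))
```

The earliest hit in the output is the candidate initial point of exposure; a hit on an internal `src` address against an IoC range would point at outbound beaconing rather than inbound exploitation, which is why both ends of each connection are checked.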
Please let us know your thoughts about this in the comment section.