Update
On 25 December 2023, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) became aware of reporting of active exploitation of a third party library, Spreadsheet::ParseExcel, leading to potential Arbitrary Code Execution in Barracuda ESG appliances (CVE-2023-7101 and CVE-2023-7102).
Barracuda reports that it has deployed a security update to all active ESG appliances on 21 December 2023, that was applied automatically. A further patch has been deployed by Barracuda to customers ESG appliances that exhibited indicators of compromise (IOCs).
ASD’s ACSC recommend affected customers review Barracuda’s Security Advisory, ensure affected systems are patched, investigate and monitor for indications of network compromise.
Updated IOCs are available at: Barracuda Email Security Gateway Appliance (ESG) Vulnerability
Background / What has happened?
On 24 May 2023, Barracuda disclosed a remote command injection vulnerability in certain versions of their Email Security Gateway (ESG) appliances (CVE-2023-2868). A patch was made available at the time.
In June 2023, the ASD’s ACSC became aware of malicious activity targeting Barracuda devices, including the confirmed compromise of at least one Australian entity. Further investigations subsequently determined the vulnerability may have been exploited as a zero-day as early as October 2022.
On 29 August 2023, Mandiant, in cooperation with Barracuda and the United States’ (US) Cybersecurity & Infrastructure Agency (CISA), released a blog post detailing the malicious campaign, accompanied by new indicators of compromise (IOCs).
Mitigation / How do I stay secure?
The ASD’s ACSC and Barracuda have notified and provided assistance to organisations known to be impacted by the malicious campaign. Continued analysis has not identified any additional victims, however all organisations are encouraged to remain vigilant for any suspicious or malicious activity.
These new IOCs are provided to assist Australian organisations with strengthening the security of their networks.
For details on the campaign and associated IOCs, please refer to the following reports:
- Barracuda Email Security Gateway Appliance (ESG) Vulnerability (Barracuda)
- Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) (Mandiant)
- CISA Releases IOCs Associated with Malicious Barracuda Activity (CISA)
Assistance / Where can I go for help?
The ASD’s ACSC is able to provide assistance and advice as required. Organisations that have been impacted or require further advice or assistance can contact us via 1300 CYBER1 (1300 292 371), or lodge a cyber security incident report at https://cyber.gov.au/report.