In June 2023, the ASD’s ACSC became aware of active exploitation of a vulnerability affecting Barracuda ESG appliances (CVE-2023-2868). New indicators of compromise (IOCs) related to this activity have now been released to help organisations strengthen their network defences.
Background / What has happened?
On 24 May 2023, Barracuda disclosed a remote command injection vulnerability in certain versions of their Email Security Gateway (ESG) appliances (CVE-2023-2868). A patch was made available at the time.
In June 2023, the ASD’s ACSC became aware of malicious activity targeting Barracuda devices, including the confirmed compromise of at least one Australian entity. Further investigations subsequently determined the vulnerability may have been exploited as a zero-day as early as October 2022.
On 29 August 2023, Mandiant, in cooperation with Barracuda and the United States’ (US) Cybersecurity and Infrastructure Security Agency (CISA), released a blog post detailing the malicious campaign, accompanied by new indicators of compromise (IOCs).
Mitigation / How do I stay secure?
The ASD’s ACSC and Barracuda have notified and provided assistance to organisations known to be impacted by the malicious campaign. Continued analysis has not identified any additional victims; however, all organisations are encouraged to remain vigilant for any suspicious or malicious activity.
These new IOCs are provided to assist Australian organisations with strengthening the security of their networks.
For details on the campaign and associated IOCs, please refer to the following reports:
- Barracuda Email Security Gateway Appliance (ESG) Vulnerability (Barracuda)
- Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) (Mandiant)
- CISA Releases IOCs Associated with Malicious Barracuda Activity (CISA)
Assistance / Where can I go for help?
The ASD’s ACSC can provide assistance and advice as required. Organisations that have been impacted, or that require further advice or assistance, can contact us via 1300 CYBER1 (1300 292 371) or lodge a cyber security incident report at https://cyber.gov.au/report.