The Federal Bureau of Investigation (FBI) has issued a warning that Chinese hackers are continuing to gain access to Barracuda email security appliances, even those that have been patched against a recently disclosed zero-day vulnerability, and has urged organizations to remove the appliances immediately.

The vulnerability, tracked as CVE-2023-2868, affects Barracuda Networks' Email Security Gateway (ESG) appliances and is triggered when the appliance screens email attachments. It is a remote command injection vulnerability that allows unauthorized execution of system commands with administrator privileges on the ESG appliance. Barracuda issued a patch for the flaw on May 20, 2023, one day after identifying attacks on May 19.

The vulnerability can be exploited via maliciously formatted TAR file attachments sent to any email address on a domain protected by an ESG appliance. When the appliance scans such an attachment, the malformed content results in a command injection, and the attacker's system commands run with the privileges of the ESG process. No user interaction is required to exploit the vulnerability.
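The flaw class described above, a scanner that hands attacker-controlled archive content to a shell, can be checked for at the mail gateway before any scanner touches the file. The following is an added example written for this article, not Barracuda's code and not derived from the ESG appliance. It assumes, as a labelled assumption, that the dangerous input is the member names inside the TAR archive; the vulnerable and hardened command builders (`unsafe_scan_command`, `safe_scan_argv`) and the `file` utility they reference are illustrative only.

```python
import io
import re
import tarfile

# Characters a POSIX shell treats specially. An archive member name containing
# any of these must never be interpolated into a command string.
SHELL_METACHARS = re.compile(r"[;&|`$<>()\n\r\\'\"]")


def build_tar(member_names):
    """Build an in-memory TAR with empty members (constructed sample data, not a real attachment)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def suspicious_member_names(tar_bytes):
    """Return member names that carry shell metacharacters or path traversal.

    Assumption: member names are the attacker-controlled field that reaches a
    command line; the check is deliberately conservative.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for info in tar.getmembers():
            parts = info.name.split("/")
            if (SHELL_METACHARS.search(info.name)
                    or info.name.startswith("/")
                    or ".." in parts):
                flagged.append(info.name)
    return flagged


def unsafe_scan_command(name):
    """The bug class: a member name pasted into a shell command string.

    Returned as a string only to show what a shell would receive; never executed.
    """
    return "file -- " + name


def safe_scan_argv(name):
    """Hardened form: the name travels as a single argv element and no shell parses it.

    Pass this list to subprocess.run(argv) without shell=True.
    """
    return ["file", "--", name]


def triage_attachment(tar_bytes):
    """Gate an attachment before scanning: quarantine on any suspicious member name
    or on an archive the parser cannot read."""
    try:
        bad = suspicious_member_names(tar_bytes)
    except tarfile.TarError:
        return {"quarantine": True, "reasons": ["unparseable TAR archive"]}
    if bad:
        return {"quarantine": True,
                "reasons": [f"suspicious member name: {n!r}" for n in bad]}
    return {"quarantine": False, "reasons": []}


if __name__ == "__main__":
    clean = build_tar(["invoice.pdf", "q1/report.docx"])
    hostile = build_tar(["ok.txt", "a;id", "../etc/passwd"])
    print(triage_attachment(clean))
    print(triage_attachment(hostile))
    print(unsafe_scan_command("a;id"), "->", safe_scan_argv("a;id"))
```

The gate runs on the archive listing only, so it adds no extraction step; a hit should produce a quarantine event and an alert rather than a silent drop, since a burst of such attachments across many recipients is itself a signal worth investigating.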

According to the FBI, Chinese hackers have been exploiting the vulnerability since October 2022 as part of a state-run cyberespionage operation and have compromised hundreds of appliances. Mandiant assisted with investigating the hacks and said this is the broadest cyber espionage campaign conducted by Chinese state-sponsored hackers since the mass exploitation of a Microsoft Exchange vulnerability in 2021.

In a Flash Alert issued on Wednesday, the FBI recommended that all affected devices be replaced immediately. "The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately," the alert states, adding that the patches released by Barracuda to address the flaw were ineffective.

The advice follows that of Barracuda, which said in June that all hacked Email Security Gateway appliances should be replaced immediately, regardless of whether patches had been applied. Even after patching, continued malicious activity was observed on previously compromised devices. A new form of malware, dubbed Submarine, was deployed on compromised appliances; it resides in a structured query language (SQL) database on the appliance and acts as a backdoor that provides persistent access.

Vulnerabilities can exist in any software solution, even those that are meant to provide protection. This is why it is important to have multiple layers of protection: if one layer fails, others are there to detect and block threats. Many threats start with a malicious email, which is why email security is so important. Having SpamTitan Plus in place will provide a high degree of protection and will stop malware from reaching its intended recipient. SpamTitan Plus is a leading-edge, AI-driven anti-phishing and anti-malware solution with the newest "zero-day" threat protection and intelligence. The solution includes 100% coverage of all current market-leading anti-phishing feeds and provides 1.6x faster detection of threats than the current market leaders. SpamTitan Plus provides unrivaled protection against malicious links in emails and includes signature-based malware detection and behavioral detection through sandboxing. For more information on SpamTitan Plus, give the TitanHQ team a call.

Jennifer Marsh

With a background in software engineering, Jennifer Marsh has a passion for hacking and researching the latest cybersecurity trends. Jennifer has contributed to TechCrunch, Microsoft, IBM, Adobe, and CloudLinux. When Jennifer is not programming for her latest personal development project or researching the latest cybersecurity trends, she spends time fostering Corgis.