Advanced persistent threat (APT) attacks exploiting a remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances, originally a zero-day, have been detected by the US Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability, according to a CISA alert, was used to plant malware payloads of Seapsy and Whirlpool backdoors on the compromised devices.
Seapsy is a known persistent, passive backdoor that masquerades as a legitimate Barracuda service, "BarracudaMailService", and allows the threat actors to execute arbitrary commands on the ESG appliance. Whirlpool is a newly identified backdoor that the attackers used to establish a Transport Layer Security (TLS) reverse shell to their command-and-control (C2) server.
“CISA obtained four malware samples — including Seapsy and Whirlpool backdoors,” the CISA alert said. “The device was compromised by threat actors exploiting the Barracuda ESG vulnerability.”
Tracked as CVE-2023-2868, the vulnerability allows remote command execution on ESG appliances running versions 5.1.3.001 to 9.2.0.006.
A long list of Barracuda offenders