Cyber Incident Victim: Barracuda
Date: Oct 2022
Location: United States of America
Summary
A zero-day vulnerability in Barracuda's Email Security Gateway appliances was exploited to deploy custom malware, enabling persistent backdoor access, command execution, data exfiltration, and network traffic monitoring. Attackers used trojanized modules including Saltwater for command execution and file transfers, SeaSpy for persistence activated by "magic packets", and SeaSide for establishing reverse shells through manipulated SMTP commands. The company identified suspicious traffic, patched all affected systems, blocked attacker access, and notified impacted customers to replace compromised appliances and rotate credentials. Evidence confirmed data theft from breached devices, and security advisories urged scrutiny of network logs for malicious indicators. The incident impacted a subset of appliances used by numerous organizations globally.
Description
The Barracuda Email Security Gateway (ESG) appliance zero-day exploitation began in October 2022, when threat actors first leveraged CVE-2023-2868 to compromise a subset of ESG devices. Attackers deployed custom malware to establish persistent access, including Saltwater, a trojanized version of Barracuda's SMTP daemon (bsmtpd) that enabled command execution, file transfers, and traffic tunneling. Two further malware strains, SeaSpy and SeaSide, provided additional persistence mechanisms: SeaSpy monitored SMTP port traffic and was activated by a "magic packet", while SeaSide established reverse shells via SMTP HELO/EHLO commands directed by attacker-controlled servers. Evidence confirmed data exfiltration from compromised appliances. The campaign remained undetected until May 18, 2023, when Barracuda identified anomalous traffic patterns, prompting engagement with Mandiant for forensic analysis.

Barracuda patched all ESG appliances by May 20, 2023, after confirming the vulnerability’s existence on May 19. On May 21, a dedicated script blocked attacker access to breached devices. The company notified impacted customers through ESG user interfaces on May 24, urging them to investigate lateral movement risks. CISA added CVE-2023-2868 to its known exploited vulnerabilities catalog shortly thereafter, signaling federal agency scrutiny. Affected organizations were advised to replace compromised appliances, rotate linked credentials, and audit network logs for attacker IPs and IOCs. Barracuda’s containment strategy included additional security patches across its appliance fleet, emphasizing risks to over 200,000 global clients, including major corporations like Samsung and Delta Airlines. The incident highlighted prolonged attacker access spanning seven months before detection.
