FBI: Who was going around hijacking Barracuda email boxes? China, probably

The FBI has warned owners of Barracuda Email Security Gateway (ESG) appliances the devices are likely undergoing attack by snoops linked to China, and removing the machines from service remains the safest course of action. The attackers are exploiting CVE-2023-2868, a critical remote command injection vulnerability that was …

  1. Anonymous Coward (icon: Terminator)

    With the FBI and Mandiant on the job, I feel safer already /s

    CVE-2023-286: “There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE.”

    UNC4841: “sent emails to victim organizations that contained malicious file attachments designed to exploit CVE-2023-2868 to gain initial access to vulnerable Barracuda ESG appliances”

  2. sitta_europea

    So this is essentially a worm?

  3. Anonymous Anti-ANC South African Coward

    We had a 'cuda firewall prior, but it has been decommed for the past 2 years.

    Will it help if you stick a non-'cuda firewall in front of the 'cuda appliance?

    1. sitta_europea

      Probably not, because the compromise happens when the appliance processes the malicious mail message.

      Most firewalls don't look at the content of the traffic which they police. Typically a firewall blocks connections based on whether or not the connection is 'to be expected'.

      Aside from connections from known bad sources, most connections to a mail appliance to offer a mail message to it will come under the 'to be expected' heading. These messages can come from absolutely *anywhere*, so blocking things like source IPs, ASNs, country codes, domains etc., won't do the job.

      If the firewall permits the mail message to reach the appliance, it's game over.

      If the firewall does deep packet inspection and prevents the message from being processed then yes, that will help, until the adversary gets wise to it and crafts a message which the firewall accepts.

      It's easy enough to block these messages at the mail server, assuming that (1) such a facility exists, (2) the admin knows what he's looking for so he can write, for example, a Yara rule, and (3, of course) the server itself isn't vulnerable.

      I've had nothing but trouble from fancy gateways.

      Keep It Simple. The more complicated things are, the more likely they are to have vulnerabilities.
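The point made in that reply, that once the firewall lets the message through the only place left to catch it is wherever the attachment gets parsed, as an added example that is not code from this thread, The Register or Barracuda. Barracuda's own advisory describes CVE-2023-2868 as incomplete sanitising of file names inside .tar attachments, so the scanner below walks an inbound message, opens any tar attachment in memory and flags member names that carry shell metacharacters. The regex, the function names and the sample messages are my own constructions for illustration; a real deployment would hang this off a milter or a content filter on the mail server.

```python
"""Mail-server-side check for suspicious tar attachments.

Added example, not code from the thread or from Barracuda. It assumes the
malicious message is ordinary inbound mail with an attachment, so the check
has to run where the attachment is parsed, not at a packet-filtering firewall.
The indicator (shell metacharacters inside a tar member name) is the
hypothetical signature chosen here for illustration.
"""
import email
import email.policy
import io
import re
import tarfile
from email.message import EmailMessage

# Characters that mean something to a POSIX shell; a file name inside an
# archive has no honest reason to contain any of them.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n\r]")


def tar_member_findings(data: bytes) -> list:
    """Return the member names in a tar blob that carry shell metacharacters.

    An archive the tar parser cannot read at all is reported as a finding too,
    because a malformed archive is exactly what a parser bug gets fed.
    """
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                if SHELL_META.search(member.name):
                    findings.append(member.name)
    except tarfile.ReadError:
        findings.append("<unparseable tar archive>")
    return findings


def scan_message(raw: bytes) -> list:
    """Walk a raw RFC 5322 message and report (attachment, member) hits."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = []
    for part in msg.walk():
        name = part.get_filename() or ""
        is_tar = (part.get_content_type() == "application/x-tar"
                  or name.lower().endswith(".tar"))
        if not is_tar:
            continue
        payload = part.get_payload(decode=True)  # base64 is undone here
        if payload is None:
            continue
        for hit in tar_member_findings(payload):
            report.append((name, hit))
    return report


def build_tar(member_names) -> bytes:
    """Constructed sample: an in-memory tar with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in member_names:
            info = tarfile.TarInfo(name=n)
            body = b"placeholder"
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def build_message(tar_bytes: bytes, filename: str) -> bytes:
    """Constructed sample: a minimal inbound mail carrying one tar attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "mailbox@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached archive.")
    msg.add_attachment(tar_bytes, maintype="application", subtype="x-tar",
                       filename=filename)
    return bytes(msg)


# Two constructed messages: one with ordinary member names, one whose
# archive contains a member name a naive shell-based extractor would mangle.
BENIGN = build_message(build_tar(["report.pdf", "notes/readme.txt"]), "q3.tar")
SUSPICIOUS = build_message(build_tar(["report.pdf", "x`id`.txt"]), "q3.tar")

if __name__ == "__main__":
    print("benign:", scan_message(BENIGN))
    print("suspicious:", scan_message(SUSPICIOUS))
```

The benign message yields an empty report; the second one reports the offending member name together with the attachment it came from, which is the kind of detail a quarantine log or a YARA-style rule needs and a firewall looking only at source IPs and ports can never see.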

  4. Rainer (icon: Holmes)

    likely true

    I looked into this when our appliances were... visited (I am not responsible for them - I would have shut them off a long time ago, and a couple of weeks earlier, Barracuda had suffered some sort of breach for their hosted service, which it kind of swept under the rug....

    Anyway - I took two of the IPs from the IOC list and did some digging. At least one pointed to an ISP in Hong Kong, boasting great connectivity to China - and prominently accepted various forms of crypto payment.

    I did a reverse-DNS search and saw that the IP hosted a lot of domains that looked like they had been acquired from some sort of Chinese domain marketplace.

    I mean, the line between "professional hackers for profit" and APT-style, government-sponsored groups is likely very thin anyway, but this one somehow had this "uncanny valley" feeling you get when something is too easy, too simple.

    1. Anonymous Coward (icon: Alien)

      An ISP in Hong Kong with great connectivity to China

      Rainer: “I took two of the IPs from the IOC list and did some digging. At least one pointed to an ISP in Hong Kong, boasting great connectivity to China”

      Yea, whenever I do any hackin, I always do it from IP addresses pointing back to me.

  5. Potemkine!

    In June, the supplier recommended replacing the appliances, even if they had been patched.

    Will the supplier pay for the replacements, as it is the main culprit?
