{
	"id": "d2e208e5-f707-4605-a21a-73fd2502b4d5",
	"created_at": "2026-04-06T00:06:25.577546Z",
	"updated_at": "2026-04-10T13:12:44.973851Z",
	"deleted_at": null,
	"sha1_hash": "71e113de64379fed0140155c9d94b81885ad3993",
	"title": "Barracuda Email Security Gateway Appliance (ESG) Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 135688,
	"plain_text": "Barracuda Email Security Gateway Appliance (ESG) Vulnerability\r\nBy Barracuda Networks\r\nPublished: 2025-03-11 · Archived: 2026-04-05 12:51:40 UTC\r\nJANUARY 4th, 2024:\r\nOn 12/29/2023, version 0.66 of Spreadsheet::ParseExcel was published. This release fixes CVE-2023-7101.\r\nhttps://metacpan.org/dist/Spreadsheet-ParseExcel/changes\r\nFor organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and upgrading to the latest version of Spreadsheet::ParseExcel.\r\nDECEMBER 24th, 2023:\r\nIn our ongoing investigation, Barracuda has determined that a threat actor has utilized an Arbitrary Code Execution (ACE) vulnerability within a third party library, Spreadsheet::ParseExcel, to deploy a specially crafted Excel email attachment to target a limited number of ESG devices. Spreadsheet::ParseExcel is an open source library used by the Amavis virus scanner within the ESG appliance. Barracuda, working in collaboration with Mandiant, assesses this activity is attributable to continued operations of the China nexus actor tracked as UNC4841.\r\nOn December 21, 2023, Barracuda deployed a security update to all active ESGs to address the ACE vulnerability in Spreadsheet::ParseExcel. The security update has been automatically applied, requiring no action by the customer.\r\nFollowing UNC4841’s exploitation of the ACE vulnerability (CVE-2023-7102), Barracuda has observed new variants of SEASPY and SALTWATER malware deployed to a limited number of ESG devices. On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants.\r\nNo action is required by customers at this time, and our investigation is ongoing.\r\nBarracuda has filed CVE-2023-7102 in relation to Barracuda’s use of Spreadsheet::ParseExcel, which has been patched. 
In addition, in order to increase public awareness of the ACE vulnerability in Spreadsheet::ParseExcel, Barracuda has filed CVE-2023-7101. At the time of this update, there is no known patch or update available to remediate CVE-2023-7101 within the open source library. For organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and promptly taking necessary remediation measures.\r\nTo assist organizations with hunting for this UNC4841 activity, Indicators of Compromise have been added to the IOC tables below.\r\nCurrent Indicators of Compromise (IOCs)\r\nHost IOCs\r\nNetwork IOCs\r\nhttps://www.barracuda.com/company/legal/esg-vulnerability\r\nPage 1 of 31\r\nAUGUST 29th, 2023:\r\nToday, Mandiant published an updated blog post 
(https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation) which further analyzed the actions of the Chinese-nexus threat group tracked as UNC4841. As noted in the blog, Mandiant and Barracuda have not identified any newly compromised ESG appliances post release of the security patch on May 20, 2023, which remediated the zero day ESG vulnerability (CVE-2023-2868). Mandiant assesses that a limited number of previously impacted victims that have not followed Barracuda’s guidance to replace their impacted appliances may still face risk associated with this.\r\nBarracuda continues to recommend that impacted customers replace their compromised appliance. Only a limited number of ESG appliances worldwide were compromised, and impacted customers have been notified to replace the appliances. Barracuda is providing the replacement product to impacted customers at no cost. No other Barracuda product, including Barracuda’s SaaS email solutions, was impacted by this vulnerability.\r\nJULY 28th, 2023:\r\nWhile our investigation is still ongoing, Barracuda, in conjunction with Mandiant, analyzed the additional malware code named SUBMARINE by CISA in its report issued on July 28, 2023 (https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors). This additional malware was utilized by the threat actor in response to Barracuda’s remediation actions in an attempt to create persistent access on customer ESG appliances. This malware appeared on a very small number of already compromised ESG appliances. Barracuda’s recommendation is unchanged. 
Customers should discontinue use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance.\r\nJUNE 15th, 2023:\r\nBarracuda ESG Appliance Vulnerability Status Update\r\nWhile our investigation is still ongoing, Barracuda now has a more comprehensive understanding of the incident, including that exploitation occurred on a subset of compromised Barracuda Email Security Gateway (ESG) appliances by an aggressive and highly skilled actor conducting targeted activity which, as reported by Mandiant, has suspected links to China. Consistent with our previous updates, we are sharing additional technical details to support our customers and partners. We are also publishing additional indicators of compromise that organizations can leverage for their network defenses.\r\nFor more technical details on the Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868), please read Mandiant’s blog at https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally. Along with this blog post, Mandiant has produced detailed Hardening Recommendations to assist organizations with this event.\r\nAttribution\r\nMandiant assessed with high confidence that the threat actor, identified as UNC4841, who exploited the ESG zero-day vulnerability, conducted targeted information gathering activity from a subset of organizations in support of the People’s Republic of China.\r\nOur priority throughout this incident has been transparency around what we know as well as the actions we’ve taken. 
As discussed in our guidance released on May 31, 2023, and reiterated on June 6, 2023, we recommend immediate replacement of compromised ESG appliances, regardless of patch level.\r\nJUNE 15th, 2023:\r\nCurrent Indicators of Compromise (IOCs)\r\nNetwork IOCs\r\n
Domain\r\nEndpoint IOCs\r\n
Detection Rules\r\nYara\r\nrule M_Hunting_Exploit_Archive_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for TAR archives with /tmp/ base64 encoded being part of filename of enclosed files\"\r\n        md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n    strings:\r\n        $ustar = { 75 73 74 61 72 }\r\n        $b64_tmp = \"/tmp/\" base64\r\n    condition:\r\n        filesize \u003c 1MB and\r\n        $ustar at 257 and\r\n        for any i in (0 .. #ustar) : (\r\n            $b64_tmp in (i * 512 .. i * 512 + 250)\r\n        )\r\n}\r\nrule M_Hunting_Exploit_Archive_3\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for TAR archive with openssl base64 encoded being part of filename of enclosed files\"\r\n        md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n    strings:\r\n        $ustar = { 75 73 74 61 72 }\r\n        $b64_openssl = \"openssl\" base64\r\n    condition:\r\n        filesize \u003c 1MB and\r\n        $ustar at 257 and\r\n        for any i in (0 .. #ustar) : (\r\n            $b64_openssl in (i * 512 .. 
i * 512 + 250)\r\n        )\r\n}\r\nrule M_Hunting_Exploit_Archive_CVE_2023_2868\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868\"\r\n        md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n    strings:\r\n        $ustar = { 75 73 74 61 72 }\r\n        $qb = \"'`\"\r\n    condition:\r\n        filesize \u003c 1MB and\r\n        $ustar at 257 and\r\n        for any i in (0 .. #ustar) : (\r\n            $qb at (@ustar[i] + 255)\r\n        )\r\n}\r\nrule M_Hunting_Linux_SALTWATER_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for strings observed in SALTWATER samples.\"\r\n        md5 = \"827d507aa3bde0ef903ca5dec60cdec8\"\r\n    strings:\r\n        $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }\r\n        $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }\r\n        $s3 = { 71 75 69 74 0D 0A 00 00 00 12 8D 03 07 9C 17 92 08 F0 0C 9A 01 06 08 00 1A 0C 0B 8D 18 0A 0D 0A }\r\n    condition:\r\n        uint32(0) == 0x464c457f and any of them\r\n}\r\nrule M_Hunting_Linux_SALTWATER_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for strings observed in SALTWATER samples.\"\r\n        md5 = \"827d507aa3bde0ef903ca5dec60cdec8\"\r\n    strings:\r\n        $c1 = \"TunnelArgs\"\r\n        $c2 = \"DownloadChannel\"\r\n        $c3 = \"UploadChannel\"\r\n        $c4 = \"ProxyChannel\"\r\n        $c5 = \"ShellChannel\"\r\n        $c6 = \"MyWriteAll\"\r\n        $c7 = \"MyReadAll\"\r\n        $c8 = \"Connected2Vps\"\r\n        $c9 = \"CheckRemoteIp\"\r\n        $c10 = 
\"GetFileSize\"\r\n        $s1 = \"[-] error: popen failed\"\r\n        $s2 = \"/home/product/code/config/ssl_engine_cert.pem\"\r\n        $s3 = \"libbindshell.so\"\r\n    condition:\r\n        uint32(0) == 0x464c457f and (any of ($s*) or 4 of ($c*))\r\n}\r\nrule FE_Hunting_Linux_Funchook_FEBeta\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for strings observed in Funchook library - https://github.com/kubo/funchook\"\r\n        md5 = \"827d507aa3bde0ef903ca5dec60cdec8\"\r\n    strings:\r\n        $f = \"funchook_\"\r\n        $s1 = \"Enter funchook_create()\"\r\n        $s2 = \"Leave funchook_create() =\u003e %p\"\r\n        $s3 = \"Enter funchook_prepare(%p, %p, %p)\"\r\n        $s4 = \"Leave funchook_prepare(..., [%p-\u003e%p],...) =\u003e %d\"\r\n        $s5 = \"Enter funchook_install(%p, 0x%x)\"\r\n        $s6 = \"Leave funchook_install() =\u003e %d\"\r\n        $s7 = \"Enter funchook_uninstall(%p, 0x%x)\"\r\n        $s8 = \"Leave funchook_uninstall() =\u003e %d\"\r\n        $s9 = \"Enter funchook_destroy(%p)\"\r\n        $s10 = \"Leave funchook_destroy() =\u003e %d\"\r\n        $s11 = \"Could not modify already-installed funchook handle.\"\r\n        $s12 = \"  change %s address from %p to %p\"\r\n        $s13 = \"  link_map addr=%p, name=%s\"\r\n        $s14 = \"  ELF type is neither ET_EXEC nor ET_DYN.\"\r\n        $s15 = \"  not a valid ELF module %s.\"\r\n        $s16 = \"Failed to protect memory %p (size=%\"\r\n        $s17 = \"  protect memory %p (size=%\"\r\n        $s18 = \"Failed to unprotect memory %p (size=%\"\r\n        $s19 = \"  unprotect memory %p (size=%\"\r\n        $s20 = \"Failed to unprotect page %p (size=%\"\r\n        $s21 = \"  unprotect page %p (size=%\"\r\n        $s22 = \"Failed to protect page %p (size=%\"\r\n        $s23 = \"  protect page %p (size=%\"\r\n        $s24 = \"Failed to deallocate page %p 
(size=%\"\r\n        $s25 = \" deallocate page %p (size=%\"\r\n        $s26 = \"  allocate page %p (size=%\"\r\n        $s27 = \"  try to allocate %p but %p (size=%\"\r\n        $s28 = \"  allocate page %p (size=%\"\r\n        $s29 = \"Could not find a free region near %p\"\r\n        $s30 = \"  -- Use address %p or %p for function %p\"\r\n    condition:\r\n        uint32(0) == 0x464c457f and (#f \u003e 5 or 4 of ($s*))\r\n}\r\nrule M_Hunting_Linux_SEASPY_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for strings observed in SEASPY samples.\"\r\n        md5 = \"4ca4f582418b2cc0626700511a6315c0\"\r\n    strings:\r\n        $s1 = \"usage: ./BarracudaMailService \u003cNetwork-Interface\u003e. e.g.: ./BarracudaMailService eth0\"\r\n        $s2 = \"NO port code\"\r\n        $s3 = \"pcap_lookupnet: %s\"\r\n        $s4 = \"Child process id:%d\"\r\n        $s5 = \"[*]Success!\"\r\n        $s6 = \"enter open tty shell...\"\r\n    condition:\r\n        uint32(0) == 0x464c457f and all of ($s*)\r\n}\r\n//\r\n// SEASIDE\r\n//\r\nrule M_Hunting_Lua_SEASIDE_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for strings observed in SEASIDE samples.\"\r\n        md5 = \"cd2813f0260d63ad5adf0446253c2172\"\r\n    strings:\r\n        $s1 = \"function on_helo()\"\r\n        $s2 = \"local bindex,eindex = string.find(helo,'.onion')\"\r\n        $s3 = \"helosend = 'pd'..' 
'..helosend\"\r\n        $s4 = \"os.execute(helosend)\"\r\n    condition:\r\n        (filesize \u003c 1MB) and all of ($s*)\r\n}\r\nrule M_Hunting_SKIPJACK_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for strings observed in SKIPJACK installation script.\"\r\n        md5 = \"e4e86c273a2b67a605f5d4686783e0cc\"\r\n    strings:\r\n        $str1 = \"hdr:name() == 'Content-ID'\" base64\r\n        $str2 = \"hdr:body() ~= nil\" base64\r\n        $str3 = \"string.match(hdr:body(),\\\"^[%w%+/=\\\\r\\\\n]+$\\\")\" base64\r\n        $str4 = \"openssl aes-256-cbc\" base64\r\n        $str5 = \"mod_content.lua\"\r\n        $str6 = \"#!/bin/sh\"\r\n    condition:\r\n        all of them\r\n}\r\nrule M_Hunting_Lua_SKIPJACK_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for strings observed in SKIPJACK samples.\"\r\n        md5 = \"87847445f9524671022d70f2a812728f\"\r\n    strings:\r\n        $str1 = \"hdr:name() == 'Content-ID'\"\r\n        $str2 = \"hdr:body() ~= nil\"\r\n        $str3 = \"string.match(hdr:body(),\\\"^[%w%+/=\\\\r\\\\n]+$\\\")\"\r\n        $str4 = \"openssl aes-256-cbc\"\r\n        $str5 = \"| base64 -d| sh 2\u003e\"\r\n    condition:\r\n        all of them\r\n}\r\nrule M_Hunting_Lua_SEASPRAY_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for strings observed in SEASPRAY samples.\"\r\n        md5 = \"35cf6faf442d325961935f660e2ab5a0\"\r\n    strings:\r\n        $str1 = \"string.find(attachment:filename(),'obt075') ~= nil\"\r\n        $str2 = \"os.execute('cp '..tostring(tmpfile)..' /tmp/'..attachment:filename())\"\r\n        $str3 = \"os.execute('rverify'..' 
/tmp/'..attachment:filename())\"\r\n    condition:\r\n        all of them\r\n}\r\nrule M_Hunting_Linux_WHIRLPOOL_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule looking for strings observed in WHIRLPOOL samples.\"\r\n        md5 = \"177add288b289d43236d2dba33e65956\"\r\n    strings:\r\n        $s1 = \"error -1 exit\" fullword\r\n        $s2 = \"create socket error: %s(error: %d)\\n\" fullword\r\n        $s3 = \"connect error: %s(error: %d)\\n\" fullword\r\n        $s4 = {C7 00 20 32 3E 26 66 C7 40 04 31 00}\r\n        $c1 = \"plain_connect\" fullword\r\n        $c2 = \"ssl_connect\" fullword\r\n        $c3 = \"SSLShell.c\" fullword\r\n    condition:\r\n        filesize \u003c 15MB and uint32(0) == 0x464c457f and (all of ($s*) or all of ($c*))\r\n}\r\nSnort/Suricata\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_oXmp\"; flags:S; dsize:\u003e9; content:\"oXmp\"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_TfuZ\"; flags:S; dsize:\u003e9; content:\"TfuZ\"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1;)\r\nSuricata \u003e= 5.0.4\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_1358\"; flags:S; tcp.hdr; content:\"|05 4e|\"; offset:22; depth:2; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_58928\"; flags:S; tcp.hdr; content:\"|e6 30|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_58930\"; flags:S; tcp.hdr; 
content:\"|e6 32|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; byte_test:2,\u003e,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000004; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_60826\"; flags:S; tcp.hdr; content:\"|ed 9a|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000005; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_60828\"; flags:S; tcp.hdr; content:\"|ed 9c|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; byte_test:2,\u003e,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000006; rev:1;)\r\nJUNE 6th, 2023 (Updated on JUNE 15th, 2023):\r\nAction Notice: Compromised ESG appliances must be immediately replaced regardless of patch version level. Only a subset of ESG appliances have shown any known indicators of compromise, and these are identified by a message in the appliance User Interface.\r\nIf you have not replaced your appliance after receiving notice of compromise in your UI, contact Barracuda support (support@barracuda.com).\r\nBarracuda’s ESG appliance remediation recommendation for compromised appliances continues to be replacement of the compromised ESG.\r\nJUNE 1st, 2023:\r\nPreliminary Summary of Key Findings\r\nDocument History\r\nVersion/Date: Notes\r\n1.0, May 30, 2023: Initial Document\r\n1.1, June 1, 2023: Additional IOCs and rules included\r\nBarracuda Networks’ priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks. 
Although our investigation is ongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise (IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.\r\nTimeline\r\n- On May 18, 2023, Barracuda was alerted to anomalous traffic originating from Barracuda Email Security Gateway (ESG) appliances.\r\n- On May 18, 2023, Barracuda engaged Mandiant, leading global cyber security experts, to assist in the investigation.\r\n- On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG).\r\n- On May 20, 2023, a security patch to remediate the vulnerability was applied to all ESG appliances worldwide.\r\n- On May 21, 2023, a script was deployed to all impacted appliances to contain the incident and counter unauthorized access methods.\r\n- A series of security patches are being deployed to all appliances in furtherance of our containment strategy.\r\nKey Findings\r\nWhile the investigation is still ongoing, Barracuda has concluded the following:\r\n- The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified.\r\n- Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.\r\n- Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances.\r\n- Malware was identified on a subset of appliances allowing for persistent backdoor access.\r\n- Evidence of data exfiltration was identified on a subset of impacted appliances.\r\n- Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers. 
Additional customers may be identified in the course of the investigation.\r\nCVE-2023-2868\r\nOn May 19, 2023, Barracuda Networks identified a remote command injection vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway (appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product.\r\nBarracuda's investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances.\r\nMalware\r\nThis section details the malware that has been identified to date. To assist in tracking, codenames for the malware have been assigned.\r\nSALTWATER\r\nSALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. The capabilities of SALTWATER include the ability to upload or download arbitrary files, execute commands, as well as proxy and tunneling capabilities.\r\nIdentified at path: /home/product/code/firmware/current/lib/smtp/modules on a subset of ESG appliances.\r\nThe backdoor is implemented using hooks on the send, recv, and close syscalls and amounts to five components, most of which are referred to as “Channels” within the binary. In addition to providing proxying capabilities, these components exhibit backdoor functionality. 
The five (5) channels can be seen in the list below.\r\nDownloadChannel\r\nUploadChannel\r\nProxyChannel\r\nShellChannel\r\nTunnelArgs\r\nMandiant is still analyzing SALTWATER to determine if it overlaps with any other known malware families.\r\nTable 1 below provides the file metadata related to a SALTWATER variant.\r\nName: mod_udp.so\r\nSHA256: 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4\r\nMD5: 827d507aa3bde0ef903ca5dec60cdec8\r\nFile Type: ELF x86\r\nSize (Bytes): 1,879,643\r\nTable 1: SALTWATER variant metadata\r\nSEASPY\r\nSEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as\r\na PCAP filter, specifically monitoring traffic on port 25 (SMTP) and port 587. SEASPY contains backdoor functionality that\r\nis activated by a \"magic packet\".\r\nIdentified at path: /sbin/ on a subset of ESG appliances.\r\nMandiant analysis has identified code overlap between SEASPY and cd00r, a publicly available backdoor.\r\nTable 2 below provides the file metadata related to a SEASPY variant.\r\nName: BarracudaMailService\r\nSHA256: 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115\r\nMD5: 4ca4f582418b2cc0626700511a6315c0\r\nFile Type: ELF x64\r\nSize (Bytes): 2,924,217\r\nTable 2: SEASPY variant metadata\r\nSEASIDE\r\nSEASIDE is a Lua-based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands\r\nto receive a command and control (C2) IP address and port, which it passes as arguments to an external binary that\r\nestablishes a reverse shell.\r\nTable 3 below provides the file metadata related to SEASIDE.\r\nName: mod_require_helo.lua\r\nSHA256: fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8\r\nMD5: cd2813f0260d63ad5adf0446253c2172\r\nFile Type: Lua module\r\nSize (Bytes): 2,724\r\nTable 3: SEASIDE metadata\r\nRecommendations For Impacted Customers\r\n1. 
Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda.\r\nContact Barracuda support (support@barracuda.com) to validate if the appliance is up to date.\r\n2. Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to\r\nobtain a new ESG virtual or hardware appliance.\r\n3. Rotate any applicable credentials connected to the ESG appliance:\r\n- Any connected LDAP/AD\r\n- Barracuda Cloud Control\r\n- FTP Server\r\n- SMB\r\n- Any private TLS certificates\r\n4. Review your network logs for any of the IOCs listed below and any unknown IPs.\r\nContact compliance@barracuda.com if any are identified.\r\nTo support customers in the investigations of their environments, we are providing a list of all endpoint and network\r\nindicators observed over the course of the investigation to date. We have also developed a series of YARA rules that can be\r\nfound in the section below.\r\nEndpoint IOCs\r\nTable 4 lists the endpoint IOCs, including malware and utilities, attributed to attacker activity during the investigation.\r\nNo. File Name MD5 Hash Type\r\n1 appcheck.sh N/A Bash script\r\n2 aacore.sh N/A Bash script\r\n3 1.sh N/A Bash script\r\n4 mod_udp.so 827d507aa3bde0ef903ca5dec60cdec8 SALTWATER Variant\r\n5 intent N/A N/A\r\n6 install_helo.tar 2ccb9759800154de817bf779a52d48f8 TAR Package\r\n7 intent_helo f5ab04a920302931a8bd063f27b745cc Bash script\r\n8 pd 177add288b289d43236d2dba33e65956 Reverse Shell\r\n9 update_v31.sh 881b7846f8384c12c7481b23011d8e45 Bash script\r\n10 mod_require_helo.lua cd2813f0260d63ad5adf0446253c2172 SEASIDE\r\n11 BarracudaMailService 82eaf69de710abdc5dea7cd5cb56cf04 SEASPY\r\n12 BarracudaMailService e80a85250263d58cc1a1dc39d6cf3942 SEASPY\r\n13 BarracudaMailService 5d6cba7909980a7b424b133fbac634ac SEASPY\r\n14 BarracudaMailService 
1bbb32610599d70397adfdaf56109ff3 SEASPY\r\n15 BarracudaMailService 4b511567cfa8dbaa32e11baf3268f074 SEASPY\r\n16 BarracudaMailService a08a99e5224e1baf569fda816c991045 SEASPY\r\n17 BarracudaMailService 19ebfe05040a8508467f9415c8378f32 SEASPY\r\n18 mod_udp.so 1fea55b7c9d13d822a64b2370d015da7 SALTWATER Variant\r\n19 mod_udp.so 64c690f175a2d2fe38d3d7c0d0ddbb6e SALTWATER Variant\r\n20 mod_udp.so 4cd0f3219e98ac2e9021b06af70ed643 SALTWATER Variant\r\nTable 4: Endpoint IOCs\r\nNetwork IOCs\r\nTable 5 lists the network IOCs, including IP addresses and domain names, attributed to attacker activity during the\r\ninvestigation.\r\nNo. Indicator ASN Location\r\n1 xxl17z.dnslog.cn N/A N/A\r\n2 mx01.bestfindthetruth.com N/A N/A\r\n3 64.176.7.59 AS-CHOOPA US\r\n4 64.176.4.234 AS-CHOOPA US\r\n5 52.23.241.105 AMAZON-AES US\r\n6 23.224.42.5 CloudRadium L.L.C US\r\n7 192.74.254.229 PEG TECH INC US\r\n8 192.74.226.142 PEG TECH INC US\r\n9 155.94.160.72 QuadraNet Enterprises LLC US\r\n10 139.84.227.9 AS-CHOOPA US\r\n11 137.175.60.253 PEG TECH INC US\r\n12 137.175.53.170 PEG TECH INC US\r\n13 137.175.51.147 PEG TECH INC US\r\n14 137.175.30.36 PEG TECH INC US\r\n15 137.175.28.251 PEG TECH INC US\r\n16 137.175.19.25 PEG TECH INC US\r\n17 107.148.219.227 PEG TECH INC US\r\n18 107.148.219.55 PEG TECH INC US\r\n19 107.148.219.54 PEG TECH INC US\r\n20 107.148.219.53 PEG TECH INC US\r\n21 107.148.219.227 PEG TECH INC US\r\n22 107.148.149.156 PEG TECH INC US\r\n23 104.223.20.222 QuadraNet Enterprises LLC US\r\n24 103.93.78.142 EDGENAP LTD JP\r\n25 103.27.108.62 TOPWAY GLOBAL LIMITED HK\r\n26 137.175.30.86 PEGTECHINC US\r\n27 199.247.23.80 AS-CHOOPA DE\r\n28 38.54.1.82 KAOPU CLOUD HK LIMITED SG\r\n29 107.148.223.196 PEGTECHINC US\r\n30 23.224.42.29 CNSERVERS US\r\n31 137.175.53.17 PEGTECHINC US\r\n32 103.146.179.101 GIGABITBANK GLOBAL HK\r\nTable 5: Network IOCs\r\nYARA 
Rules\r\nCVE-2023-2868\r\nThe following three (3) YARA rules can be used to hunt for the malicious TAR file which exploits CVE-2023-2868:\r\nrule M_Hunting_Exploit_Archive_2\r\n {\r\n     meta:\r\n         description = \"Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed files\"\r\n         date_created = \"2023-05-26\"\r\n         date_modified = \"2023-05-26\"\r\n         md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n         version = \"1.0\"\r\n     strings:\r\n         $ustar = { 75 73 74 61 72 }\r\n         $b64_tmp = \"/tmp/\" base64\r\n     condition:\r\n         filesize \u003c 1MB and\r\n         $ustar at 257 and\r\n         for any i in (0 .. #ustar) : (\r\n             $b64_tmp in (i * 512 .. i * 512 + 250)\r\n         )\r\n }\r\nrule M_Hunting_Exploit_Archive_3\r\n {\r\n     meta:\r\n         description = \"Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files\"\r\n         date_created = \"2023-05-26\"\r\n         date_modified = \"2023-05-26\"\r\n         md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n         version = \"1.0\"\r\n     strings:\r\n         $ustar = { 75 73 74 61 72 }\r\n         $b64_openssl = \"openssl\" base64\r\n     condition:\r\n         filesize \u003c 1MB and\r\n         $ustar at 257 and\r\n         for any i in (0 .. #ustar) : (\r\n             $b64_openssl in (i * 512 .. i * 512 + 250)\r\n         )\r\n }\r\nrule M_Hunting_Exploit_Archive_CVE_2023_2868\r\n {\r\n     meta:\r\n         description = \"Looks for TAR archive with single quote/backtick as start of filename of enclosed files. 
CVE-2023-2868\"\r\n         date_created = \"2023-05-26\"\r\n         date_modified = \"2023-05-26\"\r\n         md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n         version = \"1.0\"\r\n     strings:\r\n         $ustar = { 75 73 74 61 72 }\r\n         $qb = \"'`\"\r\n     condition:\r\n         filesize \u003c 1MB and\r\n         $ustar at 257 and\r\n         for any i in (0 .. #ustar) : (\r\n             $qb at (@ustar[i] + 255)\r\n         )\r\n }\r\nSALTWATER\r\nThe following three (3) YARA rules can be used to hunt for SALTWATER:\r\nrule M_Hunting_Linux_Funchook\r\n {\r\n     strings:\r\n         $f = \"funchook_\"\r\n         $s1 = \"Enter funchook_create()\"\r\n         $s2 = \"Leave funchook_create() =\u003e %p\"\r\n         $s3 = \"Enter funchook_prepare(%p, %p, %p)\"\r\n         $s4 = \"Leave funchook_prepare(..., [%p-\u003e%p],...) =\u003e %d\"\r\n         $s5 = \"Enter funchook_install(%p, 0x%x)\"\r\n         $s6 = \"Leave funchook_install() =\u003e %d\"\r\n         $s7 = \"Enter funchook_uninstall(%p, 0x%x)\"\r\n         $s8 = \"Leave funchook_uninstall() =\u003e %d\"\r\n         $s9 = \"Enter funchook_destroy(%p)\"\r\n         $s10 = \"Leave funchook_destroy() =\u003e %d\"\r\n         $s11 = \"Could not modify already-installed funchook handle.\"\r\n         $s12 = \"  change %s address from %p to %p\"\r\n         $s13 = \"  link_map addr=%p, name=%s\"\r\n         $s14 = \"  ELF type is neither ET_EXEC nor ET_DYN.\"\r\n         $s15 = \"  not a valid ELF module %s.\"\r\n         $s16 = \"Failed to protect memory %p (size=%\"\r\n         $s17 = \"  protect memory %p (size=%\"\r\n         $s18 = \"Failed to unprotect memory %p (size=%\"\r\n         $s19 = \"  unprotect memory %p (size=%\"\r\n         $s20 = \"Failed to unprotect page %p (size=%\"\r\n         $s21 = \"  unprotect page %p (size=%\"\r\n         $s22 = \"Failed to protect page %p (size=%\"\r\n         $s23 = \"  
protect page %p (size=%\"\r\n         $s24 = \"Failed to deallocate page %p (size=%\"\r\n         $s25 = \" deallocate page %p (size=%\"\r\n         $s26 = \"  allocate page %p (size=%\"\r\n         $s27 = \"  try to allocate %p but %p (size=%\"\r\n         $s28 = \"  allocate page %p (size=%\"\r\n         $s29 = \"Could not find a free region near %p\"\r\n         $s30 = \"  -- Use address %p or %p for function %p\"\r\n     condition:\r\n         filesize \u003c 15MB and uint32(0) == 0x464c457f and (#f \u003e 5 or 4 of ($s*))\r\n }\r\nrule M_Hunting_Linux_SALTWATER_1\r\n {\r\n     strings:\r\n         $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }\r\n         $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }\r\n     condition:\r\n         filesize \u003c 15MB and uint32(0) == 0x464c457f and any of them\r\n }\r\nrule M_Hunting_Linux_SALTWATER_2\r\n {\r\n     strings:\r\n         $c1 = \"TunnelArgs\"\r\n         $c2 = \"DownloadChannel\"\r\n         $c3 = \"UploadChannel\"\r\n         $c4 = \"ProxyChannel\"\r\n         $c5 = \"ShellChannel\"\r\n         $c6 = \"MyWriteAll\"\r\n         $c7 = \"MyReadAll\"\r\n         $c8 = \"Connected2Vps\"\r\n         $c9 = \"CheckRemoteIp\"\r\n         $c10 = \"GetFileSize\"\r\n         $s1 = \"[-] error: popen failed\"\r\n         $s2 = \"/home/product/code/config/ssl_engine_cert.pem\"\r\n         $s3 = \"libbindshell.so\"\r\n     condition:\r\n         filesize \u003c 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*))\r\n }\r\nThe following SNORT rule can be used to hunt for SEASPY magic packets:\r\nalert tcp any any -\u003e any [25,587] (msg:\"M_Backdoor_SEASPY\"; flags:S; dsize:\u003e9; content:\"oXmp\"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1;)\r\nThe following SNORT rules 
require Suricata 5.0.4 or newer and can be used to hunt for SEASPY magic packets:\r\nalert tcp any any -\u003e any [25,587] (msg:\"M_Backdoor_SEASPY_1358\"; flags:S; tcp.hdr; content:\"|05 4e|\"; offset:22; depth:2; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1;)\r\nalert tcp any any -\u003e any [25,587] (msg:\"M_Backdoor_SEASPY_58928\"; flags:S; tcp.hdr; content:\"|e6 30|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1;)\r\nalert tcp any any -\u003e any [25,587] (msg:\"M_Backdoor_SEASPY_58930\"; flags:S; tcp.hdr; content:\"|e6 32|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; byte_test:2,\u003e,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)\r\nMAY 30th, 2023:\r\nPreliminary Summary of Key Findings\r\nBarracuda Networks' priorities throughout this incident have been transparency and to use this as an opportunity to\r\nstrengthen our policies, practices, and technology to further protect against future attacks. 
Although our investigation is\r\nongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise\r\n(IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.\r\nTimeline\r\nOn May 18, 2023, Barracuda was alerted to anomalous traffic originating from Barracuda Email Security Gateway\r\n(ESG) appliances.\r\nOn May 18, 2023, Barracuda engaged Mandiant, leading global cyber security experts, to assist in the investigation.\r\nOn May 19, 2023, Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance\r\n(ESG).\r\nOn May 20, 2023, a security patch to remediate the vulnerability was applied to all ESG appliances worldwide.\r\nOn May 21, 2023, a script was deployed to all impacted appliances to contain the incident and counter unauthorized\r\naccess methods.\r\nA series of security patches is being deployed to all appliances in furtherance of our containment strategy.\r\nKey Findings\r\nWhile the investigation is still ongoing, Barracuda has concluded the following:\r\nThe vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda\r\nproducts, including our SaaS email security services, were subject to the vulnerability identified.\r\nEarliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.\r\nBarracuda identified that CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances.\r\nMalware was identified on a subset of appliances allowing for persistent backdoor access.\r\nEvidence of data exfiltration was identified on a subset of impacted appliances.\r\nUsers whose appliances we believe were impacted have been notified via the ESG user interface of actions to take.\r\nBarracuda has also reached out to these specific customers. 
Additional customers may be identified in the course of the\r\ninvestigation.\r\nCVE-2023-2868\r\nOn May 19, 2023, Barracuda Networks identified a remote command injection vulnerability (CVE-2023-2868) present in\r\nthe Barracuda Email Security Gateway (appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability\r\nstemmed from incomplete input validation of user-supplied .tar files as it pertains to the names of the files contained within\r\nthe archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely\r\nexecuting a system command through Perl's qx operator with the privileges of the Email Security Gateway product.\r\nBarracuda's investigation to date has determined that a third party utilized the technique described above to gain\r\nunauthorized access to a subset of ESG appliances.\r\nMalware\r\nThis section details the malware that has been identified to date.\r\nSALTWATER\r\nSALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. The\r\ncapabilities of SALTWATER include the ability to upload or download arbitrary files, execute commands, as well as proxy\r\nand tunneling capabilities.\r\nIdentified at path: /home/product/code/firmware/current/lib/smtp/modules on a subset of ESG appliances.\r\nThe backdoor is implemented using hooks on the send, recv, close syscalls and amounts to five components, most of which\r\nare referred to as “Channels” within the binary. In addition to providing backdoor and proxying capabilities, these\r\ncomponents exhibit classic backdoor functionality. The five (5) channels can be seen in the list below.\r\nDownloadChannel\r\nUploadChannel\r\nProxyChannel\r\nShellChannel\r\nTunnelArgs\r\nMandiant is still analyzing SALTWATER to determine if it overlaps with any other known malware families. 
Table 1 below\r\nprovides the file metadata related to a SALTWATER variant.\r\nName: mod_udp.so\r\nSHA256: 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4\r\nMD5: 827d507aa3bde0ef903ca5dec60cdec8\r\nFile Type: ELF x86\r\nSize (Bytes): 1,879,643\r\nTable 1: SALTWATER variant metadata\r\nSEASPY\r\nSEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as\r\na PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also contains backdoor functionality that is\r\nactivated by a \"magic packet\".\r\nIdentified at path: /sbin/ on a subset of ESG appliances.\r\nMandiant analysis has identified code overlap between SEASPY and cd00r, a publicly available backdoor.\r\nTable 2 below provides the file metadata related to a SEASPY variant.\r\nName: BarracudaMailService\r\nSHA256: 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115\r\nMD5: 4ca4f582418b2cc0626700511a6315c0\r\nFile Type: ELF x64\r\nSize (Bytes): 2,924,217\r\nTable 2: SEASPY variant metadata\r\nSEASIDE\r\nSEASIDE is a Lua-based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands\r\nto receive a command and control (C2) IP address and port, which it passes as arguments to an external binary that\r\nestablishes a reverse shell.\r\nTable 3 below provides the file metadata related to SEASIDE.\r\nName: mod_require_helo.lua\r\nSHA256: fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8\r\nMD5: cd2813f0260d63ad5adf0446253c2172\r\nFile Type: Lua module\r\nSize (Bytes): 2,724\r\nTable 3: SEASIDE metadata\r\nRecommendations For Impacted Customers\r\n1. 
Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda.\r\nContact Barracuda support (support@barracuda.com) to validate if the appliance is up to date.\r\n2. Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to\r\nobtain a new ESG virtual or hardware appliance.\r\n3. Rotate any applicable credentials connected to the ESG appliance:\r\n- Any connected LDAP/AD\r\n- Barracuda Cloud Control\r\n- FTP Server\r\n- SMB\r\n- Any private TLS certificates\r\n4. Review your network logs for any of the IOCs listed below and any unknown IPs.\r\nContact compliance@barracuda.com if any are identified.\r\nTo support customers in the investigations of their environments, we are providing a list of all endpoint and network\r\nindicators observed over the course of the investigation to date. We have also developed a series of YARA rules that can be\r\nfound in the section below.\r\nEndpoint IOCs\r\nTable 4 lists the endpoint IOCs, including malware and utilities, attributed to attacker activity during the investigation.\r\nNo. File Name MD5 Hash Type\r\n1 appcheck.sh N/A Bash script\r\n2 aacore.sh N/A Bash script\r\n3 1.sh N/A Bash script\r\n4 mod_udp.so 827d507aa3bde0ef903ca5dec60cdec8 SALTWATER Variant\r\n5 intent N/A N/A\r\n6 install_helo.tar 2ccb9759800154de817bf779a52d48f8 TAR Package\r\n7 intent_helo f5ab04a920302931a8bd063f27b745cc Bash script\r\n8 pd 177add288b289d43236d2dba33e65956 Reverse Shell\r\n9 update_v31.sh 881b7846f8384c12c7481b23011d8e45 Bash script\r\n10 mod_require_helo.lua cd2813f0260d63ad5adf0446253c2172 SEASIDE\r\n11 BarracudaMailService 82eaf69de710abdc5dea7cd5cb56cf04 SEASPY\r\n12 BarracudaMailService e80a85250263d58cc1a1dc39d6cf3942 SEASPY\r\n13 BarracudaMailService 5d6cba7909980a7b424b133fbac634ac SEASPY\r\n14 BarracudaMailService 
1bbb32610599d70397adfdaf56109ff3 SEASPY\r\n15 BarracudaMailService 4b511567cfa8dbaa32e11baf3268f074 SEASPY\r\n16 BarracudaMailService a08a99e5224e1baf569fda816c991045 SEASPY\r\n17 BarracudaMailService 19ebfe05040a8508467f9415c8378f32 SEASPY\r\n18 mod_udp.so 1fea55b7c9d13d822a64b2370d015da7 SALTWATER Variant\r\n19 mod_udp.so 64c690f175a2d2fe38d3d7c0d0ddbb6e SALTWATER Variant\r\n20 mod_udp.so 4cd0f3219e98ac2e9021b06af70ed643 SALTWATER Variant\r\nTable 4: Endpoint IOCs\r\nNetwork IOCs\r\nTable 5 lists the network IOCs, including IP addresses and domain names, attributed to attacker activity during the\r\ninvestigation.\r\nNo. Indicator ASN Location\r\n1 xxl17z.dnslog.cn N/A N/A\r\n2 mx01.bestfindthetruth.com N/A N/A\r\n3 64.176.7.59 AS-CHOOPA US\r\n4 64.176.4.234 AS-CHOOPA US\r\n5 52.23.241.105 AMAZON-AES US\r\n6 23.224.42.5 CloudRadium L.L.C US\r\n7 192.74.254.229 PEG TECH INC US\r\n8 192.74.226.142 PEG TECH INC US\r\n9 155.94.160.72 QuadraNet Enterprises LLC US\r\n10 139.84.227.9 AS-CHOOPA US\r\n11 137.175.60.253 PEG TECH INC US\r\n12 137.175.53.170 PEG TECH INC US\r\n13 137.175.51.147 PEG TECH INC US\r\n14 137.175.30.36 PEG TECH INC US\r\n15 137.175.28.251 PEG TECH INC US\r\n16 137.175.19.25 PEG TECH INC US\r\n17 107.148.219.227 PEG TECH INC US\r\n18 107.148.219.55 PEG TECH INC US\r\n19 107.148.219.54 PEG TECH INC US\r\n20 107.148.219.53 PEG TECH INC US\r\n21 107.148.219.227 PEG TECH INC US\r\n22 107.148.149.156 PEG TECH INC US\r\n23 104.223.20.222 QuadraNet Enterprises LLC US\r\n24 103.93.78.142 EDGENAP LTD JP\r\n25 103.27.108.62 TOPWAY GLOBAL LIMITED HK\r\nTable 5: Network IOCs\r\nYARA Rules\r\nCVE-2023-2868\r\nThe following three (3) YARA rules can be used to hunt for the malicious TAR file which exploits CVE-2023-2868:\r\nrule M_Hunting_Exploit_Archive_2\r\n {\r\n     meta:\r\n         description = \"Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed 
files\"\r\n         date_created = \"2023-05-26\"\r\n         date_modified = \"2023-05-26\"\r\n         md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n         version = \"1.0\"\r\n     strings:\r\n         $ustar = { 75 73 74 61 72 }\r\n         $b64_tmp = \"/tmp/\" base64\r\n     condition:\r\n         filesize \u003c 1MB and\r\n         $ustar at 257 and\r\n         for any i in (0 .. #ustar) : (\r\n             $b64_tmp in (i * 512 .. i * 512 + 250)\r\n         )\r\n }\r\nrule M_Hunting_Exploit_Archive_3\r\n {\r\n     meta:\r\n         description = \"Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files\"\r\n         date_created = \"2023-05-26\"\r\n         date_modified = \"2023-05-26\"\r\n         md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n         version = \"1.0\"\r\n     strings:\r\n         $ustar = { 75 73 74 61 72 }\r\n         $b64_openssl = \"openssl\" base64\r\n     condition:\r\n         filesize \u003c 1MB and\r\n         $ustar at 257 and\r\n         for any i in (0 .. #ustar) : (\r\n             $b64_openssl in (i * 512 .. i * 512 + 250)\r\n         )\r\n }\r\nrule M_Hunting_Exploit_Archive_CVE_2023_2868\r\n {\r\n     meta:\r\n         description = \"Looks for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868\"\r\n         date_created = \"2023-05-26\"\r\n         date_modified = \"2023-05-26\"\r\n         md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n         version = \"1.0\"\r\n     strings:\r\n         $ustar = { 75 73 74 61 72 }\r\n         $qb = \"'`\"\r\n     condition:\r\n         filesize \u003c 1MB and\r\n         $ustar at 257 and\r\n         for any i in (0 .. 
#ustar) : (\r\n             $qb at (@ustar[i] + 255)\r\n         )\r\n }\r\nSALTWATER\r\nThe following three (3) YARA rules can be used to hunt for SALTWATER:\r\nrule M_Hunting_Linux_Funchook\r\n {\r\n     strings:\r\n         $f = \"funchook_\"\r\n         $s1 = \"Enter funchook_create()\"\r\n         $s2 = \"Leave funchook_create() =\u003e %p\"\r\n         $s3 = \"Enter funchook_prepare(%p, %p, %p)\"\r\n         $s4 = \"Leave funchook_prepare(..., [%p-\u003e%p],...) =\u003e %d\"\r\n         $s5 = \"Enter funchook_install(%p, 0x%x)\"\r\n         $s6 = \"Leave funchook_install() =\u003e %d\"\r\n         $s7 = \"Enter funchook_uninstall(%p, 0x%x)\"\r\n         $s8 = \"Leave funchook_uninstall() =\u003e %d\"\r\n         $s9 = \"Enter funchook_destroy(%p)\"\r\n         $s10 = \"Leave funchook_destroy() =\u003e %d\"\r\n         $s11 = \"Could not modify already-installed funchook handle.\"\r\n         $s12 = \"  change %s address from %p to %p\"\r\n         $s13 = \"  link_map addr=%p, name=%s\"\r\n         $s14 = \"  ELF type is neither ET_EXEC nor ET_DYN.\"\r\n         $s15 = \"  not a valid ELF module %s.\"\r\n         $s16 = \"Failed to protect memory %p (size=%\"\r\n         $s17 = \"  protect memory %p (size=%\"\r\n         $s18 = \"Failed to unprotect memory %p (size=%\"\r\n         $s19 = \"  unprotect memory %p (size=%\"\r\n         $s20 = \"Failed to unprotect page %p (size=%\"\r\n         $s21 = \"  unprotect page %p (size=%\"\r\n         $s22 = \"Failed to protect page %p (size=%\"\r\n         $s23 = \"  protect page %p (size=%\"\r\n         $s24 = \"Failed to deallocate page %p (size=%\"\r\n         $s25 = \" deallocate page %p (size=%\"\r\n         $s26 = \"  allocate page %p (size=%\"\r\n         $s27 = \"  try to allocate %p but %p (size=%\"\r\n         $s28 = \"  allocate page %p (size=%\"\r\n         $s29 = \"Could not find a free region near %p\"\r\n         $s30 = \"  -- Use address 
%p or %p for function %p\"\r\n     condition:\r\n         filesize \u003c 15MB and uint32(0) == 0x464c457f and (#f \u003e 5 or 4 of ($s*))\r\n }\r\nrule M_Hunting_Linux_SALTWATER_1\r\n {\r\n     strings:\r\n         $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }\r\n         $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }\r\n     condition:\r\n         filesize \u003c 15MB and uint32(0) == 0x464c457f and any of them\r\n }\r\nrule M_Hunting_Linux_SALTWATER_2\r\n {\r\n     strings:\r\n         $c1 = \"TunnelArgs\"\r\n         $c2 = \"DownloadChannel\"\r\n         $c3 = \"UploadChannel\"\r\n         $c4 = \"ProxyChannel\"\r\n         $c5 = \"ShellChannel\"\r\n         $c6 = \"MyWriteAll\"\r\n         $c7 = \"MyReadAll\"\r\n         $c8 = \"Connected2Vps\"\r\n         $c9 = \"CheckRemoteIp\"\r\n         $c10 = \"GetFileSize\"\r\n         $s1 = \"[-] error: popen failed\"\r\n         $s2 = \"/home/product/code/config/ssl_engine_cert.pem\"\r\n         $s3 = \"libbindshell.so\"\r\n     condition:\r\n         filesize \u003c 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*))\r\n }\r\nMAY 23rd, 2023:\r\nBarracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023. A\r\nsecurity patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023. The\r\nvulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products,\r\nincluding our SaaS email security services, were subject to this vulnerability.\r\nWe took immediate steps to investigate this vulnerability. Based on our investigation to date, we’ve identified that the\r\nvulnerability resulted in unauthorized access to a subset of email gateway appliances. 
As part of our containment strategy, all\r\nESG appliances have received a second patch on May 21, 2023. Users whose appliances we believe were impacted have\r\nbeen notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers.\r\nWe will continue actively monitoring this situation, and we will be transparent in sharing details on what actions we are\r\ntaking. Information gathering is ongoing as part of the investigation. We want to ensure we only share validated information\r\nwith actionable steps for you to take. As we have information to share, we will provide updates via this product status page\r\n(https://status.barracuda.com) and direct outreach to impacted customers. Updates are also located on Barracuda’s Trust\r\nCenter (https://www.barracuda.com/company/legal).\r\nBarracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted\r\ncustomers should review their environments and determine any additional actions they want to take.\r\nYour trust is important to us. We thank you for your understanding and support as we work through this issue and sincerely\r\napologize for any inconvenience it may cause. If you have any questions, please reach out to support@barracuda.com.\r\nSource: https://www.barracuda.com/company/legal/esg-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.barracuda.com/company/legal/esg-vulnerability"
	],
	"report_names": [
		"esg-vulnerability"
	],
	"threat_actors": [
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433985,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71e113de64379fed0140155c9d94b81885ad3993.pdf",
		"text": "https://archive.orkl.eu/71e113de64379fed0140155c9d94b81885ad3993.txt",
		"img": "https://archive.orkl.eu/71e113de64379fed0140155c9d94b81885ad3993.jpg"
	}
}