Educational & easy-to-consume visual guides to understanding attacks & enhancing resilience
At Cyber Management Alliance, Incident Response and Ransomware Mitigation is our passion. We study and analyse cyber-attacks and ransomware attacks to create informational visual timelines which can be easily read for educational purposes and to enhance cyber resilience.
For the Barracuda Email Security Gateway Hack, we have created a visual timeline and an accompanying detailed report. Download it now.
Read our blog on the Barracuda Email Gateway Breach.
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
Barracuda Networks, a California-based security vendor, disclosed in May 2023 that a critical vulnerability in its Email Security Gateway (ESG) appliances had been exploited by attackers to gain unauthorised access to a subset of customers' devices. The flaw, tracked as CVE-2023-2868, had reportedly been exploited since around October 2022 - roughly seven months before discovery - and was used to deploy custom backdoor malware and, in at least some cases, to steal data. The incident was notable because Barracuda ultimately told affected customers to physically replace their appliances rather than rely on patches, and investigators attributed the campaign to a suspected China-linked espionage group.
The vulnerability was reportedly first exploited around October 2022, with malicious activity also observed in November 2022, but it was not discovered until May 2023 - meaning the attackers had access for roughly seven months. Barracuda was alerted to anomalous traffic on 18 May 2023, identified the CVE-2023-2868 vulnerability on 19 May, and applied patches on 20 and 21 May 2023. Further disclosures, malware analysis, the replace-your-appliance advisory and the China attribution followed through late May, June and into July 2023.
The cybersecurity firm Mandiant, which investigated the incident, attributed the campaign with high confidence to a suspected China-nexus espionage actor it tracks as UNC4841, assessing that it acted in support of the People's Republic of China. Mandiant described it as a wide-ranging espionage campaign spanning multiple regions and sectors. A spokesperson for the Chinese Embassy in Washington rejected the allegations, saying China opposes all forms of cyber hacking. The attribution is Mandiant's assessment rather than a formally confirmed, government-level finding.
CVE-2023-2868 is a critical remote command injection vulnerability affecting Barracuda's Email Security Gateway (ESG) appliances - specifically the physical/appliance form factor. The flaw existed in a module that screens the attachments of incoming emails, and it allowed attackers to gain unauthorised access to affected devices. Barracuda confirmed that no other Barracuda products, including its SaaS email security services, were subject to this particular vulnerability. The US cybersecurity agency CISA added CVE-2023-2868 to its catalogue of known exploited vulnerabilities after evidence of active exploitation.
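To make the bug class concrete, here is an added illustration (not Barracuda's code, and not reconstructed from the real ESG module): a hypothetical attachment-screening helper that splices the attachment file name into a shell command string, beside a hardened version that allowlists the name and invokes the scanner as an argv list with no shell. The scanner path, the file names and the Python one-liner standing in for the scanner are constructed assumptions.

```python
import re
import subprocess
import sys

# Hypothetical attachment-screening helper, added to illustrate the
# command-injection bug class that CVE-2023-2868 belongs to. It is NOT
# Barracuda's code; the real ESG module is not reproduced on this page.

# Constructed attachment names: one benign, one carrying a shell metacharacter.
BENIGN_NAME = "invoice-2023-05.pdf"
CRAFTED_NAME = "invoice.pdf; id"

# Allowlist: a file name is a plain token containing nothing a shell interprets.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def scan_command_unsafe(filename: str) -> str:
    """Vulnerable pattern: the attacker-controlled name is spliced into a
    shell command string. Returned rather than executed so the defect is
    visible: a ';' or backtick in the name becomes a second command."""
    return f"/usr/local/bin/scan-attachment {filename}"  # assumed scanner path


def scan_attachment_safe(filename: str) -> str:
    """Hardened pattern: reject anything outside the allowlist, then pass the
    name as one argv element with no shell. A Python one-liner that echoes
    argv[1] stands in for the real scanner so the block runs anywhere."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected attachment name: {filename!r}")
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    print(scan_command_unsafe(CRAFTED_NAME))   # the '; id' survives into the command
    print(scan_attachment_safe(BENIGN_NAME))   # the name comes back as plain data
    try:
        scan_attachment_safe(CRAFTED_NAME)
    except ValueError as exc:
        print(exc)                             # crafted name never reaches a shell
```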
Attackers exploited the CVE-2023-2868 flaw in the ESG email-attachment-screening module to gain unauthorised access and deploy backdoor malware that gave them persistent access to compromised appliances. Investigators found the attackers were able to make deep changes - reportedly down to the device firmware - which is why patching alone was considered insufficient. The compromise was assessed as being limited to the ESG appliances themselves; Barracuda advised customers to confirm the attackers had not moved laterally to other devices on their networks, and Rapid7 said it had not observed lateral movement, though it noted potential data exfiltration in at least one case.
Investigators identified several previously unknown malware strains built specifically for compromised ESG appliances. These included Saltwater, a trojanised Barracuda SMTP daemon (bsmtpd) module providing backdoor access, command execution, file transfer and traffic tunnelling; SeaSpy, a persistence backdoor that can be activated using 'magic packets' and monitors SMTP (port 25) traffic, with code overlapping the publicly available cd00r backdoor; and SeaSide, a bsmtpd module used to establish reverse shells via SMTP HELO/EHLO commands sent through the attackers' command-and-control server.
Barracuda said it had found evidence that the threat actors stole information from backdoored ESG appliances, and Rapid7 reported that, in at least one case, outbound network traffic indicated potential data exfiltration. The full scope of stolen data was not publicly quantified. Separately, the Australian Capital Territory (ACT) government - which identified itself as a victim - said it was likely that some personal information was involved, pending a harms assessment. The espionage nature of the campaign suggests the attackers were primarily interested in access and information rather than financial gain.
In an unusual move that experts described as 'stunning', Barracuda advised affected customers on 6 June 2023 that impacted ESG appliances had to be fully replaced 'regardless of patch version level', rather than simply patched. Investigators believed the attackers had made deep changes - potentially to the device firmware - that a patch might not fully remove, so replacement was the only way to be certain a compromise was eradicated. Customers were also advised to rotate any credentials connected to the appliance, including LDAP/AD, Barracuda Cloud Control, FTP, SMB and private TLS certificates.
Barracuda did not publicly disclose the exact number of affected customers. As of 8 June 2023, the company said that approximately 5% of active ESG appliances worldwide had shown evidence of known indicators of compromise. Barracuda has more than 200,000 organisations using its products globally, but only a subset of physical ESG appliances were affected by this specific vulnerability. The Australian Capital Territory government was one organisation that publicly identified itself as a victim.
On being alerted to anomalous traffic on 18 May 2023, Barracuda engaged Mandiant to investigate, identified the vulnerability on 19 May, and applied a remediation patch to all ESG appliances worldwide on 20 May, followed by a containment script on 21 May. It notified impacted customers through the ESG user interface and reached out to them directly. As the investigation deepened, it issued the unusual advisory to replace affected appliances entirely. CISA also warned organisations and added the flaw to its known-exploited-vulnerabilities catalogue.
The Australian Capital Territory (ACT) government, which governs Canberra, publicly identified itself as a victim of the zero-day attacks. It launched an investigation after Barracuda's disclosure, rebuilt the affected system and confirmed a breach had occurred, later saying it was likely that some personal information was involved, subject to a harms assessment. Barracuda did not publicly name other affected customers, and being a Barracuda customer did not mean an organisation was breached - only a subset of ESG appliances showed indicators of compromise.
The Barracuda incident is a clear example of security-appliance and supply-chain risk: even a trusted security product can become the entry point for a sophisticated, long-dwell espionage campaign. The key lessons are that edge and security appliances need monitoring and incident-response planning just like any other asset; that long attacker dwell time (around seven months here) shows the value of proactive threat hunting and detection; that some compromises run so deep that replacement, not patching, is the only safe remediation; and that credential rotation and network segmentation limit how far an attacker can spread. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.
We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.
Hands-on, full-support 'Security as a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.
A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.
Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.