The Week in Security: Barracuda email flaw left open for months, calls for AI governance turn existential

This week: Barracuda’s Email Security Gateway had an undetected flaw, which was abused by hackers for months. Also: Could AI bring on an "extinction event?"

This Week’s Top Story

A flaw in Barracuda’s email security gateway was exploited by hackers for months

Barracuda, an enterprise security firm, disclosed this past Tuesday that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances has been abused by hackers to backdoor the company’s devices for the past seven months. The critical vulnerability, CVE-2023-2868, has been exploited by these threat actors since October 2022 and wasn’t identified by Barracuda until May 19, 2023. Patches for the flaw were released by Barracuda on May 20 and 21.

The flaw, which impacts versions 5.1.3.001 through 9.2.0.006, allows a remote attacker to achieve code execution on susceptible installations. Barracuda identified that attackers executed malware on a subset of appliances, and also found that data was exfiltrated on a subset of appliances. To date, three malware strains have been found on impacted appliances: SALTWATER, SEASPY, and SEASIDE, and each of them exhibits one or more malicious functions.

Mandiant has been investigating the incident, and has found that one of the strains’ source code, SEASPY, overlaps with an open source backdoor called cd00r. At this time, Mandiant and Barracuda have not attributed the attacks to any known threat actors. Barracuda also did not disclose how many organizations were breached as a result of the flaw, but assured that the investigation into the incident is ongoing.

News Roundup

Here are the stories we’re paying attention to this week…

Avoiding potential ‘extinction event’ from AI requires action, US official says (ABC News)

A top U.S. official for cybersecurity said Wednesday that humanity could be at risk of an "extinction event" if tech companies fail to self-regulate and work with the government to reign in the power of artificial intelligence.

Critical firmware vulnerability in Gigabyte Systems exposes 7 million devices (The Hacker News)

Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an insecure format.

Toyota finds more misconfigured servers leaking customer info (Bleeping Computer)

Toyota Motor Corporation has discovered two additional misconfigured cloud services that leaked car owners' personal information for over seven years. This finding came after the Japanese carmaker conducted a thorough investigation on all cloud environments managed by Toyota Connected Corporation after previously discovering a misconfigured server that exposed the location data of over 2 million customers for ten years.

SAS Airlines hit by $3 million ransom demand following DDoS attacks (Graham Cluley)

Scandinavian Airlines (SAS) has received a US $3 million ransom demand following a prolonged campaign of distributed denial-of-service (DDoS) attacks against its online services. The Anonymous Sudan hacktivist group published their financial demand on its Telegram channel after disrupting the airline's website and smartphone app.

Dark Pink hackers continue to target government and military organizations (Bleeping Computer)

The Dark Pink APT hacking group continues to be very active in 2023, observed targeting government, military, and education organizations in Indonesia, Brunei, and Vietnam. The threat group has been active since at least mid-2021, primarily targeting entities in the Asia-Pacific region, but it wasn’t exposed until January 2023.