Archive for Barracuda

New ‘Quishing’ Attacks Split QR Codes to Highjack Conversations

Posted in Commentary with tags on August 21, 2025 by itnerd

Researchers have discovered Gabagool PhaaS attackers implementing split QR codes in an attack that began as a standard fake Microsoft ‘password reset’ scam. The attackers’ use of highly tailored messages suggests they’d previously implemented a successful conversation hijacking attack against the target.

The details are here: https://blog.barracuda.com/2025/08/20/threat-spotlight-split-nested-qr-codes-quishing-attacks

The technique involves splitting the QR code into two separate images and embedding them in a phishing email. When traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code.

Barracuda threat analysts recently found Gabagool attackers implementing split QR codes in an attack that began as a standard fake Microsoft ‘password reset’ scam. The attackers’ use of highly tailored messages suggests they’d previously implemented a successful conversation hijacking attack against the target.

Erich Kron, Security Awareness Advocate at KnowBe4, commented:

“The inclusion of tricky little QR codes in some of the phishing kits or phishing services is indicative of the advancement of attacks, even at the commodity level. What might have been expected from a nation state has now made its way into low cost pay-to-play cyber tools and services. QR codes provide a somewhat unique challenge as many individuals are not aware that they can be weaponized, and many mobile devices do not actually show you the URL it is taking you to, but rather simply ask if you want to open the link in the browser.

“It has always been more difficult to view some threats on mobile devices because the limited screen real estate means that things such as the URL bar in a browser may be hidden from view unless a person intentionally looks for it. In addition, mobile devices tend to connect through cellular services, or unsecured Wi-Fi networks like those in restaurants, airports, hotels, and other public places. This means many security tools that can help keep organization-owned computers safe on the corporate network, are not applied to mobile devices. When on the road, people are far more likely to browse the Internet without the use of a VPN on phones and tablets compared to when they use laptops, losing the security controls available through VPN monitoring.

“The attack itself is fairly common, sending a user to a website designed to look like a legitimate login portal. This is not a novel attack and is a part of many phishing kits or phishing services, but the delivery method of splitting QR codes into multiple images or embedding them within each other to bypass filters is clever and can make things difficult for email filters to spot. Once an attacker steals the credentials of cloud services such as Microsoft 365 or Google, it makes it very easy for them to access email accounts which contain sensitive information, or use those accounts to attack others. Attacks like this highlight the importance of having a comprehensive Human Risk Management (HRM) program in place within organizations. When people are aware of these types of fake login portals, it becomes very easy to spot the fakes, even if the emails are able to get past the technology. The use of MFA can mitigate some of the risk; however many types of MFA are vulnerable to being bypassed, making the inconvenience for attackers minimal.”

QR code-based attacks have been around for a while, but clearly they are evolving, which means you have to be more careful than ever not to become a victim of one.

Barracuda found a backdoor trigger in their patched systems 

Posted in Commentary with tags on September 5, 2023 by itnerd

When Barracuda released a patch on May 18th, it thought it had fixed its 0-day malware problem, but the hackers had other ideas. Some Barracuda users who replaced infected appliances found that the malware reappeared in the new devices. According to the Mandiant researchers brought in to remove the malware, this was because:

“It was common practice for impacted victims to export their configuration from compromised appliances so it could be restored into a clean one. Therefore, if the DEPTHCHARGE (malware) trigger was present in the exported configuration, it would effectively enable UNC4841 to infect the clean device with the DEPTHCHARGE backdoor through this execution chain, and potentially maintain access even after complete replacement of the appliance.”

Previously, on May 18th, Barracuda had released a patch to remove UNC4841 from customers’ devices, but unbeknownst to Barracuda or the Mandiant researchers brought in to remove the malware, the attackers anticipated this action and responded by installing new malware families labeled SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE. “This second surge represented the highest intensity of UNC4841 activity identified by Mandiant across the entire campaign, demonstrating UNC4841’s determination in preserving access to specific victim environments.” This countermove on the part of the attackers was only performed against a very limited number of high-priority victims, estimated at hundreds of devices.

Dave Ratner, CEO, HYAS had this to say:

“Unfortunately, it is far too common for bad actors to leave hidden backdoors or otherwise initiate mechanisms to maintain their hold on a victim, even post cleanup. The only real way to ensure that incident response and system cleanup has been successful is monitoring the communication traffic leaving the organization — remaining backdoors or infections will continue to beacon out to adversary infrastructure, and with the right visibility this can alert you to their remaining footholds and allow you to truly cleanup after an attack.”

Carol Volk, EVP, BullWall follows with this:

“Backing up infected files definitely happens. In incident response sessions, we always stress recreating infrastructure from the ground up (not using anything that existed previously) as the best practice for exactly this reason. Usual approaches to prevention cannot prevent this because attackers will always find a way in, so containment is critical.”

Clearly the playbook for dealing with threats to Barracuda hardware is to get a new appliance and set it up from scratch, which shows you how crafty these threat actors are. Perhaps this should be in the playbook for any intrusion that you might be dealing with? Just a thought.

FBI Warns That Barracuda’s ESG Appliances Need To Be Ripped Out…. NOW

Posted in Commentary with tags on August 28, 2023 by itnerd

You might recall that I posted a story about Barracuda ESG appliances that require full unit replacements because they had an extremely serious flaw that is basically unpatchable.

I had forgotten about this story until I saw this from the FBI:

Through an investigation of the Barracuda ESG appliance compromise, the FBI discovered additional indicators of compromise as well as independently verified many of the indicators of compromise in the public domain. Barracuda customers should remove all ESG appliances immediately. The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit. In addition, customers should further investigate for any further compromise by conducting scans for outgoing connections using the list of indicators provided as the malicious cyber actors have demonstrated the ability to compromise email accounts and computer networks, as well as maintain persistence in victim networks for continued future operations and data exfiltration. Customers who used enterprise privileged credentials for management of their Barracuda appliances (such as Active Directory Domain Admin) should immediately take incident investigation steps to verify the use and behavior of any credentials used on their devices. Investigation steps may include:

  • Review email logs to identify the initial point of exposure;
  • Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise;
  • Revoke and reissue all certificates that were on the ESG at the time of compromise;
  • Monitor entire network for the use of credentials that were on the ESG at the time of compromise;
  • Review network logs for signs of data exfiltration and lateral movement;
  • Capture forensic image of the appliance and conduct a forensic analysis.

This is pretty bad. Both for Barracuda customers and for Barracuda’s reputation. The fact that the FBI is now saying to rip Barracuda appliances out of production isn’t good and illustrates how bad this flaw is. Thus if you have one of these appliances, and you didn’t rip it out in June, you need to do so now.

Barracuda Is Telling ESG Customers To Physically Replace Their Hardware To Address An Actively Exploited Vulnerability… WTF?

Posted in Commentary with tags on June 8, 2023 by itnerd

I recently told you about an extremely serious vulnerability with Barracuda’s Email Security Gateway Appliance (ESG) that has alarm bells ringing all over Hell’s half acre.

Barracuda has a full description of the incident so far in their advisory, including extensive indicators of compromise, additional vulnerability details, and information on the backdoored module for Barracuda’s SMTP daemon. Now this I give Barracuda credit for as there’s a lot of detail here so that if you have one of these ESG Appliances, you can in theory address any vulnerabilities quickly and effectively. But at the same time that document says this right at the top of it:

ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).  

Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG. 

That’s right. You need to replace your ESG Appliance to address this actively exploited vulnerability. Even if you’ve patched it. I’ve been in this space for over 25 years and I have never, ever seen a recommendation like this before. The only reason that I can come up with for this recommendation is that whatever threat actor did this has managed to gain persistence on the device. Or put into layman’s terms, they’ve pitched the tent, started the campfire, and built a very high wall around the campsite along with a moat that would make it next to impossible to get them out. That’s the holy grail for any threat actor and that’s really, really, bad if you have an ESG Appliance.

Here’s the problem with that: replacing devices wholesale isn’t something that scales to a level Barracuda customers can work with, as we are not talking about a consumer router that can be reconfigured in an hour or less. We’re talking about an email gateway that is actively scanning for email-based threats, and in today’s world not only can’t it be out of service for a lengthy period, but these sorts of appliances are often tied into a much larger security setup that companies have. And you have to wonder if Barracuda can scale to meet the demands of customers who are going to email them with requests to replace this gear quickly, as in next-day or same-day replacements in some cases. This is a very bad situation and I am sure this is going to cost Barracuda some customers. Because even though there are exploits out there that threaten everyone, this is above and beyond anything that I have ever seen before. And that will make some of Barracuda’s customers wonder if the company was asleep at the switch when it came to the security of their devices.

Barracuda Has A Serious Email Security Gateway Appliance (ESG) Vulnerability…. Time To Patch Away

Posted in Commentary with tags on May 31, 2023 by itnerd

Barracuda’s Email Security Gateway Appliance has a vulnerability so serious that even CISA wants federal agencies to patch it right away. That’s because there are reports that this vulnerability has been exploited. Which is of course a bad thing.

Here’s what Joe Saunders, CEO, RunSafe Security had to say on this:

“As attackers gain persistent access and start to move laterally, they likely will need a memory-based exploit to complete the attack. The time is now for industry to stop chasing patches and start deploying exploit prevention even when a patch is not available.”

The bottom line is that those with Barracuda ESGs need to patch them ASAP to keep the bad guys out. Seeing as this is a clear and present danger, not doing that is asking for trouble.