Barracuda tells customers to rip out vulnerable hardware as experts size up the damage
Cybersecurity experts are continuing to investigate the exploitation of a bug on some Barracuda Networks hardware after the company sent an urgent notice this week telling customers to immediately decommission and replace all instances of the technology.
The company had recently reported that users could successfully patch vulnerable Email Security Gateway (ESG) appliances, but it posted an update this week saying the hardware “must be immediately replaced regardless of patch version level.”
“If you have not replaced your appliance after receiving notice in your UI, contact support now ([email protected]). Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company said.
Barracuda said the footprint of the incident appears to be limited. As of Thursday, "approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability," according to a statement from a company representative.
The Cybersecurity and Infrastructure Security Agency warned federal agencies and the public two weeks ago that a vulnerability tracked as CVE-2023-2868 was being exploited by hackers to remotely execute system commands.
Barracuda reported in May that it pushed out two separate patches to ESG units to fix a flaw “in a module which initially screens the attachments of incoming emails.”
On Thursday afternoon, cybersecurity firm Rapid7 said its incident response teams are currently investigating the exploitation of ESG appliances dating back to at least November 2022.
The company’s teams have identified malicious activity “with the most recent communication with threat actor infrastructure observed in May 2023.”
“In at least one case, outbound network traffic indicated potential data exfiltration,” Rapid7 senior manager of vulnerability research Caitlin Condon said in a notice.
“ESG appliance users should check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators Barracuda has released publicly.”
Vulcan Cyber’s Mike Parkin said the switch from patching to entirely replacing devices was likely made because investigations uncovered that hackers were able to make deeper changes to the firmware on the device that a simple patch might not easily or fully correct.
By replacing the kit, Barracuda can be absolutely sure users have eradicated a potential compromise, he explained, but he noted that without seeing the results of the company’s investigation it was hard to know why they made the switch.
“Ultimately, once an attacker gets sufficient privilege on an appliance, it can be difficult to dislodge them, especially if you are writing centrally distributed scripts that are discussed on the open web,” said Netenrich principal threat hunter John Bambenek, noting that the devices serve as an easy beachhead for what hackers will do next.
“The attackers are paying attention and making it difficult to remove them. Luckily, since we are talking about virtual appliances, all that really needs to be done is to provision and configure a fresh virtual appliance and delete the old one,” Bambenek said “Those using hardware appliances will have a difficult road ahead of them as they need to get a new device to replace it with.”
Barracuda said it initially was alerted to anomalous traffic originating from ESG appliances on May 18 and hired security firm Mandiant to investigate the issue before CVE-2023-2868 was discovered.
The advisory notes several strains of malware that have been used during the exploitation of the bug, including three labeled as Saltwater, SeaSpy and Seaside. They give hackers a backdoor into compromised systems and allow them to take a range of actions against victim networks.
This story was updated 11:45 a.m. on June 9, 2023, with additional information from Barracuda Networks.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.