Barracuda Networks says hacked devices “must be immediately replaced” despite patches
Seven-month exploitation of a critical vulnerability enabled persistent backdoor access in its email security gateway devices
A critical vulnerability in Barracuda Networks’ email security gateway (ESG) devices means all compromised devices must now be replaced.
The order came directly from the security company this week, which said affected devices should be replaced regardless of whether the zero-day vulnerability had been patched.
Barracuda updated its security advisory and also communicated the instruction to customers via the user interface of their ESG devices.
“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company said. “Impacted ESG appliances must be immediately replaced regardless of patch version level.”
Barracuda has not offered any further description as to why the devices must be fully replaced, but the likely reason is the malware installed after exploitation of the vulnerability, which gave attackers persistent backdoor access.
The firm, which has more than 200,000 customers globally, has been engaging affected clients since news of the vulnerability emerged in late May.
Barracuda ESG vulnerability - what happened?
Last month, Barracuda said it detected “anomalous traffic” originating from its email security gateway appliances. A subsequent investigation identified exploitation of a critical vulnerability in the appliance, tracked as CVE-2023-2868.
Initially, the company issued a patch to remediate the vulnerability for all ESG appliances globally. A script was deployed to contain the incident and prevent unauthorized access methods, Barracuda said.
However, last week the company revealed that further analysis of the incident found the vulnerability had been actively exploited for several months before it was discovered and patched.
Barracuda said the “earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022”.
The vulnerability enabled threat actors to obtain “unauthorized access to a subset of ESG appliances”, it added. The company said that malware was identified on a subset of appliances, offering would-be attackers persistent backdoor access.
Two particular malware strains were uncovered by Barracuda during its post-mortem analysis of the incident.
The first was SALTWATER, a “trojanized module for the Barracuda SMTP daemon that contains backdoor functionality”.
The second strain, known as SEASPY, likewise offered attackers persistent backdoor functionality while disguising itself as a legitimate Barracuda Networks service.
No other Barracuda products, including its SaaS email security services, were affected by the vulnerability, Barracuda said.
ITPro approached Barracuda Networks for comment on the latest update.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.