Barracuda Says Hacked ESG Appliances Must be Replaced Immediately

Cyber Security Threat Summary:
Email and network security company Barracuda warns customers they must replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company warned in a Tuesday update to the initial advisory. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG." (Bleeping Computer, 2023).

Barracuda has been contacting impacted customers through the ESG’s user interface and via email, and is urging customers who haven’t replaced their devices to do so immediately. Attackers have been abusing CVE-2023-2868 for several months. A patch was issued remotely on May 20th, which removed the attackers’ access to the device.

Security Officer Comments:
It is still unclear why a full replacement of the ESG products is required. It is possible that custom malware could be especially persistent, surviving remote attempts to remove it. If the firmware was altered, it could render updates impossible via traditional means. It may be easier and safer for Barracuda to ask customers to replace products than it would be to manually restore impacted products. Because the product is under active attack, there may not be a fast enough process to safely remediate impacted products without causing extreme risk to customer networks.

This ESG vulnerability has been exploited as a zero-day for at least seven months prior to its discovery and disclosure. Threat actors have been using the vulnerability to backdoor customer ESG appliances with custom malware and to steal data.

“It was first used in October 2022 to breach "a subset of ESG appliances" and install malware which provided the attackers with persistent access to the compromised devices. They deployed Saltwater and SeaSpy malware to backdoor the infected appliances and a malicious tool dubbed SeaSide to establish reverse shells for easy remote access via SMTP HELO/EHLO commands. Subsequently, the threat actors took advantage of their access to steal information from the backdoored appliances” (Bleeping Computer, 2023).
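The quoted description notes that the SeaSide tool rode on SMTP HELO/EHLO commands, so HELO/EHLO arguments in mail logs are one place a defender can look for evidence of abuse. The following is an added example, not code from Barracuda, Bleeping Computer or the original post: a generic triage heuristic that parses constructed SMTP session log lines (the log format is an assumption, not Barracuda's) and flags HELO/EHLO arguments that are not a syntactically valid hostname or address literal per RFC 5321. It does not encode any SeaSide-specific indicator; it only surfaces sessions whose greeting argument could not be a legitimate client identity.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# RFC 5321 hostname label: alphanumeric at both ends, hyphens allowed inside, at most 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# Address literals: "[198.51.100.9]" or "[IPv6:2001:db8::1]".
_IPV4_LITERAL_RE = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")
_IPV6_LITERAL_RE = re.compile(r"^\[IPv6:[0-9A-Fa-f:.]+\]$")
MAX_HELO_LEN = 255  # RFC 5321 caps a domain at 255 octets

# Constructed log line format (an assumption for this example, not a real ESG log format):
#   "<timestamp> <client-ip> <HELO|EHLO> [<argument>]"
_LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(HELO|EHLO)(?:\s+(.*))?$", re.IGNORECASE)


def is_valid_helo_argument(arg: str) -> bool:
    """True if arg is a syntactically valid RFC 5321 HELO/EHLO argument."""
    if not arg or len(arg) > MAX_HELO_LEN:
        return False
    m = _IPV4_LITERAL_RE.match(arg)
    if m:
        return all(0 <= int(octet) <= 255 for octet in m.groups())
    if _IPV6_LITERAL_RE.match(arg):
        return True
    return _DOMAIN_RE.match(arg) is not None


def _why_invalid(arg: str) -> str:
    """Short human-readable reason for an invalid argument, for triage output."""
    if not arg:
        return "empty argument"
    if any(c.isspace() for c in arg):
        return "contains whitespace"
    if len(arg) > MAX_HELO_LEN:
        return "argument too long"
    return "not a hostname or address literal"


@dataclass
class Finding:
    timestamp: str
    client: str
    verb: str
    argument: str
    reason: str


def scan_smtp_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per HELO/EHLO line whose argument is not RFC 5321 valid."""
    findings: List[Finding] = []
    for raw in lines:
        m = _LOG_LINE_RE.match(raw.strip())
        if not m:
            continue  # not a HELO/EHLO record in the assumed format
        ts, client, verb, arg = m.groups()
        arg = arg or ""
        if not is_valid_helo_argument(arg):
            findings.append(Finding(ts, client, verb.upper(), arg, _why_invalid(arg)))
    return findings


# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2023-05-21T10:00:01Z 203.0.113.5 EHLO mail.example.net
2023-05-21T10:00:07Z 198.51.100.9 HELO [198.51.100.9]
2023-05-21T10:00:12Z 192.0.2.44 EHLO [IPv6:2001:db8::1]
2023-05-21T10:01:30Z 192.0.2.77 EHLO aGVsbG8=
2023-05-21T10:02:02Z 192.0.2.78 HELO mail.example.net and-more
2023-05-21T10:02:40Z 192.0.2.79 HELO
"""

if __name__ == "__main__":
    for f in scan_smtp_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.client} {f.verb} {f.argument!r}: {f.reason}")
```

Expect benign noise from misconfigured clients (bare names with underscores, trailing spaces), so treat hits as leads to correlate with the appliance's outbound connections and file-integrity state rather than as confirmed compromise; per the advisory, a confirmed-compromised ESG is replaced, not cleaned.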

Suggested Correction(s):
CISA has also added CVE-2023-2868 to its catalog of vulnerabilities known to be exploited in attacks, warning federal agencies with ESG appliances to check their networks for evidence of breaches.

Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).

Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.

Link(s):
https://www.barracuda.com/company/legal/esg-vulnerability
https://www.bleepingcomputer.com/