Replace vulnerable hardware, says Barracuda after email gateway breach
Date: 9 June 2023
Cyber attacks, security incidents and data breaches are constantly in the news. But when a cybersecurity vendor itself is compromised, everyone sits up and takes notice.
Sadly, the significance of the Barracuda email gateway security incident isn't limited to the name of the victim. It extends to the fact that Barracuda is now advising customers to rip out compromised appliances - a huge ask, and a costly and newsworthy one at that.
In this blog, our experts try to decode everything that happened in this major cybersecurity story of 2023.
Our attempt is to break it down into simple-to-digest facts for everyone. As always, this exercise is purely educational and doesn’t intend to highlight or slight the victim.
What Exactly Happened in the Barracuda Cybersecurity Incident?
A little over two weeks ago, security vendor Barracuda Networks announced that it had identified a vulnerability in its Email Security Gateway (ESG) appliance on May 19, 2023.
The zero-day vulnerability, a critical remote command injection flaw tracked as CVE-2023-2868, was in a module that performs the initial screening of attachments on incoming emails. According to Barracuda's advisory, it stemmed from incomplete input validation of user-supplied .tar files: the names of the files inside the archive were not sanitised, so a remote attacker could craft filenames that were executed as system commands (through Perl's qx operator) with the privileges of the ESG product. This allowed some email gateway appliances to be accessed by unauthorised parties.
Barracuda then deployed a security patch to all ESG appliances worldwide on May 20 and applied a second patch on May 21. However, by then an unspecified number of customers had already been compromised through the email gateway. The company stated that no other Barracuda products, including its SaaS email security services, were affected by this zero-day vulnerability.
Customers whose appliances were believed to be impacted were notified through the ESG user interface and advised to review their environments to determine whether any further action was needed.
On May 30, 2023, Barracuda revealed that the vulnerability had in fact been exploited since at least October 2022, roughly seven months before it was identified. Attackers had gained unauthorised access to "a subset of ESG appliances" and deployed malware to maintain persistent backdoor access to the affected systems.
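Barracuda's advisory and the CVE record describe the root cause of CVE-2023-2868 as incomplete validation of the file names inside a user-supplied .tar attachment, which let crafted names reach a system command (Perl's qx operator). The Python below is an added illustration of that bug class and of the screening a gateway should apply; it is not Barracuda's code and assumes nothing about the ESG module's internals. It builds a small archive with constructed member names, flags names that are unsafe to hand to a shell or to the filesystem (the traversal and absolute-path checks go beyond this specific CVE, which concerned command injection), and enumerates members through a library call so that no name is ever interpolated into a command string.

```python
"""Screening .tar attachment member names before they reach a shell.

Added illustration of the CVE-2023-2868 bug class (unsanitised archive
member names used to build a system command). Not Barracuda's code; the
archives below are constructed test fixtures.
"""
import io
import shlex
import tarfile
from typing import Dict, List

# Characters a POSIX shell interprets. Interpolating a member name that
# contains any of these into a command string (Perl qx, os.system,
# subprocess with shell=True) turns the name from data into code.
SHELL_META = set("`$|;&<>(){}\n\r'\"\\*?[]~! \t")


def build_tar(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory tar with the given member names (fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_problems(name: str) -> List[str]:
    """Reasons a member name must not be trusted; empty list if none."""
    problems = []
    if any(c in SHELL_META for c in name):
        problems.append("shell metacharacter")
    if name.startswith("/"):
        problems.append("absolute path")
    if ".." in name.split("/"):
        problems.append("path traversal")
    return problems


def screen_tar(tar_bytes: bytes) -> Dict[str, List[str]]:
    """Return {member_name: problems} for every member that fails screening.

    Members are enumerated with tarfile, so no name is ever passed to a
    shell: this is the hardened equivalent of shelling out to `tar -tf`
    with the archive contents spliced into the command line.
    """
    rejected: Dict[str, List[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            problems = member_problems(member.name)
            if problems:
                rejected[member.name] = problems
    return rejected


def quoted_for_shell(name: str) -> str:
    """If a shell really is unavoidable, quote so the name stays data."""
    return shlex.quote(name)


if __name__ == "__main__":
    # Constructed sample: one benign attachment and three hostile names.
    sample = build_tar({
        "report.pdf": b"%PDF-1.4 ...",
        "`id`.pdf": b"",                 # backticks: command substitution
        "../../etc/cron.d/job": b"",     # escapes the extraction directory
        "/etc/passwd": b"",              # absolute path
    })
    for name, problems in screen_tar(sample).items():
        print(f"REJECT {name!r}: {', '.join(problems)}")
    print("quoted:", quoted_for_shell("`id`.pdf"))
```

Note the caveat the metacharacter check carries: a perfectly legitimate attachment such as "Q3 report.pdf" is flagged because of the space, which is exactly why filtering names is the fallback and never interpolating them into a command is the fix. Where a shell cannot be avoided, `shlex.quote` (or the equivalent in the language at hand) wraps the name so the shell sees a single literal word.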
Latest Developments for Email Security Gateway (ESG) Appliances
On June 6, however, Barracuda published an 'action notice' urging customers to replace impacted ESG appliances immediately, regardless of patch level: patching alone was no longer considered sufficient. Experts have called this development "stunning". It is estimated that about 11,000 Barracuda ESG appliances are exposed on the internet.
Many have suggested that this directive implies the malware achieved persistence deep enough in the device that even cleaning or re-imaging it cannot reliably remove the attackers' access.
The three pieces of malware Barracuda has identified on compromised appliances are SALTWATER, SEASPY and SEASIDE. SALTWATER is a trojanised module for the Barracuda SMTP daemon (bsmtpd) with backdoor functionality; SEASPY is a persistence backdoor that poses as a legitimate Barracuda service and is activated by a "magic packet" on the SMTP port; SEASIDE is a Lua-based bsmtpd module that receives a command-and-control address via SMTP HELO/EHLO commands and establishes a reverse shell.
To help customers deal with the situation, Barracuda has released indicators of compromise (IoCs) for both endpoints and networks, along with YARA rules that can be used for threat hunting.
Barracuda has also said that, in addition to replacing hardware, impacted customers should review their environments for signs of compromise going back to at least October 2022, and rotate any credentials connected to the appliance (such as LDAP/AD, Barracuda Cloud Control, FTP, SMB and private TLS certificates).
On June 8, the government of the Australian Capital Territory (ACT) said it was among the victims of the vulnerability in Barracuda's ESG appliances. A government spokesperson added that personal information may have been compromised and that a full investigation was under way to establish whether it had been.
Could This Have Been Avoided? What Can Barracuda Customers Do Now?
Our CEO and Global CISO, Amar Singh, shares some expert advice for the affected organisations:
- Carefully read and understand what the vendor is advising and engage your reseller or service provider to ensure you do exactly what Barracuda is recommending.
- Don't leave the doors open! - Consequently, there is little choice but to replace the existing hardware with new Barracuda equipment.
- Don't Rush it - Please don't go buying equipment/solutions from other vendors. This 'attack' can happen to anyone.
- Such cybersecurity incidents highlight the need for always, always being prepared for the worst. Make sure (even if you aren't affected by this particular incident) that you always have your cyber incident response plans and incident response playbooks in order. Get help if you need to review and update them but always be ready. Like we said earlier - This could happen to anyone! Your best defence is being prepared!
Recent Cyber Attacks in 2023
At Cyber Management Alliance, we regularly create material about the most recent cyber-attacks, ransomware, and data breaches. We also gather information about new malware and vulnerabilities, as well as released security patches.
Our goal is to keep our readers up to date so they can quickly identify any potential security risks and take the necessary precautions. Additionally, you can read our blog on some of the most discussed cyber-attacks of 2023 to gain a better understanding of the current cyber threats and the strategies of malicious actors.
Do bookmark our site for more such updates. We will also keep our readers updated on other important information on the Barracuda cyber incident as the news unfolds in the public domain.