Barracuda Urges Changing — Not Patching — Its E-mail Safety Gateways – Krebs on Safety

It’s not usually {that a} zero-day vulnerability causes a community safety vendor to induce clients to bodily take away and decommission a complete line of affected {hardware} — versus simply making use of software program updates. However consultants say that’s precisely what transpired this week with Barracuda Networks, as the corporate struggled to fight a sprawling malware menace which seems to have undermined its e mail safety home equipment in such a basic approach that they will not be safely up to date with software program fixes.

The Barracuda E-mail Safety Gateway (ESG) 900 equipment.

Campbell, Calif. primarily based Barracuda mentioned it employed incident response agency Mandiant on Might 18 after receiving reviews about uncommon visitors originating from its E-mail Safety Gateway (ESG) gadgets, that are designed to take a seat on the fringe of a corporation’s community and scan all incoming and outgoing e mail for malware.

On Might 19, Barracuda recognized that the malicious visitors was making the most of a beforehand unknown vulnerability in its ESG home equipment, and on Might 20 the corporate pushed a patch for the flaw to all affected home equipment (CVE-2023-2868).

In its safety advisory, Barracuda mentioned the vulnerability existed within the Barracuda software program element answerable for screening attachments for malware. Extra alarmingly, the corporate mentioned it seems attackers first began exploiting the flaw in October 2022.

However on June 6, Barracuda all of a sudden started urging its ESG clients to wholesale rip out and exchange — not patch — affected home equipment.

“Impacted ESG home equipment have to be instantly changed no matter patch model stage,” the corporate’s advisory warned. “Barracuda’s advice at the moment is full alternative of the impacted ESG.”

Rapid7‘s Caitlin Condon known as this exceptional flip of occasions “pretty beautiful,” and mentioned there seem like roughly 11,000 weak ESG gadgets nonetheless linked to the Web worldwide.

“The pivot from patch to whole alternative of affected gadgets is pretty beautiful and implies the malware the menace actors deployed someway achieves persistence at a low sufficient stage that even wiping the gadget wouldn’t eradicate attacker entry,” Condon wrote.

Barracuda mentioned the malware was recognized on a subset of home equipment that allowed the attackers persistent backdoor entry to the gadgets, and that proof of information exfiltration was recognized on some techniques.

Rapid7 mentioned it has seen no proof that attackers are utilizing the flaw to maneuver laterally inside sufferer networks. However which may be small comfort for Barracuda clients now coming to phrases with the notion that overseas cyberspies in all probability have been hoovering up all their e mail for months.

Nicholas Weaver, a researcher at College of California, Berkeley’s Worldwide Pc Science Institute (ICSI), mentioned it’s possible that the malware was in a position to corrupt the underlying firmware that powers the ESG gadgets in some irreparable approach.

“One of many objectives of malware is to be laborious to take away, and this implies the malware compromised the firmware itself to make it actually laborious to take away and actually stealthy,” Weaver mentioned. “That’s not a ransomware actor, that’s a state actor. Why? As a result of a ransomware actor doesn’t care about that stage of entry. They don’t want it. In the event that they’re going for information extortion, it’s extra like a smash-and-grab. In the event that they’re going for information ransoming, they’re encrypting the information itself — not the machines.”

Along with changing gadgets, Barracuda says ESG clients also needs to rotate any credentials linked to the equipment(s), and examine for indicators of compromise courting again to at the least October 2022 utilizing the community and endpoint indicators the corporate has launched publicly.

Leave a Reply

Your email address will not be published. Required fields are marked *