[ad_1]
It’s not usually {that a} zero-day vulnerability causes a community safety vendor to induce clients to bodily take away and decommission a complete line of affected {hardware} — versus simply making use of software program updates. But consultants say that’s precisely what transpired this week with Barracuda Networks, as the corporate struggled to fight a sprawling malware menace which seems to have undermined its e-mail safety home equipment in such a basic means that they will now not be safely up to date with software program fixes.
The Barracuda Email Security Gateway (ESG) 900 equipment.
Campbell, Calif. based mostly Barracuda mentioned it employed incident response agency Mandiant on May 18 after receiving studies about uncommon site visitors originating from its Email Security Gateway (ESG) gadgets, that are designed to sit down on the fringe of a company’s community and scan all incoming and outgoing e-mail for malware.
On May 19, Barracuda recognized that the malicious site visitors was making the most of a beforehand unknown vulnerability in its ESG home equipment, and on May 20 the corporate pushed a patch for the flaw to all affected home equipment (CVE-2023-2868).
In its safety advisory, Barracuda mentioned the vulnerability existed within the Barracuda software program element accountable for screening attachments for malware. More alarmingly, the corporate mentioned it seems attackers first began exploiting the flaw in October 2022.
But on June 6, Barracuda instantly started urging its ESG clients to wholesale rip out and change — not patch — affected home equipment.
“Impacted ESG appliances must be immediately replaced regardless of patch version level,” the corporate’s advisory warned. “Barracuda’s recommendation at this time is full replacement of the impacted ESG.”
Rapid7‘s Caitlin Condon referred to as this outstanding flip of occasions “fairly stunning,” and mentioned there seem like roughly 11,000 weak ESG gadgets nonetheless related to the Internet worldwide.
“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” Condon wrote.
Barracuda mentioned the malware was recognized on a subset of home equipment that allowed the attackers persistent backdoor entry to the gadgets, and that proof of information exfiltration was recognized on some methods.
Rapid7 mentioned it has seen no proof that attackers are utilizing the flaw to maneuver laterally inside sufferer networks. But which may be small comfort for Barracuda clients now coming to phrases with the notion that overseas cyberspies most likely have been hoovering up all their e-mail for months.
Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI), mentioned it’s probably that the malware was capable of corrupt the underlying firmware that powers the ESG gadgets in some irreparable means.
“One of the goals of malware is to be hard to remove, and this suggests the malware compromised the firmware itself to make it really hard to remove and really stealthy,” Weaver mentioned. “That’s not a ransomware actor, that’s a state actor. Why? Because a ransomware actor doesn’t care about that level of access. They don’t need it. If they’re going for data extortion, it’s more like a smash-and-grab. If they’re going for data ransoming, they’re encrypting the data itself — not the machines.”
In addition to changing gadgets, Barracuda says ESG clients also needs to rotate any credentials related to the equipment(s), and examine for indicators of compromise courting again to no less than October 2022 utilizing the community and endpoint indicators the corporate has launched publicly.