It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that’s exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat that appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.
Campbell, Calif.-based Barracuda said it hired incident response firm Mandiant on May 18 after receiving reports about unusual traffic originating from its Email Security Gateway (ESG) devices, which are designed to sit at the edge of an organization’s network and scan all incoming and outgoing email for malware.
On May 19, Barracuda identified that the malicious traffic was taking advantage of a previously unknown vulnerability in its ESG appliances, and on May 20 the company pushed a patch for the flaw to all affected appliances (CVE-2023-2868).
In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. More alarmingly, the company said it appears attackers first started exploiting the flaw in October 2022.
But on June 6, Barracuda suddenly began urging its ESG customers to wholesale rip out and replace — not patch — affected appliances.
“Impacted ESG appliances must be immediately replaced regardless of patch version level,” the company’s advisory warned. “Barracuda’s recommendation at this time is full replacement of the impacted ESG.”
In a statement, Barracuda said it will be providing the replacement product to impacted customers at no cost, and that not all ESG appliances were compromised.
“No other Barracuda product, including our SaaS email solutions, were impacted by this vulnerability,” the company said. “If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time.”
Nevertheless, the statement says that “out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance.”
“As of June 8, 2023, approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability,” the statement continues. “Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.”
Rapid7’s Caitlin Condon called this remarkable turn of events “fairly stunning,” and said there appear to be roughly 11,000 vulnerable ESG devices still connected to the Internet worldwide.
“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” Condon wrote.
Barracuda said the malware was identified on a subset of appliances that allowed the attackers persistent backdoor access to the devices, and that evidence of data exfiltration was identified on some systems.
Rapid7 said it has seen no evidence that attackers are using the flaw to move laterally within victim networks. But that may be small consolation for Barracuda customers now coming to terms with the notion that foreign cyberspies probably have been hoovering up all their email for months.
Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI), said it’s likely that the malware was able to corrupt the underlying firmware that powers the ESG devices in some irreparable way.
“One of the goals of malware is to be hard to remove, and this suggests the malware compromised the firmware itself to make it really hard to remove and really stealthy,” Weaver said. “That’s not a ransomware actor, that’s a state actor. Why? Because a ransomware actor doesn’t care about that level of access. They don’t need it. If they’re going for data extortion, it’s more like a smash-and-grab. If they’re going for data ransoming, they’re encrypting the data itself — not the machines.”
In addition to replacing devices, Barracuda says ESG customers should also rotate any credentials associated with the appliance(s), and check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators the company has released publicly.
Update, June 9, 11:55 a.m. ET: Barracuda has issued an updated statement about the incident, portions of which are now excerpted above.
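The retrospective check Barracuda recommends amounts to sweeping historical gateway, DNS and attachment logs for the published indicators, with the lookback floor set at October 2022. The script below is an added example, not code from the article, from Barracuda or from Mandiant. It assumes a constructed log format (`<timestamp> <appliance> <conn|dns|file> <value>`), and every indicator in it is a placeholder (RFC 5737 test addresses, a reserved example domain, an all-zero hash) standing in for the vendor's real IoC list, which is not reproduced here. Indicator matches that predate the window are reported separately rather than dropped, since the window is a floor, not a hard cut-off.

```python
import re
from datetime import datetime, timezone

# Placeholder indicators, constructed for this example. Replace them with the
# network and endpoint IoCs the vendor published; none of these are real
# indicators from the incident.
IOC_IPS = {"198.51.100.77", "192.0.2.10"}   # RFC 5737 test addresses
IOC_DOMAINS = {"ioc-placeholder.example"}   # reserved example TLD
IOC_SHA256 = {"0" * 64}                     # placeholder attachment hash

# Vendor guidance: look back to at least October 2022.
WINDOW_START = datetime(2022, 10, 1, tzinfo=timezone.utc)

# Constructed log format: "<ISO-8601 UTC timestamp> <appliance> <kind> <value>"
# kind: conn = outbound destination IP, dns = queried name, file = SHA-256 of an attachment.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<host>\S+) (?P<kind>conn|dns|file) (?P<value>\S+)$"
)


def parse_line(line):
    """Return (timestamp, host, kind, value) or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["kind"], m["value"].lower()


def match_ioc(kind, value):
    """Return the indicator class a value matches ('ip', 'domain', 'hash') or None."""
    if kind == "conn" and value in IOC_IPS:
        return "ip"
    if kind == "dns" and any(value == d or value.endswith("." + d) for d in IOC_DOMAINS):
        return "domain"   # exact match or a subdomain of a listed domain
    if kind == "file" and value in IOC_SHA256:
        return "hash"
    return None


def sweep(lines):
    """Scan log lines and report IoC hits inside the lookback window.

    Malformed lines are counted, not silently ignored, so a broken export
    does not masquerade as a clean result.
    """
    hits, skipped, out_of_window = [], 0, 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        ts, host, kind, value = parsed
        ioc_type = match_ioc(kind, value)
        if ioc_type is None:
            continue
        if ts < WINDOW_START:
            out_of_window += 1   # still a match, just earlier than the stated floor
            continue
        hits.append({"ts": ts.isoformat(), "host": host, "type": ioc_type, "value": value})
    return {
        "hits": hits,
        "hosts": sorted({h["host"] for h in hits}),   # appliances needing replacement review
        "skipped": skipped,
        "out_of_window": out_of_window,
    }


# Constructed sample log lines for this example; not real telemetry.
SAMPLE_LOGS = [
    "2022-09-15T11:02:01Z esg01 conn 198.51.100.77",            # IoC, but before the window
    "2022-11-03T08:41:17Z esg01 conn 198.51.100.77",            # IoC hit
    "2023-01-20T22:05:09Z esg02 conn 203.0.113.5",              # benign
    "2023-03-02T14:33:50Z esg02 dns ioc-placeholder.example",   # IoC hit
    "2023-05-19T01:00:00Z esg01 file " + "0" * 64,              # IoC hit
    "not a log line",                                           # malformed, counted as skipped
]

if __name__ == "__main__":
    result = sweep(SAMPLE_LOGS)
    for hit in result["hits"]:
        print(f"{hit['ts']} {hit['host']} {hit['type']} {hit['value']}")
    print(f"appliances with hits: {result['hosts']}; "
          f"skipped={result['skipped']} out_of_window={result['out_of_window']}")
```

In practice the `hosts` list is the interesting output: any appliance that appears there falls under the vendor's replace-and-rotate guidance, and the credential rotation should cover every account the appliance held, not only the one used to administer it.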
Original article: https://krebsonsecurity.com/2023/06/barracuda-urges-replacing-not-patching-its-email-security-gateways/