Barracuda Recommends Replacing Email Security Gateways Instead of Just Patching Them – Krebs on Security

Barracuda Networks, a prominent network security vendor, has urged customers to physically decommission a line of affected hardware after an ongoing malware campaign left its email security appliances unrecoverable through software fixes. The company hired an incident response firm, Mandiant, after receiving reports of unusual traffic originating from its Email Security Gateway (ESG) devices, which are designed to scan all incoming and outgoing email for malware. On May 19, Barracuda reported that the malicious traffic was exploiting a previously unknown vulnerability in its ESG appliances. On May 20, the company released a patch to all affected appliances.

In its advisory, Barracuda said the vulnerability lay in the software component responsible for screening attachments for malware, and stated that attackers appeared to have first exploited the flaw in October 2022. However, on June 6, Barracuda urged its ESG customers to replace the affected appliances rather than patch them. The company's advisory warned that "impacted ESG appliances must be immediately replaced regardless of patch version level," and the company has reportedly identified roughly 11,000 vulnerable ESG devices still connected to the internet worldwide.

Caitlin Condon, a researcher from Rapid7, called the situation "fairly stunning," and explained that the pivot from patching the vulnerability to total replacement of affected devices implies that the malware persists at a low level of the device. Wiping the device fails to remove malware once it has infiltrated that level, according to Condon. Moreover, Barracuda uncovered evidence of data exfiltration on some devices, and the malware gave attackers persistent backdoor access to them; Nicholas Weaver, a researcher from the International Computer Science Institute (ICSI), surmised that the malware was able to corrupt the firmware, making it next to impossible to remove.

Weaver suggested a state actor was responsible for the malware, as a ransomware actor would have no interest in that level of access. Firmware-level compromise makes the malware both harder to remove and stealthier, a trait of large-scale intrusion campaigns, and thus it is probable that foreign cybercriminals have been hoovering up all email communications for months.

In response to the situation, Barracuda advised its ESG customers to replace affected devices, rotate all connected credentials, and check for any signs of compromise dating back to at least October 2022. The company has also released network and endpoint indicators publicly to assist its customers in handling the situation.
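Barracuda's guidance amounts to a three-step remediation: replace the hardware, rotate every credential the appliance held, and sweep logs for the published network and endpoint indicators back to at least October 2022. The following is an added example of that last step and is not code from Barracuda, Mandiant or Krebs on Security. It assumes a simple key=value connection-log format (constructed here) and uses placeholder indicator values drawn from documentation address ranges; the real indicators come from the vendor advisory and would be substituted into `IOC_IPS` and `IOC_DOMAINS`. It enforces the lookback window so that pre-October-2022 entries are counted but not reported as hits, and it flags both direct connections to indicator IPs and any hostname that equals or sits under an indicator domain.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Barracuda's guidance: check for signs of compromise back to at least October 2022.
LOOKBACK_START = datetime(2022, 10, 1, tzinfo=timezone.utc)

# PLACEHOLDER indicators, constructed for this example from RFC 5737 / RFC 2606
# documentation ranges. Replace with the indicators published in the vendor advisory.
IOC_IPS = {ipaddress.ip_address("203.0.113.17"), ipaddress.ip_address("198.51.100.44")}
IOC_DOMAINS = {"ioc-placeholder.example"}

# Assumed (constructed) log line shape: ISO-8601 UTC timestamp, then src=, dst=, optional host=.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"(?:\s+host=(?P<host>\S+))?\s*$"
)


def parse_line(line):
    """Return a dict with ts/src/dst/host for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Older Pythons do not accept a trailing 'Z' in fromisoformat, so normalise it.
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def domain_matches(host, ioc_domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def match_indicators(rec):
    """Return the reasons this record matches an indicator (empty list if none)."""
    reasons = []
    try:
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        dst = None  # dst was not a literal IP; only the host field can match
    if dst in IOC_IPS:
        reasons.append(f"dst ip {rec['dst']}")
    if rec["host"] and domain_matches(rec["host"], IOC_DOMAINS):
        reasons.append(f"host {rec['host']}")
    return reasons


def sweep(lines):
    """Scan log lines and report indicator hits that fall inside the lookback window."""
    result = {"hits": [], "skipped_old": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        if rec["ts"] < LOOKBACK_START:
            result["skipped_old"] += 1
            continue
        reasons = match_indicators(rec)
        if reasons:
            result["hits"].append(
                {"ts": rec["ts"].isoformat(), "src": rec["src"], "dst": rec["dst"], "reasons": reasons}
            )
    return result


# Constructed sample log lines; 10.0.5.2 stands in for the gateway's own address.
SAMPLE_LOGS = [
    "2022-09-15T10:00:00Z src=10.0.5.2 dst=203.0.113.17 host=ioc-placeholder.example",  # before window
    "2022-11-02T03:14:07Z src=10.0.5.2 dst=203.0.113.17",                                # IP indicator
    "2023-05-21T22:01:00Z src=10.0.5.2 dst=192.0.2.9 host=update.ioc-placeholder.example",  # subdomain hit
    "2023-05-21T22:05:00Z src=10.0.5.2 dst=192.0.2.10",                                  # clean
    "this line is not in the expected format",                                           # unparsed
]

if __name__ == "__main__":
    report = sweep(SAMPLE_LOGS)
    for hit in report["hits"]:
        print(hit["ts"], hit["src"], "->", hit["dst"], "|", ", ".join(hit["reasons"]))
    print(f"skipped (before lookback): {report['skipped_old']}, unparsed: {report['unparsed']}")
```

Two design points matter in practice: the unparsed counter is reported rather than silently dropped, because a sweep that quietly ignores malformed lines can miss exactly the window an attacker tampered with, and the date floor is applied before matching so that a hit count of zero genuinely means no indicator activity inside the period Barracuda named.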
