Barracuda’s Directive to Replace, Not Patch, Email Security Gateway Appliances

Would your organization be able to quickly pivot to remediate a zero-day vulnerability in one of your security appliances?

Recently, Barracuda, a well-known storage, security and networking products company, has come under scrutiny for complex vulnerabilities discovered in their Email Security Gateway Appliance (ESG). Currently, Barracuda is recommending appliance replacement in certain situations, and whether you’re a Barracuda customer or not, there are some important lessons for consideration when exploring the events that occurred.

The Details

On May 18th, 2023, Barracuda was alerted to anomalous traffic coming from their Email Security Gateway appliances. Barracuda engaged Mandiant to assist in investigating the traffic. They quickly identified a zero-day vulnerability in their ESG appliances, CVE-2023-2868.

They also determined that a third party had been using the vulnerability to gain unauthorized access to ESG appliances. Barracuda quickly developed and released patches for the affected appliances, but also determined that malware allowing persistent backdoor access was present on a subset of the affected appliances. In addition, evidence of data exfiltration was found on some compromised appliances. The earliest evidence of this vulnerability exploitation goes back to October 2022.

Barracuda has attempted to be transparent with their customers over the course of the continuing investigation and has published the currently known Indicators of Compromise as well as Yara and Snort detection rules on their website. The investigation is still ongoing, but Barracuda has stated that they believe the vulnerability was exploited by “an aggressive and highly skilled actor,” identified by Mandiant as UNC4841, as part of a targeted information-gathering campaign.

Barracuda’s Guidance

Barracuda states on their website that “Impacted ESG appliances must be immediately replaced regardless of patch version level,” and that their remediation recommendation for the compromised ESG appliances “continues to be replacement of the compromised ESG.” It is important to note that currently, only some ESG appliances have shown known indicators of compromise, which is flagged via a message in the appliance’s User Interface. If you receive a message in the User Interface alerting you of compromise and have not yet replaced the appliance, you can contact Barracuda support at [email protected] to get a new ESG virtual or hardware appliance. Additionally, Barracuda recommends rotating any applicable credentials connected to the ESG appliance, including LDAP/Active Directory, Barracuda Cloud Control, FTP server credentials, SMB, and any private TLS certificates.

Why It Matters

While the investigation currently suggests that only a subset of ESG appliances were compromised, the level of compromise achieved was likely enough for the threat actor to maintain access even if the device was factory reset.  This conclusion is reinforced when reflecting on the change in guidance given by Barracuda and Mandiant from simply patching to completely replacing the compromised appliances. The investigation shows this zero-day was first exploited in October 2022, which means the threat actor may have been exfiltrating data from their targets for a significant period.

Risk Management

As part of risk management, everyone should be performing due diligence before making security appliance purchases. However, despite all the pre-purchase research, data gathering, and risk measurements, we have no control over unknown zero-day vulnerabilities or vulnerabilities that are discovered post-purchase.

Organizations should be following a risk management framework (RMF). For example, NIST’s Special Publication 800-37 discusses a Risk Management Framework. The NIST RMF includes a “monitoring” phase, which is important for ensuring ongoing reviews of your devices.  During this phase, organizations monitor the device, any controls related to the device, and the security disposition of the device. This allows an organization to be aware of new patches, updates, or informational releases for deployed devices. Monitoring can also take the form of regular reviews of vendor websites, forums, mail lists, device dashboards, and news updates.  The monitoring phase is extremely important regarding Barracuda’s ESG incident because their guidance changed from patch to replace for affected appliances.

Incident Response

According to the Barracuda investigation, threat actors were able to achieve malware-based backdoors on the ESG appliances. The investigation also discovered that a subset of infected appliances experienced data exfiltration of email data. If your organization were to experience a similar situation with a deployed network device, how would you respond?

In our experience, the difference between a chaotic response and a professional response is a developed and mature incident response plan (IRP). An organization experiencing such events should remain calm and work through the processes and procedures expressed within their IRP. The IRP should have specific roles defined for different types of incidents.  An IRP can contain actions ranging from “patching” to “erase and reinstall” to “must replace”.

Another aspect of a developed and matured IRP is a tabletop exercise (TTX).  A TTX is basically a meeting/conversation where an organization tests out their IRP. The TTX starts with a brief description of a fictitious event within the organization.  The organization must then describe its response, in real-time.  The TTX continues with additional events and/or descriptors, often called “data injects” and the organization provides additional responses guided by their IRP.

The TTX provides IRP practice for an organization.  During the TTX, conversations occur that help an organization realize the strengths as well as the weaknesses of its IRP. It’s best practice to conduct a TTX on a regular basis throughout the year, especially when new security scenarios are realized.

Schneider Downs can assist you with your RMF, IRP, and TTXs.  It doesn’t matter if your RMF, IRP, or TTXs are non-existent or mature, we can help.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our?Digital Forensics and Incident Response?teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind. 

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe. 

To learn more, visit our dedicated Cybersecurity page.