Barracuda Urges Swift Replacement of Vulnerable ESG Appliances
Enterprise-grade security solution provider Barracuda has urged customers to replace Email Security Gateway (ESG) regardless of patch version level.
This follows attacks observed targeting a now-patched zero-day vulnerability. The flaw (tracked CVE-2023-2868) was exploited as early as October 2022 and patched remotely back on May 20, 2023. The attackers’ access to the compromised appliances was reportedly cut off one day later by deploying a dedicated script.
According to Barracuda’s original advisory, published on June 1, the vulnerability that was discovered exists within a module responsible for screening email attachments. This was updated on June 6 to encourage the replacement of the ESG.
Read more on email-focused attacks: Microsoft Warns of Increase in Business Email Compromise Attacks
The firm determined that the flaw was exploited to gain unauthorized access to a specific subset of ESG appliances. Malware was then found on a portion of these appliances, allowing for persistent backdoor access. Evidence of data exfiltration has also been discovered on some affected devices.
Incident response teams from security firm Rapid7 are also investigating the ESG exploitation bug and have published a blog post on the findings on Thursday.
“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” reads the Rapid7 advisory.
According to insights shared by John Bambenek, principal threat hunter at Netenrich, customers dealing with virtual appliances will have an easier time. In such cases, the solution is relatively simple—provisioning and configuring a new virtual appliance and removing the old one.
“Those using hardware appliances will have a difficult road ahead of them as they need to get a new device to replace it with,” Bambenek added.
The Barracuda updates on CVE-2023-2868 come a few months after Quarks Lab revealed that two previously discovered TPM 2.0 library vulnerabilities could have affected billions of Internet of Things (IoT) devices.