Barracuda ESG users told to throw away their hardware

Published 9 June 2023 (https://cloudnewshub.com/?p=92478)

Organisations operating Barracuda Networks' (https://www.barracuda.com/) Email Security Gateway (ESG) appliances vulnerable to a bug tracked as CVE-2023-2868 (https://nvd.nist.gov/vuln/detail/CVE-2023-2868) have been told to throw away their hardware, regardless of whether or not they have patched it, and seek a replacement.

Barracuda made a patch available on 20 May, having been alerted to suspicious traffic emanating from compromised ESG appliances on 18 May, but it now appears that the patch has proved insufficient.

"Impacted ESG appliances must be immediately replaced regardless of patch-version level," the organisation said in a statement.

"If you have not replaced your appliance after receiving notice in your UI, contact support now. Barracuda's remediation recommendation at this time is full replacement of the impacted ESG," it said.

First identified and disclosed in May 2023, CVE-2023-2868 is a remote command injection vulnerability present in versions 5.1.3.001 to 9.2.0.006 of physical ESG appliances. It enables an attacker to achieve remote code execution (RCE) with elevated privileges, and the supplier's investigation has found that it has been actively exploited since October 2022 (https://www.barracuda.com/company/legal/esg-vulnerability).

Aided by Google Cloud's Mandiant (https://www.mandiant.com/), Barracuda's investigation determined that the vulnerability was used to obtain unauthorised access to a subset of ESG appliances, onto which two backdoors dubbed Saltwater and Seaspy were placed, followed by a module called Seaside that monitored incoming traffic and established a reverse shell.

The vulnerability proved sufficiently serious for the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalogue (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), which mandates patching across the US government.

"The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn't eradicate attacker access," said Caitlin Condon, senior manager of vulnerability research at Rapid7 (https://rapid7.com/).

Condon said (https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/) that there may be as many as 11,000 ESG devices exposed to the public internet, and revealed that Rapid7's teams had identified significant volumes of malicious activity on a timescale consistent with Barracuda's assessment; the most recent communication with threat actor infrastructure was observed in May 2023.

She added that in some cases Rapid7 had observed potential data exfiltration from compromised networks, but that the team had not yet observed any lateral movement taking place from a compromised appliance.

Besides taking the vulnerable devices offline, users are also advised to rotate any credentials that may have been connected to them, including those for any connected Lightweight Directory Access Protocol (LDAP)/Active Directory, Barracuda Cloud Control, file transfer protocol (FTP) server and server message block (SMB) connections, as well as any private transport layer security (TLS) certificates.