Cloud cybersecurity firm Barracuda Networks Inc. is telling customers to replace their vulnerable Email Security Gateway appliances immediately, even if they have installed all available patches.

In a dramatic measure announced on June 6, the company told customers that it begin assisting with replacing ESG appliances irrespective of their patch status in order to combat the current malware compromise the company detected in May.

“If you have not replaced your appliance after receiving notice in your UI, contact support now,” the company wrote in an advisory. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”

On May 18, the company said it hired the cybersecurity company Mandiant after it detected anomalous traffic on its networks from its Email Security Gateway devices, known as ESG appliances.

These devices are designed to sit at the edge of an organization’s network and scan all incoming and outgoing email traffic for malware. A first and last line of defense against potential harm via email, they can also be a potential entry point for attackers as they are an interface to the internet. These devices can be deployed as physical hardware or virtual appliances, or in a public cloud environment such as AWS or Microsoft Azure.

The next day, Barracuda identified a previously unknown exploit it identified as CVE-2023-2868, which was a remote command injection vulnerability. The company said that it believed that it had been exploited since October 2022.

On May 20, the company recommended that customers immediately update their ESGs and issued a patch to handle the vulnerability for appliances worldwide. The next day a script was also deployed to all impacted servers to help deal with the incident.

However, these efforts appear to have been for naught as the attackers left behind malware on the affected systems that have continued to wreak havoc that has continued extensive compromise of impacted systems.

“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” said Caitlin Condon, a researcher at cybersecurity firm Rapid7.

The malware left behind after exploiting the vulnerability is a trojanized module of the Barracuda Simple Mail Transfer Protocol daemon dubbed “SALTWATER” that contains a backdoor functionality. It includes the ability to upload or download files, execute commands and can allow attackers to tunnel into the network through the exploited ESG appliance.

“The vulnerability existed in a module which initially screens the attachments of incoming emails,” Barracuda said in the advisory. “No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified.”

In addition to discontinuing the use of and replacing affected ESG appliances, Barracuda recommended that customers immediately rotate the credentials of any devices or services connected to the devices on the network. Since the exploit has persisted since October, a thorough review of network logs could also reveal any potential intrusion.

The company said that it contacted users it knew to be affected by the exploit via the ESG user interface of the needed actions to take and also reached out to specific customers. The investigation is still ongoing and additional customers may be notified.

Image: Pixabay