Barracuda Networks says hacked devices “must be immediately replaced” despite patches

A critical vulnerability in Barracuda Networks’ email security gateway (ESG) devices now means all devices must now be replaced.

The order came directly from the security company this week which said devices should be replaced regardless of whether the zero-day vulnerability was patched.

Barracuda updated its security advisory and also communicated the instruction to customers via the user interface of their ESG devices.

“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company said. “Impacted ESG appliances must be immediately replaced regardless of patch version level.”

Barracuda has not offered any further description as to why the devices must be fully replaced, but it may be due to the malware installed after exploiting the vulnerability allowing for persistent backdoor access for attackers.

The firm, which has more than 200,000 customers globally, has been engaging affected clients since news of the vulnerability emerged in late May. 

Barracuda ESG vulnerability - what happened?

Last month, Barracuda said it detected “anomalous traffic” originating from its email security gateway appliances. A subsequent investigation identified a critical vulnerability exploit, tracked as CVE-2023-28681, in the appliance. 

Initially, the company issued a patch to remediate the vulnerability for all ESG appliances globally. A script was deployed to contain the incident and prevent unauthorized access methods, Barracuda said. 

However, last week the company revealed that further analysis of the incident found the vulnerability had been actively exploited for several months before it was discovered and patched. 

Barracuda said the “earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022”.

The vulnerability enabled threat actors to obtain “unauthorized access to a subset of ESG appliances”, it added. The company said that malware was identified on a subset of appliances, offering would-be attackers persistent backdoor access. 

Two particular malware strains were uncovered by Barracuda during its post-mortem analysis of the incident. 

The first was SALTWATER, a “trojanized module for the Barracuda SMTP daemon that contains backdoor functionality”. 

The second malware strain, known as SEASPY, was also identified. SEASPY also offered attackers backdoor functionality with persistence, while disguising itself as a legitimate Barracuda Networks service. 

No other Barracuda products, including its SaaS email security services, were affected by the vulnerability, Barracuda said. 

ITPro approached Barracuda Networks for comment on the latest update.