Barracuda: Replace Compromised ESGs Right Away
Barracuda Networks is now urging users to replace compromised Email Security Gateways (ESGs) rather than attempt to patch them. On May 18, Barracuda learned that a zero-day vulnerability in the devices was being exploited; it released patches several days later. Barracuda's investigation revealed that the vulnerability has been exploited since at least October 2022.
It is always recommended to rebuild systems involved in a compromise "from scratch," and to not just remove specific artifacts left behind by the attacker. But we hardly ever see a vendor's full support. I have not seen details about how Barracuda will replace the devices (easier if they are virtual), but applaud Barracuda. In particular for somewhat customized appliances, it can be difficult to conclusively assess what modifications were made by an attacker.
A long list of email security and web security gateways have been announcing the discovery of long-resident zero-days. Good idea to preemptively check the patch status of ESG and WSG appliances in particular, and to prioritize threat hunting on those network segments.
Barracuda had previously said they were replacing affected appliances or virtual machines, which has likely generated a queue for physical hardware, so don't wait: get hold of your sales rep (now) to not only get your request queued up, but also find out what your options are. Have your staff brush up on the replacement process; you don't want the replacement sitting on a shelf, or running in parallel or standby, any longer than is absolutely needed. Consider recreating the configuration rather than exporting it from a potentially compromised device.
Well, this is the worst-case scenario. If someone has a Barracuda Email Security Gateway they want to send my way instead of sending it to the trash, I'm happy to have it. Will this keep Barracuda customers in their ecosystem or move them to a cloud-based service? Hard to tell what the impact here is, since many customers may be used to refreshing this hardware frequently.
It seems as though email security gateways have been a target of evildoers over the last year. Even if you don't use Barracuda appliances, I still recommend checking the patch status of your chosen email security gateway. For Barracuda users, there's no time like the present to have that difficult customer service discussion with them… and update the appliance.