
Barracuda recommends ‘full replacement’ of compromised email security gateway hardware

The email security company behind the hardware that enabled a data breach affecting the ACT government has recommended that all such hardware be immediately removed.

David Hollingworth
Fri, 09 Jun 2023

Barracuda updated its mitigation advice after revealing that its Email Security Gateway (ESG) hardware was likely compromised as far back as October 2022.

“Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now,” Barracuda’s new Action Notice read.

“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”


Previously, Barracuda had supplied a patch to mitigate the exploitation.

The company has reported the affected devices — versions 5.1.3.001-9.2.0.006 of the Barracuda Email Security Gateway appliance — were infected with Saltwater, a trojanised version of Barracuda’s own SMTP daemon, as well as the SeaSpy persistence backdoor, and SeaSide to monitor command and control traffic.

Taken together, the malware gives a threat actor a backdoor into affected networks, allowing them to run commands and upload or download files at will.

While no other victims of the exploited hardware have come forward, security company Rapid7 reported that there are around 11,000 affected devices currently in operation and that it has observed traffic between the gateways and threat actor infrastructure as recently as May 2023.

“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” Rapid7 researchers said in a blog post.

Sumit Bansal of BlueVoyant believes supply chain exploits of this kind will only become more common.

“Supply chain breaches like this are becoming more common. According to a recent survey of C-level executives in APAC, 97% say their organisation has been negatively impacted by a breach in their supply chain,” Bansal told us via email. “To help prevent breaches, organisations should first make sure they know which third parties they use or have used in the past, and what data and network access they may have. Managing your own network is a challenge in and of itself, and adding on the complexity of additional third parties providing services brings yet another layer on top of that. This should be ongoing and continuous and not merely a yearly compliance check.

“A supply chain defence platform can scan and detect all the suppliers, business partners, subsidiaries of organisations that have vulnerable systems which need to be patched before threat actors can exploit the systems. They can also alert and help remediate on an organisation’s behalf.”

The ACT government is still investigating the extent of the data breach affecting its own networks.

“We do believe there is a likelihood that some information could have been accessed through the vulnerability,” said Chris Steel, Digital and Data Special Minister of State for the ACT, during a press conference on 8 June. “The type of information, though, that we’re talking about is likely to come from a subset of automated emails related to government systems that have been impacted.”

“It’s now for us as the ACT government, not a question of if this will happen but when, and we’ve been preparing now over many years to try and harden our cyber security measures.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
