Barracuda Urges Customers to Replace the Vulnerable ESG Appliances

Written by: Shipra Sanganeria, Cybersecurity & Tech Writer

Data protection and enterprise security company Barracuda Networks has urged customers affected by the zero-day vulnerability to immediately replace ESG hardware and virtual appliances.

In its June 1 advisory, Barracuda disclosed that the vulnerability was found in a module which initially scans incoming email attachments. Upon discovery, security patches were issued immediately, and a script was deployed to contain and counter the unauthorized access attacks.

However, in a sudden move, the company issued a replacement advisory. The reasons behind the announcement were not disclosed, but it can be assumed that the malware’s effect on the now-patched vulnerable devices is at a much deeper level.

“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” noted Rapid7 in its investigation of exploited physical ESG devices.

According to the company’s latest report, the flaw (CVE-2023-2868), which was present in its ESG versions 5.1.3.001-9.2.0.006, was being exploited as early as October 2022. This flaw allowed threat actors to access a subset of ESG appliances.

Different modules of the malware were found during the investigation. Dubbed Seaspy, Saltwater and Seaside, the trojans have the capability to create persistence (backdoor access), upload or download files, establish a reverse shell, and run commands.

“Evidence of data exfiltration was identified on a subset of impacted appliances,” noted the advisory.

The company has yet to confirm the actual number of affected customers, as its investigation is still ongoing. Meanwhile, to mitigate risks, Barracuda has announced full replacement of affected devices and urged customers to investigate their network environment and rotate ESG device credentials.
