Barracuda Networks has told customers they must replace vulnerable email gateway appliances following the disclosure of a critical security flaw.
The technology company, which provides security, networking and storage products, is issuing the extraordinary guidance as it struggles to contain a zero-day flaw that hackers have exploited since October.
Hackers are abusing the critical-rated vulnerability, tracked as CVE-2023-2868, to install two types of malware, dubbed “Saltwater” and “SeaSpy,” which create a backdoor on vulnerable Barracuda Email Security Gateway (ESG) appliances that can be used to exfiltrate sensitive corporate data. ESG products are essentially firewalls for email, and are used for filtering inbound and outbound emails for potentially malicious content.
Barracuda said it first discovered the vulnerability on May 19 and deployed a patch “to all ESG appliances worldwide” the following day. Another update was deployed on May 21.
This week, however, Barracuda added an “action notice” to its advisory, urging all affected customers to replace ESG appliances impacted by the vulnerability, regardless of firmware version or patch level. According to Barracuda, affected customers have already been notified through the user interface of the breached ESG appliances.
“If you have not replaced your appliance after receiving notice… contact support now,” Barracuda said. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
TechCrunch asked Barracuda why customers need to replace patched appliances but did not immediately receive a response. Barracuda, which claims to have more than 200,000 corporate customers globally, has also yet to confirm how many organizations have been impacted.
Cybersecurity firm Rapid7, which is investigating the incident, tells TechCrunch that there appear to be about 11,000 vulnerable ESG devices still connected to the internet worldwide.
“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” said Caitlin Condon, a security researcher at Rapid7.
In addition to replacing impacted devices, Barracuda is urging ESG customers to rotate any credentials connected to the appliances and to check for signs of compromise dating back to at least October 2022.
CISA, the U.S. government’s cybersecurity agency, added the Barracuda bug to its Known Exploited Vulnerabilities Catalog late last month and has urged federal agencies with ESG appliances to check their networks for evidence of breaches.