Barracuda Networks advised customers to replace vulnerable email gateway appliances following a critical security flaw.
The guidance is unusual: the security, networking, and storage company is still contending with a zero-day flaw that hackers have been exploiting since October 2022.
Attackers are using CVE-2023-2868, a critical vulnerability, to install the “Saltwater” and “SeaSpy” malware on vulnerable Barracuda Email Security Gateway (ESG) appliances and exfiltrate sensitive corporate data. ESG appliances sit at the network edge, much like a firewall, and filter inbound email for malicious content.
Barracuda discovered the vulnerability on May 19 and pushed a patch to “all ESG appliances worldwide” the next day, followed by a second update on May 21.
This week Barracuda added an “action notice” to its advisory, urging customers to replace ESG appliances affected by the vulnerability regardless of firmware version or patch level. Barracuda says affected customers were notified through the user interface of the compromised ESG.
Customers who received such a notice but have not yet replaced their appliance are advised to contact support. “Barracuda recommends replacing the affected ESG.”
Barracuda did not immediately answer a question about why appliances that have already been patched also need to be replaced. The company, which claims over 200,000 corporate customers worldwide, has not confirmed how many organizations were affected.
Rapid7, a cybersecurity firm investigating the incident, says about 11,000 vulnerable ESG devices are still exposed online worldwide.
“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” said Rapid7 security researcher Caitlin Condon.
Barracuda also advises ESG customers to rotate credentials and to check their environments for signs of compromise dating back to October 2022.
CISA, the U.S. cybersecurity agency, added the Barracuda bug to its Known Exploited Vulnerabilities Catalog late last month and advised federal agencies running ESG appliances to check their networks for signs of a breach.