Barracuda Networks Archives - My TechDecisions
https://mytechdecisions.com/tag/barracuda-networks/

Barracuda: Replace Compromised ESG Appliances Immediately
https://mytechdecisions.com/network-security/barracuda-replace-compromised-esg-appliances-immediately/
Mon, 12 Jun 2023 13:30:51 +0000

[Editor’s Note: This article has been updated to reflect Barracuda Networks’ official statement.]

Barracuda Networks is urging organizations with Email Security Gateway appliances impacted by a remote command injection bug in the devices to replace them, even if they were patched.

The company’s recommendation comes after Barracuda was first alerted to anomalous traffic coming from Email Security Gateway (ESG) appliances on May 18, which prompted the company to begin an investigation with the help of cybersecurity firm Mandiant.

This week, Barracuda updated its notice, urging customers with impacted ESG appliances to replace them regardless of their patch version level.

“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company says in its advisory.

According to the advisory, Barracuda identified a remote command injection vulnerability in their ESG appliance one day after discovering the “anomalous traffic” and engaging Mandiant. A patch was released a day after that on May 20, but the patch is apparently not enough to prevent compromise of the affected devices.

The company is also releasing a “series of security patches” to all appliances.

Exploitation for 10 months

Alarmingly, Barracuda and other cybersecurity firms say exploitation of these ESG appliances dates back to October 2022.

According to Barracuda, the vulnerability existed in a module which initially screens attachments of incoming emails. The bug has been leveraged to obtain unauthorized access to a subset of ESG appliances, and malware was identified on a subset of appliances to give attackers a backdoor.

Evidence of data exfiltration was also identified, the company says.

The company notified users with impacted appliances to take action, but “additional customers may be identified in the course of the investigation,” the firm says.

About the vulnerability and malware

According to Barracuda, the vulnerability, CVE-2023-2868, stems from “incomplete input validation of user supplied .tar files as it pertains to the names of files contained within the archive.”

This allows a remote attacker to format file names in a particular manner that would result in “remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” the company says.

Barracuda also identified three malware strains that make the backdoor possible.

Recommendations

Barracuda recommends that organizations with ESG appliances ensure the devices are receiving and applying updates and security patches. The company also recommends that organizations discontinue the use of compromised ESG appliances and contact the company’s support to obtain a new ESG virtual or hardware appliance.

In addition, organizations should rotate any applicable credentials connected to the ESG appliance, including:

  • Any connected LDAP/AD
  • Barracuda Cloud Control
  • FTP Server
  • SMB
  • Any private TLS certificates

Organizations should also review their network logs for any of the indicators of compromise listed in Barracuda’s advisory. They should contact compliance@barracuda.com if any are identified, the firm says.

Barracuda’s official statement

The company’s official statement reads as follows:

The latest information related to Barracuda’s Email Security Gateway (ESG) vulnerability and incident has been published on Barracuda’s Trust Center (https://www.barracuda.com/company/legal). The product CVE is published here: https://nvd.nist.gov/vuln/detail/CVE-2023-2868

An ESG product vulnerability allowed a threat actor to gain access to and install malware on a small subset of ESG appliances. On May 20, 2023, Barracuda deployed a patch to ESG appliances to remediate the vulnerability.

Not all ESG appliances were compromised, and no other Barracuda product, including our SaaS email solutions, was impacted by this vulnerability.

As of June 8, 2023, approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability. Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.

We have notified customers impacted by this incident. If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time. Again, only a subset of ESG appliances were impacted by this incident.  

Barracuda’s guidance remains consistent for customers. Out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance. If a customer received the User Interface notification or has been contacted by a Barracuda Technical Support Representative, the customer should contact support@barracuda.com to replace the ESG appliance. Barracuda is providing the replacement product to impacted customers at no cost.

If you have questions on the vulnerability or incident, please contact compliance@barracuda.com. Please note that our investigation is ongoing, and we are only sharing verified information.

Barracuda has engaged and continues to work closely with Mandiant, leading global cyber security experts, in this ongoing investigation. 

We will provide updates as we have more information to share.

Barracuda Launches New SASE Platform for Businesses, MSPs
https://mytechdecisions.com/it-infrastructure/barracuda-launches-new-sase-platform-for-businesses-msps/
Mon, 22 May 2023 20:15:00 +0000

Cybersecurity solutions provider Barracuda Networks is launching Barracuda SecureEdge, a new SASE solution designed to make hybrid and remote work environments easier to secure with integration into SD-WAN, firewall, zero trust and secure web gateway solutions.

According to the Campbell, Calif. cloud-first security company, its single-vendor SASE service is designed to help businesses and managed service providers (MSPs) strengthen their security posture and reduce costs. The company says Barracuda SecureEdge secures users, sites and IoT devices, and can connect any device, application and cloud or hybrid environment.

According to Barracuda, its SASE solution, delivered as a service, includes multi-layered network protection for consistent policy enforcement for both remote and in-office users, delivered from the cloud, on-prem or hybrid environments.

In addition, the solution offers protection against web-based threats regardless of user location, and secure remote access for any user to any application. SecureEdge also facilitates optimized cloud and application access from any user or site by providing Secure SD-WAN capabilities.

The solution also facilitates direct access to applications for remote users by leveraging Zero Trust enforcement, URL filtering, and traffic optimization to make the most of shared internet lines, the company says.

Specifically, Barracuda says SecureEdge provides control and visibility tools that give businesses and MSPs insight into user-generated traffic at each endpoint, allowing them to maintain control over critical application traffic.

Barracuda’s new SASE service also features intent-based networking policies that are applied across the entire platform, including SD-WAN and secure application access, and multiple levels of security and connectivity with auto-secure SD-WAN are included over all available uplinks.

In addition, Barracuda SecureEdge includes built-in last-mile optimization using advanced forward error correction algorithms to mitigate packet loss and optimize network traffic, which are applied when connecting office locations and endpoints.

“Barracuda’s new SecureEdge platform provides businesses and MSPs with a SaaS solution that makes remote and hybrid work easier to secure and helps to improve security and reduce costs,” said Tim Jefferson, senior vice president of engineering for data, network and application security at Barracuda, in a statement. “With SecureEdge, Barracuda offers a cloud-native SASE platform that enables customers to control access to data from any device, anytime, anywhere, and allows security inspection and policy enforcement in the cloud, at the branch, or on the device.”

Ransomware Actors May Be Targeting Organizations With Cyber Insurance
https://mytechdecisions.com/network-security/ransomware-actors-may-be-targeting-organizations-with-cyber-insurance/
Wed, 29 Mar 2023 20:18:41 +0000

Cybersecurity insurance is becoming a popular option for organizations looking to protect themselves from the financial risks of a cyberattack, but new data shows that organizations with cyber insurance may be more appealing to ransomware attackers.

According to Barracuda Networks, 77% of organizations with cyber insurance were hit by a successful ransomware attack in 2022, while just 65% of organizations without cyber insurance suffered the same fate.

The Campbell, Calif.-based firm’s 2023 Ransomware Insights report suggests that cybercriminals are more likely to target organizations with cyber insurance because insurers are typically willing to cover all or part of the ransom demand to speed up recovery.

However, Barracuda Networks’ report also shows that companies with cyber insurance were more likely to pay the ransom to get their data back, as 39% of organizations with cyber insurance paid the ransom compared to just 22% of organizations without cyber insurance.

In addition, organizations with cyber insurance were 70% more likely to be hit by two or more ransomware attacks.

According to the report, 63% of the global organizations surveyed for the report have cyber insurance, suggesting that ransomware actors continue to get paid and fund their activities.

Other findings in the report suggest that organizations hit with ransomware more than once were more likely to pay the ransom demand, as 42% of those hit three times or more paid the ransom to restore encrypted data. Meanwhile, 31% of victims of a single ransomware attack paid to restore their data.

As far as industries most targeted, Barracuda Networks’ research found that organizations in the energy, oil/gas and utility sector see an above-average success rate of ransomware attacks at 85%. This is due to the disruption that ransomware attacks can cause, as well as the size of the payout.

The company’s previous research into ransomware attacks showed that infrastructure-related cyberattacks have quadrupled. In addition, the sector is also the most likely to be affected by multiple attacks, with 53% reporting two or more successful ransomware incidents.

Other high targets of ransomware cited in the report include financial services and healthcare, but those sectors are less likely to be hit with multiple attacks.

Phishing emails are still the main delivery method leveraged by ransomware actors, with phishing accounting for 69% of attacks, followed by web applications and traffic. The research also found that 27% of the organizations surveyed feel they are not fully prepared to deal with a ransomware attack, suggesting that organizations are still behind when it comes to training and awareness.
