
ACTION REQUIRED: (TLP: CLEAR) Barracuda Recommends Disconnecting Equipment Following Zero-Day Attack

Thanks David.


From: David E. W. Best <David@brooklyn.cuny.edu>
Sent: Friday, June 9, 2023 1:02 PM
To: Robert Berlinger <robert.berlinger@CUNY.EDU>
Subject: RE: ACTION REQUIRED: (TLP: CLEAR) Barracuda Recommends Disconnecting Equipment Following Zero-Day Attack


We are current with patches and Barracuda says that unless you see a notice in the GUI there is no action needed.


From: CUNY Information Security Announcements [mailto:CUNY-INFOSEC-ANNC@LISTSERV.CUNY.EDU] On Behalf Of Robert Berlinger
Sent: Friday, June 09, 2023 9:02 AM
To: CUNY-INFOSEC-ANNC@LISTSERV.CUNY.EDU
Subject: ACTION REQUIRED: (TLP: CLEAR) Barracuda Recommends Disconnecting Equipment Following Zero-Day Attack
Importance: High




[ For campuses that operate Barracuda – advise of status immediately if your campus has been affected and appliances must be replaced. – Robert ]

ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).  

Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG. 

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

Summary: Following an identified zero-day vulnerability disclosure (CVE-2023-2868) and previous mitigation efforts, Barracuda Networks sent an urgent notice this week telling customers to immediately decommission and replace all instances of the technology. The company recently reported that users could successfully patch vulnerable Email Security Gateway (ESG) appliances, but in its posted update this week said the hardware must be immediately replaced regardless of patch version level.

Cybersecurity firm Rapid7 posted on its blog (weblink below) that incident response teams continue to investigate the exploitation of ESG appliances dating back to at least November 2022.  Rapid7 further stated it identified malicious activity with the most recent communication with threat actor infrastructure observed in May 2023 and in at least one case, outbound network traffic indicated potential data exfiltration.

Rapid7 Blog: hxxps://www.rapid7[.]com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/

NYSIC CAU Analyst Note:  The Cybersecurity and Infrastructure Security Agency warned federal agencies and the public two weeks ago and NYSIC CAU issued a threat report on May 31, 2023 regarding this vulnerability.  Barracuda said it initially was alerted to anomalous traffic originating from ESG appliances on May 18 and hired security firm Mandiant to investigate the issue before CVE-2023-2868 was discovered.  Barracuda Networks advisory (weblink below) notes several strains of malware that have been used during the exploitation of the bug, including three labeled as Saltwater, SeaSpy and Seaside. They give hackers a backdoor into compromised systems and allow them to take a range of actions against victim networks.

Barracuda Networks Advisory: hxxps://www.barracuda[.]com/company/legal/esg-vulnerability

This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.

