Barracuda Says Attacks On Compromised Email Security Customers Are ‘Ongoing’

The disclosure appears to shed light on the vendor’s recommendation that impacted customers should ‘immediately’ replace Email Security Gateway appliances.

Barracuda disclosed Friday that it believes 5 percent of active Email Security Gateway appliances were compromised by attackers, and that there is “ongoing malware activity” on some of those devices.

The disclosure appears to shed light on the cybersecurity vendor’s recommendation earlier this week that impacted customers should “immediately” replace ESG appliances affected by a recently revealed critical vulnerability.

[Related: Barracuda Email Gateway Breach: 5 Things To Know]

In a statement provided to CRN, Barracuda said that as of Thursday, “approximately 5 percent of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability.”

“Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances,” the company said in the statement. “Therefore, we would like customers to replace any compromised appliance with a new unaffected device.”

Barracuda said it will provide the replacement appliance at no cost to affected customers.

“If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise,” the company said. “If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time.”

In an update to its post about the breach Tuesday, Barracuda had urged replacement of impacted ESG appliances, but had not shared the reasoning for the recommendation or said whether the cost of the appliances would be covered by the company.

“Impacted ESG appliances must be immediately replaced regardless of patch version level,” Barracuda wrote in the post update, adding that its “remediation recommendation at this time is full replacement of the impacted ESG.”

Barracuda has said that the vulnerability was discovered May 19, and the company deployed a patch “to all ESG appliances worldwide” the following day. A second patch was deployed May 21 to all Email Security Gateway appliances.

The investigation so far has found that the vulnerability “resulted in unauthorized access to a subset of email gateway appliances.” Affected customers have been notified, Barracuda said.

Campbell, Calif.-based Barracuda initially disclosed the breach May 24. Further investigation—which has included assistance from incident response firm Mandiant—uncovered evidence that the vulnerability had been exploited as far back as October 2022, the company said in an updated disclosure June 1.

Barracuda’s Email Security Gateway is a product used by on-premises customers for filtering of all email traffic, both inbound and outbound. The appliance, which is cloud-connected, is often used to protect Microsoft Exchange environments.

The company’s investigation found that attackers deployed two types of malware, Saltwater and SeaSpy, in order to create a backdoor into impacted ESG appliances. The attackers also used a tool known as SeaSide for remotely issuing commands to the systems, according to Barracuda.

“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” wrote Caitlin Condon, a security researcher at Rapid7, in a blog post Thursday.