Cyber Security Blog

Barracuda Email Security Gateway Attack

Written by Aditi Uberoi | 12 September 2023

When a product, that has the word 'Security' in its name, becomes the target of a zero-day attack which ends up compromising several other businesses, it is certainly an event to be studied and learn from. Hence, we created this timeline that covers everything that happened in the Barracuda Email Security Gateway Appliances Attack.  

We have created this educational timeline that covers the cyber incident as it unfolded in a chronological order. In this timeline, we’ve categorised the data as: The Incident, the Impact it had on the business and its many customers, and the actions taken by Barracuda and the government. 

Quick reading guide:

The vision behind creating these  Cyber Attack Timelines is not to turn the spotlight on the victim. Our endeavour is to merely collate all the information available in the public domain to create easy-to-consume educational collateral that can enhance awareness in the cybersecurity community. The objective, always, it to try and learn lessons from others' experiences and underline the importance of effective cyber incident response.  

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

About the Barracuda ESG Appliances Attack 

On May 19, 2023, Barracuda announced that it identified a vulnerability in its Email Security Gateway (ESG) Appliances. The vulnerability tracked as CVE-2023-2868 was exploited by malicious actors causing some ESG appliances to be compromised.  

Barracuda did patch the vulnerability and also deployed a second patch by May 21, 2023 but by then several customers had been affected. By the end of the month, however, the company announced that the vulnerability had actually been exploited since October 2022 and the attackers possibly had illicit access to a subset of ESG appliances. 

The shocker for the cybersecurity community came when on June 6, Barracuda published an action notice. This notice urged affected customers to "rip out" vulnerable hardware as just fixing them with patches wasn't going to work anymore. At this time, there were about 11,000 ESG Appliances on the internet. 

The latest update on Barracuda's blog says, "Barracuda is providing the replacement product to impacted customers at no cost. No other Barracuda product, including Barracuda’s SaaS email solutions, were impacted by this vulnerability." 

Barracuda Attack Timeline

In keeping with our organisational mission of consistently raising awareness about global cyber resilience, we have attempted to capture everything that went down in the Barracuda Zero-Day Attacks. Without trying to vilify anyone, the idea here is to highlight the importance of third-party security. These timelines are also meant to encourage all those reading it to learn from others' experiences and take a critical look at their own readiness against attacks of this nature.  

For businesses that need help, there is always options like our Virtual Cyber Assistant services. In a very cost-effective and flexible format, you get access to our highly experienced cybersecurity consultants  who can help you enhance your overall cybersecurity maturity and assess your third-party security. 

It is important to note that this timeline has been created on the basis of information that's available freely on the internet and in media reports. 

Read the Barracuda Attack Timeline.

 

Lessons Learned from the Barracuda ESG Appliances Attack 

Barracuda discovered the flaw in its email security gateway on May 19 this year and released patches on  May 20 and 2, 2023. It has been agile in its communication with affected customers through the ESG interfaces and has been posting regular updates on its website. 

The company also partnered closely with Mandiant and its government partners to investigate the depth and the extent of the malware. Mandiant linked the attack to suspected Chinese-nexus actors and recently published a report, identifying three backdoors which have allowed the threat actors to maintain persistent access.  

The lesson here is that everyone, even organisations providing security products to the likes of Samsung and Delta Airlines, can and will be targetted. The only way to ensure that your business is able to cope with the stress of an attack is to consistently practise good cybersecurity hygiene and prioritise cyber incident response. Regular cybersecurity drills, a solid incident response plan, effective ransomware response checklists are all steps you can work towards beginning today to bolster your cyber resilience. 

Cyber Management Alliance also offers a specialised Incident Response Retainer Service which allows you to call upon our cybersecurity experts in a crisis situation. They help you detect, contain and recover from cyber-attacks and ensure that the damage is mitigated as far as possible. 

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.