The FBI’s Cyber Division issued an advisory which “strongly advises” that organizations still using Barracuda Networks Email Security Gateway (ESG) appliances affected by an exploit of CVE-2023-2868 remove those appliances “immediately.” This advisory builds on the vendor’s own recommendations to replace its ESG appliances.

This is an extraordinary announcement as the vendor-provided patches have proven to be ineffective and nation-state actors continue to exploit this vulnerability as part of an ongoing cyber espionage campaign. The vulnerability allows the creation of backdoors to Barracuda ESG appliances. CISA analyzed the vulnerability and associated malware, identifying the backdoors as WHIRLPOOL, SUBMARINE, and SEASPY.

A Barracuda spokesperson provided the following statement:

Barracuda’s guidance remains consistent for customers. Out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance. If a customer received the User Interface notification or has been contacted by a Barracuda Technical Support Representative, the customer should contact support@barracuda.com to replace the ESG appliance. Barracuda is providing the replacement product to impacted customers at no cost.

We have notified customers impacted by this incident. If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time. Again, only a subset of ESG appliances were impacted by this incident.

Replace Your Barracuda ESG Appliances With Something (Anything) Else As Soon As Possible

While Barracuda’s position is that it has no reason to believe an appliance without a notification has been compromised at this time, that doesn’t change the fact that, for the second time in a few months, these devices have actively put the clients they are supposed to protect at risk. Compounding the vulnerabilities themselves is the fact that design decisions and product security flaws (in a security product, no less) are forcing the outright replacement of some devices in response to this campaign and similar ones.

If your managed service provider (MSP) or managed security services provider (MSSP) is behind the reason you chose Barracuda ESGs, request an appliance swap immediately or switch providers to one that recognizes that cybersecurity is a priority in their service delivery.

While you’re swapping out technologies, just go ahead and …

Move Your Email Filtering To The Cloud While You’re At It

Email security appliances have existed for over 20 years. Around the same time, the first email filtering services — like MessageLabs (acquired by Symantec/Broadcom), Mimecast, MX Logic (acquired by McAfee/Trellix), and Postini (acquired by Google) — came online. Enterprises adopted email security appliances to filter spam and malware-laden emails, preferring to self-manage instead of choosing a services approach to email security.

This approach made sense when email infrastructure was largely hosted on-premises and enterprises managed their own Exchange environments. Early cloud email filtering was not as feature-rich and did not offer the flexibility delivered by secure email gateway (SEG) appliances, so enterprises were slow to adopt these services.

Cloud-delivered email filtering, however, has come a long way since the early days. Filtering email before it impacted networks became the preferred approach to email security. When self-hosted Exchange environments moved to the cloud — as Hosted Exchange or Microsoft 365 — the appliance-based SEG became a less attractive deployment model.

If you weren’t already convinced that moving your email security to the cloud was a better approach, these exploits should convince you. Changing SEG appliances is time-consuming and leaves your organization at risk while the swap is underway.

Benefits of cloud-delivered email security over SEG appliances include:

  • Faster updates. As a software-as-a-service (SaaS) offering, software updates and patches are delivered automatically, preventing appliances from falling behind.
  • Vendor management. Customers can update and make changes to their instance of a cloud email security service, but the management and administration of the environment itself is offloaded to the vendor.
  • Simpler architecture. If you’ve already moved your email environment to the cloud (Exchange Online, Google Workspace, or Microsoft 365), cloud-delivered email security, whether delivered by the infrastructure vendor or a third party, is much cleaner than routing email through a SEG appliance and on to the email host. BTW, if you’re still hosting your own Exchange environment (which is subject to its own vulnerabilities and issues, especially on older versions), this is also the time to move your email infrastructure to the cloud.
  • Scalability. Cloud providers can expand services to meet demand, unlike appliances that require additional hardware or instances to scale.
  • No hardware. By definition, SEG appliances are built on vendor-provided or customer hardware. Hardware wears out and will eventually reach end of support or end of life, thereby requiring replacement. With cloud-delivered email security, there is no hardware for customers to worry about or replace.

Forrester’s report, The Enterprise Email Security Landscape, Q1 2023, provides an overview of email security vendors and several appliance alternative deployment models for email security. The Forrester Wave™: Enterprise Email Security, Q2 2023 delivers an evaluation of the 15 most significant email security vendors, including Barracuda’s cloud-based email protection offering. Read more about the Wave in this blog by Jess Burn. Use these reports to help choose your next email security solution.

Make sure to question your prospective cloud email security vendor about its product security practices. Just because a service runs in the cloud doesn’t make it more secure, as demonstrated by recently exploited vulnerabilities in Microsoft email services. However, cloud providers are well aware of the security implications of what they do. Remediation and mitigation in the cloud are also far easier than hardware replacement, and the need to replace hardware is the root of the ESG replacement problem in the first place.