The Australian Capital Territory Government is among an estimated 5% of Barracuda Networks’ Email Security Gateway customers who were told to rip-and-replace their appliance following a zero-day bug compromise.
Barracuda Networks initially disclosed the critical vulnerability (CVE-2023-2868) on May 19 and patched affected ESG appliances the following day, but last week the vendor warned those whose appliances had been compromised by the remote command injection vulnerability to immediately replace their affected appliances.
The government of the Australian Capital Territory (ACT) said in a statement it rebuilt its Barracuda system after detecting the vulnerability and determining it had been exploited by malicious hackers.
“The investigation has now identified that a breach has occurred and a harms assessment is underway to fully understand the impact specific to our systems, and importantly to the data that may have been accessed,” the statement said.
At a subsequent media briefing, the ACT Government’s Digital and Data Special Minister of State, Chris Steel, said there was a “strong likelihood” data had been stolen but “at this stage, we are not aware of any information that may have been accessed on any ACT Government systems being made available on the dark web”.
The ACT Government administers the Australian federal territory that is home to the nation’s capital city, Canberra, with a population of just under 500,000. Its ESG service was linked to several directorates, including the government’s main citizen-facing transaction portal, plus health and education services.
Personal data likely stolen
The vulnerability, with a CVSS base score of 9.4, was found in a module within the appliance used to screen attachments to incoming emails. In the ACT Government’s case, Steel said the exploit was likely to have impacted “a subset of automated emails related to government systems that have been impacted”. Those emails were sent as confirmation when citizens filled in webforms and contained some of the information they had supplied.
The ACT Government’s chief digital officer, Bettina Konti, told the media briefing it was not yet clear when threat actors gained access to the system. Cybersecurity firm Mandiant, hired by Barracuda to investigate the vulnerability, has found evidence it was exploited as far back as October 2022.
“We are some way through [the investigation], which is what made us think that there’s a likelihood here we may have had some personal information involved, but we need to be able to complete the harms assessment to be clear,” Konti said.
“If it is back as far as October, then that increases the amount of data we need to trawl through to try and understand what may have been accessed, whether anything has actually been taken.”
The exploit has so far not been attributed to a particular threat group and Steel said the ACT Government did not know who was responsible for the attack against its system.
“The threat actor themselves have not been in contact either with ourselves or, as far as we’re aware, Barracuda,” he said.
Plea to replace appliances ‘fairly stunning’
Barracuda said in an email statement that, as of June 8, approximately 5% of active ESG appliances worldwide had shown evidence of known indicators of compromise (IOCs) linked to the vulnerability.
“Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.”
Caitlin Condon, a vulnerability researcher with Rapid7, said in a blog post such a request by a vendor was surprising.
“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access.”
She advised Barracuda appliance operators to check back to at least October 2022 for signs of compromise using the network and endpoint indicators Barracuda has released along with YARA rules that could be applied to hunt for the malicious .tar (tape archive) files that exploited the vulnerability.
“Although sharing malware indicators like hashes and YARA hunting rules can be very useful, in this case they may not be as relevant unless teams have direct access to the operating system of the appliance or VMDK [Virtual Machine Disk] image,” Condon said.
“Network indicators like the IP addresses shared by Barracuda and also observed by Rapid7 services teams are a good start for reviewing network logs (e.g., firewall or IPS logs).”