Barracuda found a backdoor trigger in their patched systems 

When Barracuda released a patch on May 18th, it thought it had fixed their 0-day malware problem, but the hackers had other ideas. Some Barracuda users that replaced infected appliances, found the malware reappeared in the new devices. According to Mandiant researchers brought in to remove the malware, this was because:

“It was common practice for impacted victims to export their configuration from compromised appliances so it could be restored into a clean one. Therefore, if the DEPTHCHARGE (malware) trigger was present in the exported configuration, it would effectively enable UNC4841 to infect the clean device with the DEPTHCHARGE backdoor through this execution chain, and potentially maintain access even after complete replacement of the appliance.”

Previously, on May 18th, Barracuda had released a patch to remove UNC4841 from customers devices, but unbeknownst to Barracuda or the Mandiant researchers brought in to remove the malware, the attackers anticipated this action and responded by installing new malware families labeled SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE. “This second surge represented the highest intensity of UNC4841 activity identified by Mandiant across the entire campaign, demonstrating UNC4841’s determination in preserving access to specific victim environments.” This defensive move on the part of the attackers was only performed on a very limited number of high priority victims, estimated to be hundreds of devices.

Dave Ratner, CEO, HYAS had this to say:

   “Unfortunately, it is far too common for bad actors to leave hidden backdoors or otherwise initiate mechanisms to maintain their hold on a victim, even post cleanup. The only real way to ensure that incident response and system cleanup has been successful is monitoring the communication traffic leaving the organization — remaining backdoors or infections will continue to beacon out to adversary infrastructure, and with the right visibility this can alert you to their remaining footholds and allow you to truly cleanup after an attack.”

Carol Volk, EVP, BullWall follows with this:

   “Backing up infected files definitely happens. In incident response sessions, we always stress recreating infrastructure from the ground up (not using anything that existed previously) as the best practice for exactly this reason. Usual approaches to prevention cannot prevent this because attackers will always find a way in, so containment is critical.”

Clearly the playbook for dealing with threats to Barracuda hardware is to get a new appliance and set it up from scratch which shows you how crafty these threat actors are. Perhaps this should be in the playbook for any intrusion that you might be dealing with? Just a thought.

Leave a Reply

%d bloggers like this: