Barracuda ESG Replacement

As more details of the Barracuda ESG 0 day compromise emerge from both Barracuda and Mandiant, it starts to make sense why Mandiant would recommended a complete replacement of all existing devices.

It appears that upon detection, the attackers managed to quickly deploy SANDBAR, which is a kernel rootkit to hide processes with certain names. This demonstrates the capability of the attacker and with slightly more time, they will definitely be able to enhance the rootkit to not only hide traces of their activity but also make it seem that the appliance has been patched to an unaffected version. Hence, the only surefire way is to physically replace all devices.

These are some possible enhancements that the attackers could possibly do to make the appliance look like it has been patched.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
    # attacker will likely simulate traffic, extract/run the required files for masquerading and just update the version number
    function perform_update(new_version_num)
        curl https://vendor.com/product?ver=new_version_num > /hidden_dir/updated_img
        unsquashfs("/hidden_dir/updated_img"); cp update_daemon /hidden_dir/update_daemon_ori
        /hidden_dir/update_daemon_ori; cat /proc/{pid}/mem > /hidden_dir/update_daemon_memdump; kill -9 {pid}
        sleep(30)
        set_version_num(new_version_num)
        return "Update completed"

    # if forensics were to take a hash/copy the update daemon file, return the contents of the original clean file
    # if forensics were to dump the memory of the running update daemon process, return a pre-dumped copy
    # everything in linux is a file :)
    function open(pathname)
        if pathname == "/bin/update_daemon":
            pathname = "/hidden_dir/update_daemon_ori"
        if pathname == "/proc/{pid}/mem":
            pathname = "/hidden_dir/update_daemon_memdump"

Once a device has been compromised to such a level, we will not be able to trust the output from any tools running on that system. We will need to do chip-off forensics; desolder the NAND flash chip, mount it onto a reader and read directly from the flash chip. This is a very intrusive process and may not work if there is disk encryption. It would thus make sense to recommend a complete replacement of all existing devices.



Tags: Server

Similar Articles

happy monthiversary - After more than half a year of tweaking + trial and error, I think I have finally pinpointed the cause of my server crashes. Nope, nothing to do with kernel stability, nothing to do with crond or ...
Software Versioning - I have recently started managing yet another server. The server is running Ubuntu 14.04 LTS and therefore support is good for another 5 years. Just to be safe, I double checked the openssl ...
Server cluster for $500 - Already have one, seven more needed. Just joking. Looks real nice with all the LEDs and stackable case.Cable management will be a nightmare though. 8 ARM CPUs, 16 cores clocked at 1.4Ghz. ...
Running HTTPS, SSH and VPN on port 443 - A port can only be bound to one service at a time, which makes perfect sense since the OS cannot possibly know which application to route the packet to. However, protocols often have distinct ...