Barracuda ESG Replacement

As more details of the Barracuda ESG 0-day compromise emerge from both Barracuda and Mandiant, it starts to make sense why Mandiant would recommend a complete replacement of all compromised devices.

It appears that upon detection, the attackers quickly deployed SANDBAR, a kernel rootkit that hides processes with certain names. This demonstrates the attacker's capability: with slightly more time, they could extend the rootkit not only to hide traces of their activity but also to make the appliance appear to have been patched to an unaffected version. Hence, the only surefire way to get rid of them is to physically replace the devices.

These are some enhancements the attackers could make so that the appliance looks like it has been patched.

    # Attacker-side sketch (pseudocode; sh/spawn/pid_of/real_open/set_version_num are
    # placeholders). perform_update() fetches the genuine update, runs the real
    # update daemon once to record a clean memory image, kills it, and then only
    # bumps the version string so the appliance reports itself as patched. In
    # practice the attacker would also simulate the update's network traffic.
    def perform_update(new_version_num):
        sh(f"curl https://vendor.com/product?ver={new_version_num} > /hidden_dir/updated_img")
        sh("unsquashfs -d /hidden_dir/fs /hidden_dir/updated_img")
        sh("cp /hidden_dir/fs/bin/update_daemon /hidden_dir/update_daemon_ori")
        pid = spawn("/hidden_dir/update_daemon_ori")           # run the clean daemon once
        sh(f"cat /proc/{pid}/mem > /hidden_dir/update_daemon_memdump")
        sh(f"kill -9 {pid}")
        sleep(30)                                               # look like a real update took time
        set_version_num(new_version_num)                        # only the reported version changes
        return "Update completed"

    # Rootkit-side hook on open(). If forensics hash or copy the update daemon
    # binary, hand back the clean original; if they dump the memory of the running
    # (trojaned) update daemon, hand back the pre-recorded clean dump.
    # Everything in Linux is a file :)
    def open(pathname, *args):
        if pathname == "/bin/update_daemon":
            pathname = "/hidden_dir/update_daemon_ori"
        elif pathname == f"/proc/{pid_of('update_daemon')}/mem":
            pathname = "/hidden_dir/update_daemon_memdump"
        return real_open(pathname, *args)

Once a device has been compromised to this level, we cannot trust the output of any tool running on that system. We would need chip-off forensics: desolder the NAND flash chip, mount it on a reader, and read directly from the flash. This is a very intrusive process and may not work if the storage is encrypted. It therefore makes sense to recommend a complete replacement of all compromised devices.
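The practical consequence of the hooked open() above is that a hash taken on the live appliance proves nothing by itself; it has to be compared against the same file read from an independently acquired copy of the storage. The following is an added example of that cross-view check, not code from the original post or from Barracuda or Mandiant. The file paths, the version file, the fake ELF contents and the two "views" (what the compromised OS returns versus what a chip-off image contains) are all constructed for illustration, with a tar archive standing in for the extracted flash image.

```python
"""Cross-view check: compare what the running appliance reports for a set of
critical files against the same files read from an independently acquired
image (e.g. a chip-off NAND dump mounted on a clean analysis host).

Added example, not code from the original post or from Barracuda/Mandiant.
Paths, version file and the two "views" below are constructed for illustration.
"""
import hashlib
import io
import tarfile
from typing import Callable, Dict, List, Tuple

# Files worth comparing on a suspect appliance: the update daemon (which the
# attacker's open() hook would mask) and the file that reports the firmware
# version (which the attacker bumps to look patched). Assumed paths.
CRITICAL_PATHS = ["bin/update_daemon", "etc/version"]

CLEAN_DAEMON = b"\x7fELF clean update daemon build"          # constructed
TROJANED_DAEMON = b"\x7fELF update daemon + implant stub"    # constructed
VERSION_FILE = b"9.2.0.007\n"                                # constructed, "patched" string


def build_offline_image() -> bytes:
    """Constructed stand-in for a filesystem extracted from the flash dump:
    the real on-disk daemon is trojaned, but the version file says 'patched'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("bin/update_daemon", TROJANED_DAEMON),
                           ("etc/version", VERSION_FILE)]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def offline_reader(image: bytes) -> Callable[[str], bytes]:
    """Read a path straight out of the acquired image, bypassing the suspect OS."""
    def read(path: str) -> bytes:
        with tarfile.open(fileobj=io.BytesIO(image), mode="r") as tar:
            member = tar.extractfile(path)
            if member is None:
                raise FileNotFoundError(path)
            return member.read()
    return read


def live_reader_compromised(path: str) -> bytes:
    """Simulates the view a hooked open() presents: the clean daemon for the
    daemon path, and the bumped version string for the version file."""
    live_view: Dict[str, bytes] = {
        "bin/update_daemon": CLEAN_DAEMON,
        "etc/version": VERSION_FILE,
    }
    return live_view[path]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cross_view_diff(live: Callable[[str], bytes], offline: Callable[[str], bytes],
                    paths: List[str]) -> List[Tuple[str, str, str, str]]:
    """For each path return (path, live_sha256, offline_sha256, verdict).
    Any MISMATCH means the running OS is not telling the truth about its files."""
    results = []
    for p in paths:
        live_hash, offline_hash = sha256(live(p)), sha256(offline(p))
        verdict = "MATCH" if live_hash == offline_hash else "MISMATCH"
        results.append((p, live_hash, offline_hash, verdict))
    return results


def appliance_is_trustworthy(results: List[Tuple[str, str, str, str]]) -> bool:
    return all(verdict == "MATCH" for *_, verdict in results)


if __name__ == "__main__":
    image = build_offline_image()
    report = cross_view_diff(live_reader_compromised, offline_reader(image), CRITICAL_PATHS)
    for path, live_hash, offline_hash, verdict in report:
        print(f"{verdict:8} {path}  live={live_hash[:12]}  offline={offline_hash[:12]}")
    print("trustworthy:", appliance_is_trustworthy(report))
```

Note what the comparison does and does not show: the version file matches in both views, because the attacker really did write the new version string to disk, so a "patched" version banner alone is worthless as evidence; the daemon binary mismatches, which is the only signal that the live system is lying. The check depends entirely on the offline side being acquired without going through the suspect kernel, and it still fails if the flash is encrypted with a key only the appliance holds, which is the caveat above.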