The ACT Government is responding to a security breach after Barracuda Networks, a provider of email gateway systems, reported a critical zero-day flaw in its appliances.

ACT government chief digital officer Bettina Konti revealed it was likely some personal information was involved in the incident, but confirmation is pending the outcome of a harms assessment that is still under way.

Network security vendor Barracuda, which supports a range of ACT Government ICT systems, issued a public vulnerability notification on 24 May to warn its customers of a vulnerability in its Email Security Gateway (ESG).

ESG devices are placed on the edge of a given organisation's network, and are designed to scan incoming and outgoing email for malware and malicious content before it reaches other systems.

Although Barracuda's vulnerability notification arrived late last month, the company found that the earliest evidence of exploitation dated back to October 2022.

In a Thursday statement, ACT Special Minister of State Chris Steel said the ACT Cyber Security Centre had investigated and confirmed that a breach had indeed occurred.

"As part of our routine cyber security measures, the ACT Cyber Security Centre discovered the public notification and investigated," said Steel.

"The investigation has now identified that a breach has occurred and a harms assessment is underway to fully understand the impact specific to our systems, and importantly to the data that may have been accessed."

Initially, Barracuda disclosed the flaw (tracked as CVE-2023-2868) in a brief announcement stating the vulnerability existed "in a module which initially screens the attachments of incoming emails", and that it solely affected the company's ESG customers.

One week later, the company published an update with far greater detail – identifying the flaw as a remote command injection vulnerability found across Barracuda ESG versions 5.1.3.001 through 9.2.0.006.

Attackers exploiting the flaw were able to backdoor customers' ESG appliances with custom malware and steal sensitive data.

"Barracuda Networks’ priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks," said Barracuda.

"We will continue active monitoring of this situation, and we will be transparent in sharing details on what actions we are taking."

On 6 June, when advising its customers on how to address the vulnerability, the vendor urged hardware owners to physically remove and outright decommission affected appliances.

Zero-day vulnerabilities are typically addressed through patching – developing and distributing a software update that closes the security flaw.

While Barracuda did release a global patch on 20 May to remediate the vulnerability, the company still advises customers to discontinue use of compromised appliances – suggesting the issue may not be entirely remediable through software fixes alone.

"Impacted ESG appliances must be immediately replaced regardless of patch version level," the company's advisory warned.

"Barracuda's recommendation at this time is full replacement of the impacted ESG."

As part of its own investigation into the exploit, security vendor Rapid7 estimates there are about 11,000 Barracuda ESG appliances exposed on the internet.

In the ACT government's case, Steel said the ACT Cyber Security Centre had already completed a "rebuild" of the impacted Barracuda system to "eliminate any ongoing vulnerability".

The statement went on to assert that the actions taken so far have "contained the breach" and that there is no ongoing threat.

"Canberrans can continue to use ACT Government online systems with confidence," said Steel.

Whether the ACT government has merely suffered a minor data compromise, or malicious threat actors have been exfiltrating emails for months, remains unknown to the public.