The intruders, most likely the Chinese government considering the targets and sophistication, did quite an amazing job.
They did a very clever thing. As they were undetected for quite some time, they embedded persistent re-entry code. They slid some auto-executing malware into a configuration backup, so that when the sysadmins of a site backed up their Barracuda configuration in case of a future restore, they backed up the code that hacked them! Then when it was reported that their email firewalls had been compromised, they wiped them out or replaced them, then restored their backups, thus - in some cases - reinfecting them!
It wasn't an across-the-board reinfection. Since the intruders knew where they 'were', they were able to target the highest-value targets to return to, and those were the ones they launched this scheme with.
As a retired system administrator and former Cisco certified geek, let me explain this a little more. I have experience configuring routers and firewalls, and whenever you configure one of these or make a change, you back up or export the configuration from the device to somewhere on your network. This way, if that device crashes or resets hard or goes up in flames or is stolen, you've got a fallback point. And in this case, if you were at one of these high-value targets, you just backed up the malware package that restores the compromise. It's pretty easy to restore that config file and get your router or firewall back up and running. The thing is, these configurations can get scary complicated, especially on a border router (the border between your internal network and the external internet). You don't want to have to recreate that from scratch. And while I've never worked with an email security device like a Barracuda, I can easily imagine its configuration is far from trivial. The smart thing to do would be to have a printout of the configuration and to be able to key it in manually or verify that your restore recreated what that hardcopy reads as, but I'll bet 99%+ of installations don't do that. The main reason is that you'd have two people trying to double-check probably thousands of lines of code, making sure they line up. Assuming they can find the latest copy. A tiresome, thankless, and possibly impossible task. And that device is down while they're doing it.
https://arstechnica.com/security/2023/08/barracuda-thought-it-drove-0-day-hackers-out-of-customers-networks-it-was-wrong/
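The hardcopy comparison described above can be automated. This is an added example, not code from Barracuda or the linked article; it assumes the configuration export is line-based text and that a SHA-256 digest of a known-good baseline was recorded off the device when it was approved. The config keys and values are constructed.

```python
import difflib
import hashlib

# Constructed sample data: a baseline export approved before any incident,
# and a later backup that is about to be restored.
BASELINE = ("hostname = mailgw01\nsmtp_relay = 10.0.0.25\n"
            "admin_acl = 10.0.5.0/24\n")
CANDIDATE = ("hostname = mailgw01\nsmtp_relay = 10.0.0.25\n"
             "admin_acl = 0.0.0.0/0\nstartup_task = unreviewed-entry\n")


def digest(text):
    """SHA-256 of a config export, to be stored away from the device."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def review_backup(baseline, baseline_sha256, candidate):
    """Diff a backup against a trusted baseline before restoring it."""
    # A baseline that no longer matches its recorded digest proves nothing.
    if digest(baseline) != baseline_sha256:
        raise ValueError("baseline does not match its recorded digest")
    added, removed = [], []
    for line in difflib.ndiff(baseline.splitlines(), candidate.splitlines()):
        if line.startswith("+ "):
            added.append(line[2:])      # present only in the backup
        elif line.startswith("- "):
            removed.append(line[2:])    # present only in the baseline
    # Every entry in either list needs a change record explaining it.
    return {"identical": not added and not removed,
            "added": added, "removed": removed}


if __name__ == "__main__":
    report = review_backup(BASELINE, digest(BASELINE), CANDIDATE)
    for entry in report["removed"]:
        print("only in baseline:", entry)
    for entry in report["added"]:
        print("only in backup:  ", entry)
    print("safe to restore without review:", report["identical"])
```

A backup taken while the device was already compromised will still hash consistently with itself, so the comparison only helps when the baseline predates the intrusion.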