Patching, wiping ESG devices not enough to deny threat actor access following compromise, Barracuda says.