CISA Discovers New Submarine Malware in Hacked Barracuda ESG Appliances
July 28, 2023
The Cybersecurity and Infrastructure Security Agency (CISA) has identified a new malware strain, referred to as Submarine, on Barracuda ESG (Email Security Gateway) appliances. The malware was used to create a backdoor after exploitation of a now-fixed zero-day vulnerability, CVE-2023-2868. The suspected threat actors behind the attack, a pro-China hacker group tracked as UNC4841, deployed the backdoor in a series of data-theft attacks that were detected in May but are believed to have been active since at least October 2022.
Barracuda disclosed that the attackers used the CVE-2023-2868 remote command injection zero-day to introduce previously unknown malware named Saltwater and SeaSpy, along with a malicious tool called SeaSide. These were used to establish reverse shells for easy remote access. In response to the attack, Barracuda took an unconventional step last month, offering replacement devices to all impacted customers free of charge. This followed a warning that all compromised ESG appliances required immediate replacement rather than just a firmware update.
Mandiant Incident Response Manager John Palmisano recommended this action out of caution, as the company could not guarantee the complete eradication of the malware. CISA later revealed that another new malware strain, Submarine, was discovered on the compromised appliances. This multi-component backdoor was used for detection evasion, persistence, and data harvesting.
CISA described SUBMARINE as a 'novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.' In addition to the Submarine malware, CISA also obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information.
After the attacks, Barracuda provided guidance to its affected customers, urging them to thoroughly inspect their environments to ensure that no other devices within their networks were compromised. This advice is in line with CISA's recent warning that the malware poses a significant risk of lateral movement within networks. CISA urges anyone who encounters suspicious activity related to the Submarine malware or the Barracuda ESG attacks to contact CISA's 24/7 Operations Center.
Barracuda's services and products are utilized by more than 200,000 organizations globally, including notable ones such as Samsung, Delta Airlines, Kraft Heinz, and Mitsubishi.