CISA Investigates Malware Deployed in Barracuda ESG Attacks

July 31, 2023

The US Cybersecurity and Infrastructure Security Agency (CISA) has published malware analysis reports on three malware families used in attacks exploiting a remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. The vulnerability, tracked as CVE-2023-2868, affects versions 5.1.3.001 through 9.2.0.006 of the appliance and was exploited as a zero-day beginning in October 2022. Barracuda patched the flaw in May 2023 and later advised customers to replace compromised appliances outright rather than rely on the patch.

The attacks have been attributed to UNC4841, a Chinese state-sponsored cyberespionage group. The group exploited the vulnerability to gain a foothold in victim networks, execute a reverse shell, and download custom backdoors for persistence. The malware identified so far includes SeaSpy, SaltWater, SeaSide and SandBar, along with SeaSpray and SkipJack, which are trojanized versions of legitimate Barracuda Lua modules. The attacks hit victims in at least 16 countries, primarily government officials and high-profile academics. More than half of the affected organizations are located in the Americas.

On Friday (July 28), CISA released malware analysis reports covering an exploit payload and its reverse shell backdoor, the SeaSpy backdoor, and Submarine, a persistent backdoor that executes with root privileges. All of these were used in at least one attack that exploited the Barracuda appliance. CISA says it has obtained 14 malware samples representing 'Barracuda exploit payloads and reverse shell backdoors'.

The payload arrives as a malicious attachment to a phishing email (a crafted .tar archive whose member names the appliance passed to a shell without sanitization) and triggers the command injection (CVE-2023-2868) to drop and execute a reverse shell that establishes command-and-control (C&C) communication via OpenSSL and fetches the SeaSpy backdoor. SeaSpy, which masquerades as a legitimate Barracuda service, then passively watches inbound traffic for a specially crafted packet from the C&C server; on receiving it, the backdoor opens a TCP reverse shell that gives the attackers command execution on the appliance.
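As an added example, not code from the page, from CISA or from Barracuda: the check below scans a .tar attachment and flags any member whose name contains shell metacharacters, the class of input that reached the unsanitized shell call behind CVE-2023-2868 (the .tar member-name vector is taken from Barracuda's advisory, not from this page). The archives are constructed inline so the script runs offline; the member names are illustrative, not real indicators of compromise.

```python
import io
import re
import tarfile

# Characters that let an archive member name break out of a shell command
# when the name is interpolated into one. Assumption: this set is a
# reasonable screening list, not the appliance's own validation logic.
SHELL_META = re.compile(r"[`$;|&<>(){}'\"\\\n\r]")


def suspicious_member_names(data: bytes) -> list[str]:
    """Return the member names in a tar archive that contain shell metacharacters."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if SHELL_META.search(member.name):
                flagged.append(member.name)
    return flagged


def build_tar(names: list[str]) -> bytes:
    """Constructed sample: build an in-memory tar archive with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"sample content"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed: a benign attachment and one carrying a backtick-quoted command
# in a member name, the shape of input an injection through this path takes.
BENIGN = build_tar(["invoice.pdf", "report-2023.docx"])
MALICIOUS = build_tar(["invoice.pdf", "notes`whoami`.txt"])

if __name__ == "__main__":
    print(suspicious_member_names(BENIGN))     # []
    print(suspicious_member_names(MALICIOUS))  # ['notes`whoami`.txt']
```

Run it against a quarantined attachment by reading the file bytes into suspicious_member_names; a non-empty result is a reason to pull the message and the appliance logs for review, since a legitimate mailer has no reason to put backticks, `$(`, `;` or newlines into an archive member name.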

Submarine, according to CISA, is a unique persistent backdoor 'that lives in a Structured Query Language (SQL) database on the ESG appliance', providing attackers with lateral movement capabilities. 'Submarine comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command-and-control, and cleanup,' the agency notes.
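Because Submarine's persistence anchor is a SQL trigger, one hunting step a responder can take is to inventory every trigger in the appliance database and diff it against a known-good baseline. The script below is an added example (not CISA's or Barracuda's code) that demonstrates the technique on an in-memory SQLite database; the baseline and the trigger names are constructed for illustration. On a MySQL server the same inventory comes from `SELECT trigger_name, event_object_table, action_statement FROM information_schema.triggers`.

```python
import sqlite3

# Constructed baseline of (trigger name, table) pairs that are expected to
# exist. On a real appliance this would come from a clean image or an
# inventory taken before the exposure window.
BASELINE = {("audit_config_update", "config")}


def list_triggers(conn: sqlite3.Connection) -> dict[tuple[str, str], str]:
    """Map (trigger name, table) to the trigger's CREATE statement."""
    rows = conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    )
    return {(name, table): sql for name, table, sql in rows}


def unexpected_triggers(conn: sqlite3.Connection,
                        baseline: set[tuple[str, str]] = BASELINE
                        ) -> dict[tuple[str, str], str]:
    """Return triggers present in the database but absent from the baseline."""
    return {key: sql for key, sql in list_triggers(conn).items()
            if key not in baseline}


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: one baseline trigger plus one the baseline does not know."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE config(key TEXT, value TEXT);
        CREATE TABLE audit(key TEXT, changed_at TEXT);
        CREATE TABLE scratch(payload TEXT);
        CREATE TRIGGER audit_config_update AFTER UPDATE ON config
        BEGIN INSERT INTO audit VALUES (NEW.key, datetime('now')); END;
        CREATE TRIGGER cfg_sync AFTER UPDATE ON config
        BEGIN INSERT INTO scratch VALUES (NEW.value); END;
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for (name, table), sql in unexpected_triggers(db).items():
        print(f"unexpected trigger {name} on {table}:\n{sql}\n")
```

Any trigger that is not in the baseline deserves a full read of its body and of whatever the body writes to, since a trigger that stages data for a script or daemon to pick up is exactly the multi-artifact pattern CISA describes.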

In addition to technical details on the analyzed samples, CISA's malware analysis reports include indicators of compromise (IoCs) and YARA rules that defenders can use for detection.
