The Cybersecurity and Infrastructure Security Agency (CISA) has identified a new malware strain, referred to as Submarine, in Barracuda ESG (Email Security Gateway) appliances. The malware was deployed as a backdoor after exploitation of a now-fixed zero-day vulnerability, CVE-2023-2868. The suspected threat actors behind the attack, a pro-China hacker group tracked as UNC4841, used the backdoor in a series of data-theft attacks detected in May, but believed to have been active since at least October 2022.
Barracuda disclosed that the attackers exploited the CVE-2023-2868 remote command injection zero-day to drop previously unknown malware named Saltwater and SeaSpy, along with a malicious tool called SeaSide. These were used to establish reverse shells for persistent remote access. In response to the attack, Barracuda took an unconventional step last month, offering replacement devices to all impacted customers free of charge. This followed a warning that all compromised ESG appliances required immediate replacement rather than just a firmware update.
Mandiant Incident Response Manager John Palmisano recommended this action out of caution, because the company could not guarantee complete eradication of the malware from a compromised appliance. CISA later revealed that another new malware strain, Submarine, had been discovered on the compromised appliances. This multi-component backdoor was used for detection evasion, persistence, and data harvesting.
CISA described SUBMARINE as a 'novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.' In addition to the Submarine malware, CISA also obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information.
After the attacks, Barracuda provided guidance to its affected customers, urging them to thoroughly inspect their environments to ensure that no other devices within their networks were compromised. This advice is in line with CISA's recent warning that the malware poses a significant risk for lateral movement within networks. CISA urges anyone who encounters suspicious activities related to the Submarine malware and the Barracuda ESG attacks to contact their 24/7 Operations Center.
Barracuda's services and products are utilized by more than 200,000 organizations globally, including notable ones such as Samsung, Delta Airlines, Kraft Heinz, and Mitsubishi.