The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on a malware variant, tracked as SUBMARINE Backdoor, that was employed in attacks exploiting the flaw CVE-2023-2868 in Barracuda Email Security Gateway (ESG) appliances.
The vulnerability CVE-2023-2868 resides in the module for email attachment screening, threat actors exploited the flaw to obtain unauthorized access to a subset of ESG appliances.
“SUBMARINE is a novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command and control, and cleanup.” reads the alert. “CISA also analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database.”
CISA warns that the backdoor can be used by attackers for lateral movement.
At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.
In Mid-June, Mandiant researchers linked the threat actor UNC4841 behind the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China.
“Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors.” reads the report published by Mandiant. “Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.
As per the vendor’s statement, the flaw has been exploited in real-world scenarios, with incidents dating back to October 2022 at the very least. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances allowing for persistent backdoor access.
The families of malware employed in the attacks are:
SUBMARINE resides in a Structured Query Language (SQL) database on the Barracuda ESG appliance, it is executed with root privileges.
CISA’s Malware Analysis Report (MAR) includes technical details about the backdoor, including Indicators of Compromise (IoCs) and Yara Rule for its detection.
(SecurityAffairs – hacking, Barracuda ESG)