
July 31, 2023

Novel ‘Submarine’ malware discovered in compromised U.S. government Barracuda appliances


The Cybersecurity and Infrastructure Security Agency (CISA) has discovered a new backdoor, dubbed Submarine, while analyzing Barracuda Email Security Gateway (ESG) appliances belonging to federal agencies. The appliances had already been taken offline and replaced after being compromised by UNC4841, believed to be a Chinese state-sponsored threat group, in June 2023.

During the June compromise, UNC4841 exploited CVE-2023-2868 to drop novel malware strains called Saltwater and SeaSpy, in addition to a malicious tool called SeaSide, used to establish reverse shells. Despite Barracuda releasing a patch to address the vulnerability, the company could not be sure that either the patch or re-imaging the appliance would completely eradicate the infection. As a result, Barracuda took the unusual step of offering to provide replacement appliances free of charge.

According to CISA’s analysis of the infected systems, Submarine is a new persistent backdoor in the Structured Query Language (SQL) database on the ESG appliance. It’s capable of executing with root privileges, establishing persistence, conducting command and control functions, and performing cleanup.

Barracuda issued a statement regarding the newly discovered malware, stating that it believed Submarine was deployed on a very limited number of previously compromised ESG appliances to establish persistence that would endure after the patch was installed. The company’s mitigation advice remains the same: affected customers should cease using compromised ESG appliances and contact the company for a free replacement.

Source: Bleeping Computer

Analysis

The quick deployment of novel malware to maintain persistence on a victim’s ESG appliance even after it had been patched indicates that the information obtained from the victim was of high intelligence value and a high priority for the threat actor. Given that Submarine was found on appliances belonging to U.S. federal agencies, UNC4841 was likely able to obtain sensitive, or at least private, conversations and documents found in emails sent and received by employees in the compromised departments.

Barracuda’s unusual step of replacing affected appliances indicates that the company is taking no chances of allowing UNC4841 to maintain access via the previously compromised appliances.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Barracuda ESG. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect recommends that organizations review the advisory issued by Barracuda and follow the mitigation steps included therein.
