The US Cybersecurity and Infrastructure Security Agency (CISA) released technical details and Indicators of Compromise related to three different malware families deployed by hackers on compromised Barracuda Email Security Gateway (ESG) appliances.
First disclosed in May 2023, the attacks exploited a then-zero-day vulnerability (CVE-2023-2868) to install malware on the hacked servers. The flaw is an OS command injection issue that a remote attacker can exploit to execute arbitrary Perl commands on the target system.
The vulnerability was identified on May 19 and a security patch to address the bug was applied to all ESG appliances worldwide on May 20, 2023. An investigation found evidence indicating that CVE-2023-2868 had been exploited since October 2022. An analysis showed that the attack involved three trojanized modules dubbed “Saltwater,” “SeaSpy,” and “Seaside.”
Now, CISA has published details on yet another piece of malware found on hacked devices, which it calls “Submarine.”
CISA describes Submarine as a “novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance.” The malware comprises multiple artifacts - including a SQL trigger, shell scripts, and a loaded library for a Linux daemon - that together enable execution with root privileges, persistence, command and control, and cleanup.
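The defensive point in that description is that a database trigger is an unusual place for persistence, so trigger definitions are worth auditing. The script below is an added illustration of such an audit, not code from CISA's report or from Barracuda: it takes a text export of trigger definitions (assumed here to be in MySQL-style syntax; the article says only that Submarine lives in an SQL database on the appliance) and flags any trigger body that reaches outside the database, for example by referencing a shell interpreter path, writing files, calling an execution UDF, or decoding an embedded payload. The sample dump and the indicator list are constructed for the example and are not Submarine's actual artifacts.

```python
"""Constructed example: audit exported SQL trigger definitions for signs that a
trigger is used to launch shell commands or scripts, the kind of persistence
CISA attributes to Submarine. Not derived from CISA's or Barracuda's code."""
import re

# Constructed sample export: two benign triggers and one that shells out.
# The base64 string decodes to the harmless text "echo hi".
SAMPLE_TRIGGER_DUMP = """\
CREATE TRIGGER audit_insert AFTER INSERT ON users FOR EACH ROW
  INSERT INTO audit_log(user_id, action) VALUES (NEW.id, 'insert');

CREATE TRIGGER update_ts BEFORE UPDATE ON messages FOR EACH ROW
  SET NEW.updated_at = NOW();

CREATE TRIGGER cleanup_hook AFTER INSERT ON sessions FOR EACH ROW
  SET @cmd = CONCAT('/bin/sh -c "', FROM_BASE64('ZWNobyBoaQ=='), '"');
"""

# Indicators (assumed, chosen for this example) that a trigger body reaches
# outside the database: interpreter paths, file writes, execution UDFs,
# encoded payloads and file reads.
SUSPICIOUS_PATTERNS = {
    "shell_path": re.compile(r"/bin/(?:ba)?sh\b|/usr/bin/(?:perl|python)"),
    "file_write": re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
    "udf_exec": re.compile(r"\bsys_(?:exec|eval)\s*\(", re.I),
    "encoded_payload": re.compile(r"\bFROM_BASE64\s*\(|\bUNHEX\s*\(", re.I),
    "load_file": re.compile(r"\bLOAD_FILE\s*\(", re.I),
}

# One CREATE TRIGGER statement runs until the next CREATE TRIGGER or end of dump.
TRIGGER_RE = re.compile(
    r"CREATE\s+TRIGGER\s+`?(\w+)`?(.*?)(?=CREATE\s+TRIGGER|\Z)", re.S | re.I
)


def split_triggers(dump):
    """Return (trigger_name, trigger_body) pairs from a text export."""
    return [(m.group(1), m.group(2)) for m in TRIGGER_RE.finditer(dump)]


def scan_triggers(dump):
    """Return a list of {'trigger': name, 'indicators': [...]} for every
    trigger whose body matches at least one suspicious pattern."""
    findings = []
    for name, body in split_triggers(dump):
        hits = sorted(k for k, pat in SUSPICIOUS_PATTERNS.items() if pat.search(body))
        if hits:
            findings.append({"trigger": name, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_triggers(SAMPLE_TRIGGER_DUMP):
        print(f"[!] trigger {finding['trigger']}: {', '.join(finding['indicators'])}")
```

Run against a real export (for example the output of `SHOW CREATE TRIGGER` or a schema-only dump) the script only narrows the review to triggers that deserve a closer look; a trigger that merely calls a stored procedure will not be flagged, so the procedures themselves should be checked the same way.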
Google-owned threat intel firm Mandiant linked the Barracuda attacks to a suspected Chinese cyber-espionage group it tracks as UNC4841. The company said the campaign had impacted organizations across the public and private sectors worldwide, with almost a third being government agencies.