IT security teams may soon find themselves underwater, so to speak, thanks to dangerous new malware dubbed "Submarine" that is zeroing in on a zero-day vulnerability in Barracuda's Email Security Gateway (ESG) appliances.
A China-nexus threat actor tracked as UNC4841 has been dropping multiple payloads on vulnerable Barracuda appliances over the past several months in an attempt to get around email security at targeted organizations -- part of a seemingly unflagging cyber espionage campaign that likely stretches back to October. Submarine is one of four backdoors that researchers have observed being used in the cyberattacks so far.
Austin Larsen, senior incident response consultant with Mandiant, says Submarine (aka Depthcharge) is distinct from the other three backdoors in two ways: it executes with root privileges via a trigger planted in an SQL database on the Barracuda ESG appliance, and it is deployed only against "priority" victims.
"Mandiant has identified Submarine on a subset of victims where Mandiant is engaged in incident response," he says. "UNC4841 has shown a special interest in a subset of priority victims. It is at these victims that additional malware such as [Submarine] is deployed to maintain persistence in response to remediation efforts."
CISA's Analysis of Submarine Malware
The US Cybersecurity and Infrastructure Security Agency (CISA) first flagged the surfacing of Submarine, describing the malware as novel and persistent.
"Submarine comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup," CISA said in its advisory.
CISA analyzed a total of seven Submarine samples from a single victim organization, along with related artifacts that showed the malware had obtained sensitive information from the compromised SQL database.
"This malware poses a severe threat for lateral movement," CISA warned. The agency urged organizations with affected devices to implement its list of recommended actions for mitigating the threat, available in the advisory.
Barracuda Appliance Remediation Not in the Cards
In May, Barracuda disclosed and quickly patched CVE-2023-2868, a remote command-injection vulnerability affecting Barracuda ESG versions 5.1.3.011 through 9.2.0.006. The flaw sits in a module that, ironically enough, screens email attachments for malware and other potentially unwanted software.
However, it has since become apparent that the threat actor has been able to maintain persistence on compromised Barracuda ESG systems even after the company released patches and containment measures, thanks to the attackers' ability to quickly tweak their malware in response to Barracuda's mitigation efforts.
The attacks have been so persistent that on June 8 Barracuda took the highly unusual step of telling customers to rip and replace compromised appliances rather than attempting to patch them further.
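A practitioner's first question is which appliances in the fleet fall inside the affected range above. The check below is an added illustration written for this article, not Barracuda's or Mandiant's code; the only facts it takes from the page are the CVE-2023-2868 bounds 5.1.3.011 and 9.2.0.006. Hostnames and version strings in the inventory are constructed, and 9.10.0.001 is a hypothetical version included only to show why a plain string comparison gets the range wrong (lexicographically "9.10" sorts below "9.2"). Being outside the range does not mean an appliance is clean: as the section notes, UNC4841 kept persistence through patching, and Barracuda's guidance for any compromised appliance is replacement, not version bookkeeping.

```python
import re
from typing import List, Tuple

# Affected range from Barracuda's CVE-2023-2868 disclosure, inclusive on both ends.
AFFECTED_MIN = "5.1.3.011"
AFFECTED_MAX = "9.2.0.006"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted ESG version into a tuple of ints so each component is
    compared numerically (9 < 10), not as text ("9" > "10")."""
    parts = v.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if version lies within the CVE-2023-2868 range, compared numerically."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def naive_is_affected(version: str) -> bool:
    """The tempting but wrong string comparison, kept here to show the pitfall."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (hostname, version) pair; never silently skip a host whose
    version cannot be parsed, since an unknown version still needs a human look."""
    results = []
    for host, version in inventory:
        try:
            verdict = "affected-version" if is_affected(version) else "outside-range"
        except ValueError:
            verdict = "unparseable"
        results.append((host, version, verdict))
    return results


# Constructed inventory for illustration; these are not real hosts or reported versions.
SAMPLE_INVENTORY = [
    ("esg-01", "9.2.0.006"),   # upper bound, inclusive
    ("esg-02", "9.2.0.007"),   # first version past the range
    ("esg-03", "5.1.3.010"),   # just below the lower bound
    ("esg-04", "9.10.0.001"),  # hypothetical: string compare wrongly flags this
    ("esg-05", "unknown"),     # inventory gap, must be surfaced not dropped
]


if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {version:12} {verdict}")
```

Run the script and compare `is_affected("9.10.0.001")` with `naive_is_affected("9.10.0.001")`: the numeric check correctly reports the hypothetical 9.10 build as outside the range, while the string check reports it as affected. Treat the "affected-version" and "unparseable" rows as the starting list for the CISA and Barracuda remediation steps referenced elsewhere in this article.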
An Aggressive Chinese Cyber Espionage Campaign
Barracuda hired Google's Mandiant group to investigate the attacks. Mandiant in June said it had identified UNC4841, a likely China-based advanced persistent threat (APT) actor, as the culprit behind an aggressive cyber espionage campaign targeting organizations in multiple sectors across 16 countries.
Mandiant said it had observed the threat actor deploy a trio of backdoors, "Saltwater," "Seaspy," and "Seaside," after exploiting CVE-2023-2868. The three backdoors packed a variety of functions for stealing data, monitoring affected systems, and receiving and executing a range of malicious remote commands.
According to Mandiant's Larsen, Saltwater is a module for Barracuda's SMTP daemon that contains backdoor functionality; Seaspy is the primary passive backdoor that UNC4841 has used throughout the campaign; and Seaside is a Lua-based module for the Barracuda SMTP daemon.
Barracuda on Friday updated its advisory on UNC4841 following CISA's analysis of the fourth backdoor. The company said it had examined Submarine in collaboration with Mandiant and found the malware appeared only on a "very small subset of already compromised ESG devices."
"This additional malware was utilized by the threat actor in response to Barracuda's remediation actions in an attempt to create persistent access on customer ESG appliances," Barracuda said. "Barracuda's recommendation is unchanged. Customers should discontinue use of the compromised ESG appliance and contact Barracuda support to obtain a new ESG virtual or hardware appliance."