CISA: 'Submarine' Backdoor Torpedoes Barracuda Email Security

A China-nexus cyber-espionage campaign rages on with the fourth backdoor to surface in the wild that takes advantage of the CVE-2023-2868 zero-day security bug — with severe threat of lateral movement, CISA warns.

3 Min Read
The entrance sign at Barracuda Networks Headquarters
Source: Tada Images via Shutterstock

IT security teams may find themselves soon underwater, so to speak, thanks to dangerous new malware dubbed "Submarine" that is zeroing in a zero-day vulnerability in Barracuda's Email Security Gateway (ESG) appliances.

A China-nexus threat actor tracked as UNC4841 has been dropping multiple payloads on vulnerable Barracuda appliances over the past several months in an attempt to get around email security at targeted organizations -- part of a seemingly unflagging cyber espionage campaign that likely stretches back to October. Submarine is one of four backdoors that researchers have observed being used in the cyberattacks so far.

Austin Larsen, senior incident response consultant with Mandiant, says Submarine (aka Depthcharge) is different and distinct from the other three backdoors in that it specifically obtains root privileges on an SQL database on Barracuda ESG appliances, and only on "priority" victims.

"Mandiant has identified Submarine on a subset of victims where Mandiant is engaged in incident response," he says. "UNC4841 has shown a special interest in a subset of priority victims. It is at these victims that additional malware such as [Submarine] is deployed to maintain persistence in response to remediation efforts."

CISA's Analysis of Submarine Malware

The US Cybersecurity and Infrastructure Security Agency (CISA) first flagged the surfacing of Submarine, describing the malware as novel and persistent.

"Submarine comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup," they said in an advisory.

CISA analyzed a total of seven Submarine samples from one particular victim organization, along with related artifacts that showed the malware had obtained sensitive information from the compromised SQL database.

"This malware poses a severe threat for lateral movement," CISA warned. The agency urged organizations with affected devices to implement its list of recommended actions for mitigating the threat, available in the advisory.

Barracuda Appliance Remediation Not in the Cards

In May, Barracuda first disclosed — and quickly patched — a remote command-injection vulnerability, which exists in versions to of Barracuda ESG (CVE-2023-2868), in a module that, ironically enough, screens email attachments for malware and other potentially unwanted software.

However, it has become apparent since then that the threat actor has been able to maintain persistence on compromised Barracuda ESG systems even after the company released patches and containment measures —thanks to the attackers' ability to quickly tweak their malware in response to Barracuda's efforts to mitigate the threat. 

The attacks have been so virulent that Barracuda on June 8 took the highly unusual step of telling customers to rip and replace their appliances rather than attempting to further patch them.

An Aggressive Chinese Cyber Espionage Campaign

Barracuda hired Google's Mandiant group to investigate the attacks. Mandiant in June said it had identified UNC4841, a likely China-based advanced persistent threat (APT) actor, as the culprit behind an aggressive cyber espionage campaign targeting organizations in multiple sectors across 16 countries. 

Mandiant said it had observed the threat actor deploy a trio of backdoors — "Saltwater", "Seaspy," and "Seaside" — after exploiting CVE-2023-2868. The three backdoors packed a variety of functions for stealing data, monitoring affected systems, and receiving and executing a range of malicious remote commands.  

According to Mandiant's Larsen, Saltwater is a module for Barracuda's SMTP daemon that contains backdoor functionality; Seaspy is the primary passive backdoor that UNC4841 has used throughout the campaign; and Seaside is a Lua-based module for the Barracuda SMTP daemon.

Barracuda on Friday updated its advisory on UNC 4841 following CISA's discovery of the fourth backdoor. The company said it had analyzed Submarine in collaboration with Mandiant and found the malware appeared only on a "very small subset of already compromised ESG devices." 

"This additional malware was utilized by the threat actor in response to Barracuda's remediation actions in an attempt to create persistent access on customer ESG appliances," Barracuda said. "Barracuda's recommendation is unchanged. Customers should discontinue use of the compromised ESG appliance and contact Barracuda support to obtain a new ESG virtual or hardware appliance."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights