CISA: 'Whirlpool' Backdoor Sends Barracuda ESG Security Down the Drain

The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued yet another alert related to the recent advanced persistent threat (APT) attacks targeting a command-injection vulnerability in Barracuda's Email Security Gateway (ESG) appliances.

The alert pertains to a backdoor dubbed "Whirlpool" that the group behind the attacks — China-based UNC4841 — has been deploying in an aggressive cyber espionage campaign that stretches back to at least last October. So far, the campaign has affected private and public sector organizations across multiple industries in as many as 16 countries.

Barracuda first reported on the attacks in May after receiving reports of unusual activity related to its ESG appliances. The company's investigation showed UNC4841 targeting a then zero-day vulnerability in versions 5.1.3.011 to 9.2.0.006 of Barracuda ESG appliances. The threat actor was essentially using the vulnerability — tracked as CVE-2023-2868 — to gain initial access on systems belonging to a small number of targeted Barracuda customers.

Barracuda quickly issued a patch for the vulnerability. But by early June the company began urging affected customers to urgently replace infected systems rather than patch them, after observing UNC4841 actors take several measures to maintain a long-term presence on compromised systems.

Meanwhile, the attacks rage on.

The Whirlpool Backdoor

CISA identified Whirlpool as a backdoor that establishes a Transport Layer Security (TLS) reverse shell to the attacker's command-and-control (C2) server. Malicious traffic in these reverse shells can be hard to detect because the traffic is encrypted, and often blends in with normal HTTPS traffic.

Google's Mandiant security group first reported on Whirlpool in a June blog post, after Barracuda asked the company to investigate the ongoing ESG attacks.

The backdoor is one of several that UNC4841 has been using in its campaign. Mandiant's initial report listed three that the company discovered when investigating the Barracuda attacks: "Seaspray," "Seaside," and "Saltwater." Seaspray is the threat group's primary backdoor for the campaign, Saltwater is a module for Barracuda's SMTP daemon that contains backdoor functionality, and Seaside is a Lua-based module for the Barracuda SMTP daemon.

Austin Larsen, senior incident response consultant with Mandiant, says his company's analysis of the attacks showed UNC4841 actors are using Whirlpool alongside Seaspray and Seaside. "Whirlpool is a C-based utility," Larsen says. "[It] uses either a single CLI argument that is a given file path, or two arguments that are a given IP and port."

Unlike the other backdoors that UNC4841 has used so far in its campaign, Whirlpool is not a passive backdoor, Larsen says. The threat actor is using it instead to provide reverse shell capabilities for other malware families in its arsenal, such as Seaspray, he notes.

CISA also earlier in August flagged the use of the "Submarine" backdoor, which specifically obtains root privileges on an SQL database on Barracuda ESG appliances for a targeted subset of victims. The malware enables persistence, command-and-control, cleanup, and lateral movement on compromised networks, CISA warned. Mandiant, which helped CISA analyze the backdoor, described it as a manifestation of UNC4841's attempts to maintain persistent access on compromised systems after Barracuda issued a patch for CVE-2023-2868.