CISA says new malware generally known as Submarine was used to backdoor Barracuda ESG (Electronic mail Safety Gateway) home equipment on federal businesses’ networks by exploiting a now-patched zero-day bug.
A suspected pro-China hacker group (UNC4841) deployed the backdoor in a collection of data-theft assaults detected in Could however energetic since at the very least October 2022.
Barracuda revealed that the attackers exploited the CVE-2023-2868 distant command injection zero-day to drop beforehand unknown malware dubbed Saltwater and SeaSpy and a malicious device referred to as SeaSide to determine reverse shells for simple distant entry.
Final month, Barracuda took an unconventional method and supplied alternative units to all affected clients at no cost.
This resolution got here after issuing a warning that every one compromised ESG (Electronic mail Safety Gateway) home equipment wanted rapid alternative as a substitute of merely re-imaging them with new firmware.
Mandiant Incident Response Supervisor John Palmisano informed BleepingComputer on the time that this was advisable out of warning, as the corporate couldn’t guarantee the entire removing of malware.
Unknown backdoor discovered on hacked ESG home equipment
On Friday, CISA revealed that one other new malware pressure generally known as Submarine—and likewise tracked by Mandiant as DepthCharge—was discovered on the compromised home equipment, a multi-component backdoor used for detection evasion, persistence, and knowledge harvesting.
“SUBMARINE is a novel persistent backdoor that lives in a Structured Question Language (SQL) database on the ESG equipment. SUBMARINE contains a number of artifacts that, in a multi-step course of, allow execution with root privileges, persistence, command and management, and cleanup,” CISA mentioned in a malware evaluation report revealed on Friday.
“Along with SUBMARINE, CISA obtained related Multipurpose Web Mail Extensions (MIME) attachment information from the sufferer. These information contained the contents of the compromised SQL database, which included delicate data.”
Within the wake of the assaults, Barracuda offered steerage to affected clients, advising them to completely evaluate their environments to confirm that the attackers had not compromised different units inside their networks.
This recommendation aligns with right now’s warning from CISA, which says that the “malware poses a extreme risk for lateral motion.”
Those that encounter suspicious actions linked to the Submarine malware and the Barracuda ESG assaults are urged to contact CISA’s 24/7 Operations Middle at Report@cisa.gov.
Barracuda says its providers and merchandise are utilized by over 200,000 organizations worldwide, together with high-profile ones equivalent to Samsung, Delta Airways, Kraft Heinz, and Mitsubishi.
