New persistent backdoor used in attacks on Barracuda ESG appliances
The Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report on the backdoors dropped by attackers exploiting CVE-2023-2868, a remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances.
Barracuda ESG zero-day exploit and backdoors
In late May, Barracuda warned that attackers had been exploiting the (then zero-day) vulnerability in Barracuda Networks’ ESG physical appliances.
As Mandiant previously detailed, the threat actors then set up a reverse shell backdoor on the appliances, which they used to download the SEASPY backdoor along with additional malicious payloads (SALTWATER, SEASIDE).
“SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service. SEASPY monitors traffic from the actor’s C2 server,” noted the CISA advisory alert.
“When the right packet sequence is captured, it establishes a Transmission Control Protocol (TCP) reverse shell to the C2 server. The shell allows the threat actors to execute arbitrary commands on the ESG appliance.”
After initially trying to address the vulnerability with a patch and by urging customers to apply mitigations, Barracuda ultimately issued an urgent action notice advising them to replace their ESG appliances as soon as possible.
A new malware variant
CISA has identified a new malware type on the compromised ESG appliances, which has been dubbed SUBMARINE.
“SUBMARINE is a novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance,” the Agency noted.
“SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command and control, and cleanup.”
The Agency says that this malware poses “a severe threat for lateral movement” and has provided indicators of compromise and YARA rules defenders can use to detect it, the other backdoors, and the exploit payload in their environments.
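As an added, illustrative check that is not part of CISA's report or of any Barracuda tooling: a small Python heuristic that scans a dump of SQL triggers for ones that write files, call command-execution UDFs, load native libraries or reference shell scripts, the kind of behaviour the quoted description attributes to SUBMARINE. The sample dump, trigger names and paths are constructed, and MySQL-style trigger syntax is an assumption.

```python
import re

# Constructed sample dump (invented for this example, not from a real appliance):
# one benign audit trigger and one that writes a script to disk and executes it.
SAMPLE_TRIGGER_DUMP = """
CREATE TRIGGER audit_mail AFTER INSERT ON mail_log
FOR EACH ROW INSERT INTO audit(msg) VALUES (NEW.subject);
CREATE TRIGGER sync_cfg BEFORE UPDATE ON config
FOR EACH ROW BEGIN
  SELECT NEW.value INTO OUTFILE '/tmp/.cfg.sh';
  SET @r = sys_exec('sh /tmp/.cfg.sh');
END;
"""

# Heuristics: a trigger's job is to touch rows, never the filesystem or a shell.
SUSPICIOUS_PATTERNS = {
    "writes a file from SQL": r"INTO\s+(?:OUTFILE|DUMPFILE)\b",
    "invokes a command-execution UDF": r"\bsys_(?:exec|eval)\s*\(",
    "loads a native library": r"\bSONAME\b|\bLOAD_FILE\s*\(",
    "references a shell script or interpreter": r"\.sh\b|/bin/(?:ba)?sh\b",
}


def split_triggers(dump):
    """Split mysqldump / SHOW CREATE TRIGGER style text into (name, text) pairs."""
    chunks = re.split(r"(?=CREATE\s+TRIGGER\b)", dump, flags=re.IGNORECASE)
    triggers = []
    for chunk in chunks:
        m = re.match(r"CREATE\s+TRIGGER\s+`?(\w+)`?", chunk, re.IGNORECASE)
        if m:
            triggers.append((m.group(1), chunk))
    return triggers


def find_suspicious_triggers(dump):
    """Return [(trigger_name, [reasons])] for every trigger matching a heuristic."""
    findings = []
    for name, text in split_triggers(dump):
        reasons = [why for why, pat in SUSPICIOUS_PATTERNS.items()
                   if re.search(pat, text, re.IGNORECASE)]
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_triggers(SAMPLE_TRIGGER_DUMP):
        print(f"{name}: {'; '.join(reasons)}")
```

Feed it the output of a trigger dump from the database in question; any hit is a starting point for manual review, not proof of compromise.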