Wednesday, August 2, 2023

New Submarine malware discovered on hacked Barracuda ESG home equipment


CISA says new malware known as Submarine was used to backdoor Barracuda ESG (Email Security Gateway) appliances on federal agencies' networks by exploiting a now-patched zero-day bug.

A suspected pro-China hacker group (UNC4841) deployed the backdoor in a series of data-theft attacks detected in May but active since at least October 2022.

Barracuda revealed that the attackers exploited the CVE-2023-2868 remote command injection zero-day to drop previously unknown malware dubbed Saltwater and SeaSpy, and a malicious tool known as SeaSide, to establish reverse shells for easy remote access.

Last month, Barracuda took an unconventional approach and offered replacement devices to all affected customers at no cost.

This decision came after issuing a warning that all compromised ESG (Email Security Gateway) appliances needed immediate replacement instead of merely re-imaging them with new firmware.

Mandiant Incident Response Manager John Palmisano told BleepingComputer at the time that this was recommended out of caution, as the company couldn't ensure the complete removal of the malware.


Unknown backdoor found on hacked ESG appliances

On Friday, CISA revealed that another new malware strain known as Submarine, also tracked by Mandiant as DepthCharge, was found on the compromised appliances: a multi-component backdoor used for detection evasion, persistence, and data harvesting.

“SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup,” CISA said in a malware analysis report published on Friday.

“In addition to SUBMARINE, CISA obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information.”

In the wake of the attacks, Barracuda provided guidance to affected customers, advising them to thoroughly review their environments to verify that the attackers had not compromised other devices within their networks.

This advice aligns with today's warning from CISA, which says that the “malware poses a severe threat for lateral movement.”

Those who encounter suspicious activity linked to the Submarine malware and the Barracuda ESG attacks are urged to contact CISA's 24/7 Operations Center at Report@cisa.gov.

Barracuda says its services and products are used by over 200,000 organizations worldwide, including high-profile ones such as Samsung, Delta Airlines, Kraft Heinz, and Mitsubishi.
