CISA says new malware known as Submarine was used to backdoor Barracuda ESG (Email Security Gateway) appliances by exploiting a now-patched zero-day bug.
A suspected pro-China hacker group (UNC4841) deployed the backdoor in a series of data-theft attacks detected in May but active since at least October 2022.
Barracuda revealed that the attackers exploited the CVE-2023-2868 remote command injection zero-day to drop previously unknown malware dubbed Saltwater and SeaSpy, along with a malicious tool called SeaSide that was used to establish reverse shells for easy remote access.
Last month, Barracuda took an unconventional approach and offered replacement devices to all affected customers at no charge.
This decision came after the company warned that all compromised ESG appliances needed immediate replacement rather than merely being re-imaged with new firmware.
Mandiant Incident Response Manager John Palmisano told BleepingComputer at the time that this was recommended out of caution, as the company could not ensure the complete removal of malware.
Unknown backdoor found on hacked ESG appliances
On Friday, CISA revealed that another new malware strain, known as Submarine, was found on the compromised appliances: a multi-component backdoor used for detection evasion, persistence, and data harvesting.
“SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup,” CISA said in a malware analysis report published on Friday.
“In addition to SUBMARINE, CISA obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information.”
In the wake of the attacks, Barracuda provided guidance to affected customers, advising them to thoroughly review their environments to verify that the attackers had not compromised other devices within their networks.
This advice aligns with today’s warning from CISA, which says that the “malware poses a severe threat for lateral movement.”
Those who encounter suspicious activities linked to the Submarine malware and the Barracuda ESG attacks are urged to contact CISA’s 24/7 Operations Center at [email protected].
Barracuda says its services and products are used by over 200,000 organizations worldwide, including high-profile ones such as Samsung, Delta Airlines, Kraft Heinz, and Mitsubishi.