October 3, 2023

The U.S. CISA has alerted on a malware variant, tracked as SUBMARINE Backdoor, that was employed in attacks exploiting the flaw CVE-2023-2868 in Barracuda Email Security Gateway appliances.

The vulnerability CVE-2023-2868 resides in the module for email attachment screening. Threat actors exploited the flaw to obtain unauthorized access to a subset of ESG appliances and also used for lateral movement.

As a novel persistent backdoor, it has been executed with root privileges that live in a SQL database on the ESG appliance. SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon that together to enable execution with root privileges, persistence, command and control, and cleanup.

Advertisements

Ealier in May 2023, Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.

In mid-June, Mandiant researchers linked the threat actor UNC4841 behind the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China.

The flaw has been exploited with incidents dating back to October 2022, at the very least. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances, allowing for persistent backdoor access.

 The set of families of malware employed in the attacks are:

  • SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary.
  • SEASPY – An x64 ELF persistent backdoor masquerades as a legitimate Barracuda Networks service and posing itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”.
  • SEASIDE is a module written in Lua for bsmtpd, it establishes a reverse shell via SMTP HELO/EHLO commands sent via the malware’s C2 server.

Indicators of Compromise

  • 6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0
  • 81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab
  • 8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239
  • b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43
  • cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a
  • 2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5
  • bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a
Tags:

Leave a Reply

You may have missed

Industrial Control Systems and Vulnerability Management Process

October 2, 2023

McLaren Healthcare suffers a Ransomware Incident

October 2, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – September, 2023

October 2, 2023

TheCyberThrone Security Week In Review – September 30, 2023

October 1, 2023

Mozilla fixes CVE-2023-5217 Vulnerability in its Products

September 30, 2023

CISA KEV Update Part III – September 2023

September 30, 2023
%d bloggers like this: