Summary:
Researchers have recently been made aware of a significant cybersecurity threat that poses a severe risk to organizations using Barracuda Email Security Gateway (ESG) appliances. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a new strain of malware, named Submarine, which has been found on compromised ESG appliances. This malware was deployed by a suspected pro-China hacker group, UNC4841, in a series of data-theft attacks that have been active since at least October 2022.
The attackers exploited a now-patched zero-day vulnerability, CVE-2023-2868, to gain unauthorized access to Barracuda ESG appliances. Once inside, they dropped multiple malware components, including Saltwater, SeaSpy, and a malicious tool called SeaSide, which created reverse shells for easy remote access. The situation took a more alarming turn when researchers discovered the Submarine backdoor. This novel backdoor is designed to evade detection, establish persistence, and harvest data from the compromised ESG appliances. It resides in a Structured Query Language (SQL) database on the appliance and uses a multi-step process to execute commands with root privileges, maintain persistence, and establish command and control. The severity of the threat prompted Barracuda to take swift action: last month, the company adopted the unconventional approach of offering replacement devices at no charge to all affected customers. This decision followed Barracuda's warning that merely re-imaging a compromised ESG appliance with new firmware might not guarantee complete removal of the malware.
In the wake of these attacks, customers are strongly advised to review their environments thoroughly and verify that the attackers have not compromised other devices within their networks. The attackers responded to Barracuda's remediation actions by deploying the Submarine malware to maintain persistent access on customer ESG appliances. It is crucial for organizations to act swiftly and discontinue use of any compromised ESG appliance.
Threat Profile:

References:
The following reports contain further technical details: