CISA details backdoor malware used in Barracuda ESG attacks

CISA on Friday detailed three types of malware the agency tracked in attacks against Barracuda Email Security Gateway customers vulnerable to zero-day flaw CVE-2023-2868.

CVE-2023-2868 is a critical remote command injection vulnerability Barracuda first discovered in its Email Security Gateway (ESG) product on May 19 before releasing initial patches on May 20 and 21. At the time, the flaw was known to be under attack, but Barracuda said only said a "small subset" of devices were affected. New details emerged over the following weeks -- particularly in a mid-June blog post from Google Cloud's Mandiant -- that dramatically expanded the scope of the attack.

Mandiant said attacks on ESG devices were part of a "wide-ranging campaign in support of the People's Republic of China," and the incident response firm (which Barracuda hired to investigate) attributed the attacks to a Chinese nation-state actor it dubbed "UNC4841." Other details that emerged during the initial weeks include the revelation that exploitation had been ongoing since at least October 2022 as well as Barracuda advising customers to replace their appliances immediately because initial patches were insufficient.

CISA published an alert Friday containing technical analyses of three malware variants associated with exploitation of CVE-2023-2868.

The cyber agency described the initial payload as malware that exploits CVE-2023-2868 and executes a reverse shell backdoor on a vulnerable ESG appliance. The payload is delivered via a phishing email with a malicious attachment. The shell communicates with the threat actors command and control (C2) server, where it downloads the second malware, the "Seaspy" backdoor.

Seaspy is a "persistent and passive backdoor that masquerades as a legitimate Barracuda service."

"SEASPY monitors traffic from the actor's C2 server," the CISA alert read. "When the right packet sequence is captured, it establishes a Transmission Control Protocol (TCP) reverse shell to the C2 server. The shell allows the threat actors to execute arbitrary commands on the ESG appliance." Seaspy had previously been disclosed as part of Mandiant's June blog.

The third, "Submarine," was disclosed for the first time as part of CISA's advisory. It is a "novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance."

"SUBMARINE comprises multiple artifacts -- including a SQL trigger, shell scripts, and a loaded library for a Linux daemon -- that together enable execution with root privileges, persistence, command and control, and cleanup," CISA said. "CISA also analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database. This malware poses a severe threat for lateral movement."

All three analyses include YARA rules and indicators of compromise.

Barracuda published an update to its dedicated CVE-2023-2868 page stating Submarine had appeared "on a very small number of already compromised ESG appliances" and that Barracuda's recommendation to replace compromised ESG appliances remains unchanged.

A Barracuda spokesperson shared the following statement with TechTarget Editorial.

Barracuda, in conjunction with Mandiant and our government partners, [has] continued to investigate the ESG incident and associated malware. In our further investigation, we have identified an additional malware which was installed on a very small number of appliances and which compromised the configuration file. We are working directly with our customers to ensure that they are aware and, in the small number of cases where this is required, rebuild their configuration file to remediate their ESG.

Alexander Culafi is a writer, journalist and podcaster based in Boston.