Rewterz Threat Alert – Threat Actors Using SUBMARINE Backdoor In Attacks On Barracuda ESG Appliances – Active IOCs

Severity

High

Analysis Summary

The attacks involving the SUBMARINE Backdoor on Barracuda ESG appliances have raised significant concerns in the cybersecurity community. Exploiting the vulnerability (CVE-2023-2868) in the ESG module responsible for email attachment screening, threat actors gained unauthorized access to a subset of Barracuda ESG devices (affecting products Barracuda Email Security Gateway 5.1.3.001 and 9.2.0.006). The SUBMARINE Backdoor, a novel and persistent threat executed with root privileges, resides in an SQL database on the targeted ESG appliance. Comprising multiple artifacts, including a SQL trigger, shell scripts, and a Linux daemon library, the backdoor provides capabilities such as execution with root privileges, persistence, command and control (C2) communication, and cleanup functionalities.

Of particular concern is the potential for lateral movement within the network. Once deployed on a compromised ESG appliance, the SUBMARINE Backdoor enables unauthorized access to other systems, facilitating the attackers in their pursuit of additional targets and sensitive data.

The vulnerability used in these attacks initially started as a zero-day flaw, with Barracuda issuing a patch after discovering the breached ESG appliances. However, the attacks were already in progress, suggesting that the threat actors had been exploiting the vulnerability for several months before the patch was available.

Researchers conducted a thorough investigation, linking the attacks to UNC4841, a suspected threat actor with alleged ties to China. The campaign had a wide-ranging impact, spanning various regions and sectors, indicating its focus on espionage activities in support of the People’s Republic of China.

The attacks employed multiple malware families, including SALTWATER, a malware-laced module for the Barracuda SMTP daemon (bsmtpd), providing various capabilities such as uploading/downloading files, executing commands, and proxying malicious traffic. SEASPY, an x64 ELF persistent backdoor masquerading as a legitimate Barracuda Networks service, supported backdoor functionality activated by a “magic packet.” SEASIDE, a Lua module for bsmtpd, established a reverse shell through SMTP commands sent via the malware’s C2 server. Finally, SUBMARINE, residing in the SQL database of the compromised Barracuda ESG appliance, executed with root privileges.

As a precautionary measure, organizations using Barracuda ESG appliances should apply the necessary patches and implement robust security measures to safeguard against such attacks.

Impact

• Unauthorized Access
• Espionage and Data Theft

Indicators of Compromise

CVE

CVE-2023-2868

Domain Name

• goldenunder.com

IP

• 101.229.146.218
• 103.146.179.101
• 103.27.108.62
• 103.77.192.13
• 103.77.192.88
• 103.93.78.142
• 104.156.229.226
• 104.223.20.222
• 107.148.149.156
• 107.148.219.227
• 107.148.219.53

MD5

• 4ec4ceda84c580054f191caa09916c68
• 45b79949276c9cb9cf5dc72597dc1006
• 177add288b289d43236d2dba33e65956
• 35cf6faf442d325961935f660e2ab5a0
• 436587bad5e061a7e594f9971d89c468
• 85c5b6c408e4bdb87da6764a75008adf
• 19e373b13297de1783cecf856dc48eb0

SHA-256

• caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc
• 9bb7addd96f99a29658aca9800b66046823c5ef0755e29012983db6f06a999cf
• 8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347
• 56e8066bf83ff6fe0cec92aede90f6722260e0a3f169fc163ed88589bffd7451
• 9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf
• 83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c
• ca72fa64ed0a9c22d341a557c6e7c1b6a7264b0c4de0b6f717dd44bddf550bca

SHA-1

• 6505513ca06db10b17f6d4792c30a53733309231
• 191e16b564c66b3db67f837e1dc5eac98ff9b9ef
• c637a9ce65083b21c834e7a68bd1bc51b412fa11
• 254b6bcbc5f60e30c596c263b8a4f393badbf1aa
• cf22082532d4d6387ea1c9bc4dc5b255aa7a0290
• 5ce46efc6b28bd94955138833dc97916957dbde1
• fda9dfa7b41a05c6ae32f71f2b31a5d56d7eca9b

Remediation

• Refer to Barracuda Web site for patch, upgrade or suggested workaround information.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Block all threat indicators at your respective controls.
• Implement robust monitoring to detect anomalies and potential threats.
• Educate employees to recognize and prevent common attack vectors.
• Limit user privileges and access to minimize risks.
• Isolate critical systems and data to contain breaches.
• Maintain secure backups to enable data restoration without ransom payment.
• Have a comprehensive plan in place to respond to security breaches.
• Engage in sharing threat information with trusted partners.
• Conduct regular assessments to identify and fix vulnerabilities.
• Enforce MFA for privileged accounts and critical systems.
• Deploy advanced endpoint security solutions to detect and block threats.