The attacks involving the SUBMARINE Backdoor on Barracuda ESG appliances have raised significant concerns in the cybersecurity community. By exploiting the vulnerability (CVE-2023-2868) in the ESG module responsible for email attachment screening, threat actors gained unauthorized access to a subset of Barracuda ESG devices (affecting Barracuda Email Security Gateway versions 5.1.3.001 and 9.2.0.006). The SUBMARINE Backdoor, a novel and persistent threat executed with root privileges, resides in an SQL database on the targeted ESG appliance. Comprising multiple artifacts, including a SQL trigger, shell scripts, and a Linux daemon library, the backdoor provides capabilities such as execution with root privileges, persistence, command and control (C2) communication, and cleanup.
Of particular concern is the potential for lateral movement within the network. Once deployed on a compromised ESG appliance, the SUBMARINE Backdoor enables unauthorized access to other systems, helping the attackers reach additional targets and sensitive data.
The vulnerability used in these attacks was initially a zero-day flaw, with Barracuda issuing a patch after discovering the breached ESG appliances. However, the attacks were already in progress, suggesting that the threat actors had been exploiting the vulnerability for several months before the patch was available.
Researchers conducted a thorough investigation, linking the attacks to UNC4841, a suspected threat actor with alleged ties to China. The campaign had a wide-ranging impact, spanning various regions and sectors, indicating its focus on espionage activities in support of the People’s Republic of China.
The attacks employed multiple malware families. SALTWATER is a malware-laced module for the Barracuda SMTP daemon (bsmtpd) that provides capabilities such as uploading and downloading files, executing commands, and proxying malicious traffic. SEASPY is an x64 ELF persistent backdoor masquerading as a legitimate Barracuda Networks service, with backdoor functionality activated by a “magic packet.” SEASIDE is a Lua module for bsmtpd that establishes a reverse shell through SMTP commands sent from the malware’s C2 server. Finally, SUBMARINE resides in the SQL database of the compromised Barracuda ESG appliance and executes with root privileges.
As a precautionary measure, organizations using Barracuda ESG appliances should apply the necessary patches and implement robust security measures to safeguard against such attacks.