CISA: New Submarine Malware Found on Hacked Barracuda ESG Appliances

Cyber Security Threat Summary:
In May, network and email security firm Barracuda disclosed that a recently patched remote command injection zero-day vulnerability had been exploited since October 2022 to gain access to a subset of its Email Security Gateway (ESG) appliances. The flaw, tracked as CVE-2023-2868, was further exploited to deploy previously unknown malware dubbed Saltwater and SeaSpy, as well as a malicious tool called SeaSide, to establish reverse shells for easy remote access. In light of the attacks, Barracuda offered replacement devices to all affected customers at no charge.

“This decision came after issuing a warning that all compromised ESG (Email Security Gateway) appliances needed immediate replacement instead of merely re-imaging them with new firmware. Mandiant Incident Response Manager John Palmisano told BleepingComputer at the time that this was recommended out of caution, as the company could not ensure the complete removal of malware” (Bleeping Computer, 2023).

Last Friday, CISA released a malware analysis report further disclosing details of a new malware dubbed Submarine that was also found on the compromised appliances. According to CISA, “Submarine is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance.” It further “comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.”

The discovery of Submarine was made possible after the agency received several malware samples from an unnamed organization that had been compromised in the attacks against ESG appliances. Based on the evidence gathered so far, the attackers behind the activity are suspected to be a China-nexus actor that Mandiant is tracking as UNC4841.

“In addition to SUBMARINE, CISA obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information,” stated the agency.

Security Officer Comments:
Following CISA’s publication, Barracuda released a notice regarding the newly uncovered malware. According to Barracuda, Submarine was deployed by the threat actors in response to the company’s remediation actions, in a further attempt to create persistent access on customer ESG appliances. However, the malware was only observed on a very small number of already compromised ESG appliances. Impacted customers have been advised to discontinue the use of these compromised ESG appliances and contact the company to obtain a new ESG virtual or hardware appliance.

Suggested Correction(s):
CISA has released IOCs and YARA rules that can be used for detection purposes:

In addition, Mandiant published a detailed technical write-up which includes some hardening recommendations to assist organizations:

  • Review email logs to identify the initial point of exposure.
  • Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise.
  • Revoke and reissue all certificates that were on the ESG at the time of compromise.
  • Monitor the entire environment for the use of credentials that were on the ESG at the time of compromise.
  • Monitor the entire environment for the use of certificates that were on the ESG at the time of compromise.
  • Review network logs for signs of data exfiltration and lateral movement.
  • Capture a forensic image of the appliance and conduct a forensic analysis.
    • Physical appliance models can be imaged following standard procedures. Most models have two (2) hot-swappable drives in a RAID1 configuration.
    • The provided YARA rules can be applied to appliance images to assist forensic investigators.
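The two "monitor the entire environment" items above amount to a watchlist sweep over authentication and TLS logs: export every account and certificate that lived on the appliance before revoking and reissuing them, then look for any later use of those identifiers anywhere else. The following Python is an added example, not code from CISA, Barracuda or Mandiant; the account names, the certificate fingerprint, both log formats and the log lines are constructed placeholders. Failed attempts are reported as well, since a revoked credential still being tried is itself evidence that someone holds it.

```python
"""Watchlist sweep for credentials and certificates that were present on a
compromised appliance.

Added example; not code from CISA, Barracuda or Mandiant. The account names,
certificate fingerprint and log lines are constructed placeholders, and the
two log formats are assumed for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed watchlist: what an IR team exports from the appliance inventory
# before the credentials are revoked and the certificates reissued.
WATCHED_ACCOUNTS = {"svc-esg-ldap", "esg-admin"}                      # placeholders
WATCHED_CERT_FPS = {"ab" * 32: "ESG TLS certificate (placeholder)"}  # sha256 hex

# Assumed log formats (constructed, not any real product's format).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"result=(?P<result>\w+) src=(?P<src>\S+)$"
)
TLS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) tls client_cert_sha256=(?P<fp>[0-9a-fA-F]{64}) "
    r"src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str       # system that logged the event
    kind: str       # "account" or "certificate"
    indicator: str  # normalized account name or certificate fingerprint
    src: str        # source address of the attempt
    outcome: str    # auth result for accounts, "presented" for certificates


def sweep(lines, accounts=WATCHED_ACCOUNTS, cert_fps=WATCHED_CERT_FPS):
    """Return a Hit for every log line in which a watched account or
    certificate appears. Matching is case-insensitive because account names
    and hex fingerprints are logged inconsistently across systems."""
    accounts_lc = {a.lower() for a in accounts}
    fps_lc = {f.lower() for f in cert_fps}
    hits = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if m:
            user = m["user"].lower()
            if user in accounts_lc:
                hits.append(Hit(m["ts"], m["host"], "account", user, m["src"], m["result"]))
            continue
        m = TLS_RE.match(line.strip())
        if m and m["fp"].lower() in fps_lc:
            hits.append(Hit(m["ts"], m["host"], "certificate", m["fp"].lower(),
                            m["src"], "presented"))
    return hits


def summarize(hits):
    """Group hits by indicator: count, first/last seen, source addresses and
    logging hosts, which is the pivot needed to scope lateral movement."""
    by_ind = defaultdict(list)
    for h in hits:
        by_ind[h.indicator].append(h)
    out = {}
    for ind, hs in by_ind.items():
        hs.sort(key=lambda h: h.ts)  # ISO-8601 timestamps sort lexically
        out[ind] = {
            "kind": hs[0].kind,
            "count": len(hs),
            "first_seen": hs[0].ts,
            "last_seen": hs[-1].ts,
            "sources": sorted({h.src for h in hs}),
            "hosts": sorted({h.host for h in hs}),
        }
    return out


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOGS = [
    "2023-06-02T01:12:09Z dc01 auth user=alice result=success src=10.0.5.20",
    "2023-06-02T01:14:33Z dc01 auth user=svc-esg-ldap result=success src=10.0.9.41",
    "2023-06-02T01:15:02Z fileserver auth user=SVC-ESG-LDAP result=failure src=10.0.9.41",
    "2023-06-02T02:40:18Z vpn01 tls client_cert_sha256=" + "ab" * 32 + " src=203.0.113.7",
    "2023-06-02T02:41:00Z vpn01 tls client_cert_sha256=" + "cd" * 32 + " src=10.0.5.20",
    "garbage line that matches neither format",
]

if __name__ == "__main__":
    for ind, s in summarize(sweep(SAMPLE_LOGS)).items():
        print(f"{s['kind']:11} {ind[:20]:20} count={s['count']} "
              f"first={s['first_seen']} sources={','.join(s['sources'])}")
```

In practice the watchlist comes from the appliance's own configuration (LDAP bind accounts, SMTP relay credentials, TLS certificates) captured before rotation, and `sweep` runs over SIEM exports rather than an inline list; the summary's `sources` and `hosts` fields are what to feed into the network-log review for lateral movement in the next step.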