The Cybersecurity and Infrastructure Security Agency (CISA) has published technical details on three malware variants used in attacks against Barracuda Email Security Gateway (ESG) customers. The attacks exploited CVE-2023-2868, a zero-day remote command injection flaw that Barracuda identified on May 19, 2023. Barracuda pushed initial patches to appliances on May 20 and 21, but it later became clear that the vulnerability had been exploited long before the patch, that a larger number of appliances were affected, and that patching alone did not remove attackers from appliances that were already compromised.
Mandiant, the incident response firm Barracuda retained to investigate, attributes the attacks to a suspected China-nexus actor it tracks as UNC4841 and assesses that the campaign was espionage conducted in support of the People's Republic of China. Exploitation had been under way since at least October 2022. Because the initial patches could not evict an actor already on the device, Barracuda advised customers to replace compromised appliances immediately rather than rely on the update.
In response to these attacks, CISA has released an alert containing technical analyses of the three malware variants associated with exploitation of CVE-2023-2868. The first is the initial access payload: a crafted TAR file sent as an email attachment triggers the command injection on a vulnerable ESG appliance and launches a reverse shell back to the threat actor's command and control infrastructure. Through that shell the actor retrieves and installs the second variant, "Seaspy", a persistent, passive backdoor that masquerades as a legitimate Barracuda service and waits for attacker traffic rather than beaconing out.
The third variant, "Submarine", was disclosed for the first time in CISA's advisory. Submarine is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the compromised ESG appliance; it consists of several artifacts, including a SQL trigger, shell scripts, and a library loaded by a Linux daemon, that together provide root-level execution, persistence, command and control, and cleanup. Because it runs as root on a device that sits on the mail path, CISA warns that it poses a severe threat for lateral movement within the compromised network.
CISA's alert includes YARA rules and indicators of compromise for all three malware variants. Organizations can use them to hunt for signs of compromise on their ESG appliances and in network telemetry, bearing in mind that a match confirms compromise rather than fixing it: a positive hit should trigger incident response and appliance replacement, not just cleanup of the flagged files.
Following CISA's advisory, Barracuda updated its dedicated page for CVE-2023-2868. The company states that Submarine has been found only on a small number of appliances that were already compromised. Barracuda continues to recommend that customers replace compromised appliances outright, regardless of patch level, as the only way to fully remediate them.
Barracuda, together with Mandiant and government partners, is continuing to investigate the ESG incident and the associated malware. It has identified an additional malware variant that was installed on a very limited number of already-compromised appliances and that tampered with the appliance's configuration file. Barracuda is working directly with affected customers to ensure they are aware of the situation and, where appropriate, to help them rebuild their configuration files.
In summary, the attacks on Barracuda Email Security Gateway appliances have revealed multiple malware families deployed after exploitation of CVE-2023-2868, including one that was unknown until CISA's analysis. The scale of the campaign and its attribution to a China-nexus state actor have raised concern about the security of these appliances and about what an attacker with root on a mail gateway can reach inside the network. Organizations running ESG appliances should follow the guidance from Barracuda and CISA closely: check for the published indicators, treat any match as a confirmed compromise, and replace affected appliances rather than relying on patches alone.