CyberSecurity SEE

Submarine Launches Surprise Attacks on Barracuda Email Security

New Malware “Submarine” Exploiting Zero-Day Vulnerability in Barracuda Email Security Gateway Appliances

IT security teams are facing a new and dangerous malware threat known as “Submarine.” This malware has been specifically designed to target a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances, leaving organizations susceptible to cyber attacks.

A China-based threat actor, UNC4841, has been behind a series of cyber attacks aimed at bypassing email security in targeted organizations. The attacks, believed to have started in October, form part of an ongoing cyber espionage campaign. Submarine is one of the four backdoors that researchers have identified being used in these attacks.

According to Austin Larsen, a senior incident response consultant with Mandiant, Submarine is unique among the backdoors in that it specifically targets the root privileges of an SQL database on Barracuda ESG appliances. UNC4841 has shown a special interest in “priority” victims, deploying additional malware like Submarine to maintain persistence even after remediation efforts have been taken.

The US Cybersecurity and Infrastructure Security Agency (CISA) has analyzed Submarine and described it as a novel and persistent threat. The malware consists of multiple artifacts that enable it to execute with root privileges, persist within the system, establish command and control, and perform clean-up operations. CISA warned that Submarine poses a severe risk of lateral movement and urged affected organizations to implement its recommended actions to mitigate that risk.

Barracuda had initially disclosed and patched a remote command-injection vulnerability in the affected versions of its ESG appliances. However, it has become apparent that the threat actor has been able to maintain persistence even after Barracuda released the patches and containment measures. UNC4841 has shown the ability to quickly modify its malware in response to Barracuda’s mitigation efforts.

The severity and persistence of the attacks led Barracuda to take the unusual step of advising customers to replace their affected appliances instead of attempting further patching. Barracuda hired Mandiant, a subsidiary of Google, to investigate the attacks. Mandiant identified UNC4841 as a likely China-based APT actor and revealed an aggressive cyber espionage campaign targeting organizations across 16 countries in various sectors.

Mandiant observed the threat actor deploying three other backdoors, named “Saltwater,” “Seaspy,” and “Seaside,” after exploiting the initial vulnerability. These backdoors served different purposes like data theft, system monitoring, and executing malicious remote commands. Saltwater is a module containing backdoor functionality, Seaspy is the primary passive backdoor, and Seaside is a Lua-based module for the Barracuda SMTP daemon.

Following CISA’s discovery of Submarine, Barracuda updated its advisory on UNC4841 and confirmed that the malware appeared on a small subset of already compromised ESG devices. Barracuda recommends discontinuing the use of compromised appliances and contacting their support for a new ESG virtual or hardware appliance.

With the emergence of the Submarine malware and the ability of threat actors to persistently exploit vulnerabilities, IT security teams face an uphill battle in combating cyber threats. Organizations must remain vigilant, regularly update their security systems, and follow recommended mitigation strategies to minimize the risk of falling victim to cyber attacks.
