The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a backdoor known as “Whirlpool,” which has been deployed by a China-based threat group called UNC4841. The backdoor is being used in a widespread cyber espionage campaign targeting organizations across multiple industries in 16 countries. This campaign has been ongoing since at least October of last year.
The attacks initially came to light when Barracuda, a cybersecurity company, reported unusual activity related to its Email Security Gateway (ESG) appliances. Barracuda’s investigation revealed that UNC4841 was exploiting a zero-day vulnerability, tracked as CVE-2023-2868, in specific versions of its ESG appliances. This vulnerability allowed the threat group to gain initial access to systems belonging to a small number of targeted Barracuda customers.
In response, Barracuda promptly released a patch for the vulnerability. However, by June, the company advised affected customers to urgently replace infected systems instead of just patching them. This recommendation came after observing UNC4841 taking measures to maintain a long-term presence on compromised systems.
CISA has now identified Whirlpool as a backdoor used by UNC4841. It establishes a Transport Layer Security (TLS) reverse shell to the attacker’s command-and-control (C2) server. Because the session is encrypted and blends in with normal outbound HTTPS traffic, this malicious activity is difficult to detect by inspecting content alone.
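Since the reverse shell rides inside TLS, detection has to rest on the shape of the connection rather than its contents. The following is an added example, not code from CISA, Barracuda or Mandiant; it assumes a Zeek-style connection log with the fields shown, and the appliance address, allowlisted destinations, thresholds and log records are all constructed placeholders.

```python
"""Flag outbound TLS sessions from an appliance that look like a long-lived,
low-volume reverse shell rather than ordinary HTTPS (added illustration)."""
from dataclasses import dataclass

# Constructed sample records in an assumed key=value, Zeek-like layout.
SAMPLE_LOG = """\
ts=1691500000 src=10.0.1.20 dst=203.0.113.5 dport=443 duration=14400 orig_bytes=9000 resp_bytes=12000
ts=1691500100 src=10.0.1.20 dst=198.51.100.7 dport=443 duration=3 orig_bytes=1200 resp_bytes=48000
ts=1691500200 src=10.0.1.20 dst=192.0.2.10 dport=443 duration=60 orig_bytes=500 resp_bytes=2000
"""

APPLIANCE_HOSTS = {"10.0.1.20"}        # assumed ESG appliance address
ALLOWED_DESTINATIONS = {"192.0.2.10"}  # assumed vendor update/licensing host
MIN_DURATION_S = 3600                  # an hours-long HTTPS session is unusual
MAX_BYTES_PER_SEC = 50.0               # interactive shells move very little data


@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    duration: float
    total_bytes: int


def parse_line(line: str) -> Conn:
    """Turn one key=value log line into a Conn record."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Conn(
        src=kv["src"],
        dst=kv["dst"],
        dport=int(kv["dport"]),
        duration=float(kv["duration"]),
        total_bytes=int(kv["orig_bytes"]) + int(kv["resp_bytes"]),
    )


def is_suspicious(c: Conn) -> bool:
    """Long-lived, low-throughput TLS session from an appliance to an
    unapproved destination: the profile of a reverse shell, not of HTTPS."""
    if c.src not in APPLIANCE_HOSTS or c.dst in ALLOWED_DESTINATIONS:
        return False
    if c.dport != 443 or c.duration < MIN_DURATION_S:
        return False
    return c.total_bytes / c.duration <= MAX_BYTES_PER_SEC


def find_suspicious(log_text: str) -> list[Conn]:
    """Return every record in the log that matches the reverse-shell profile."""
    return [c for c in map(parse_line, log_text.splitlines()) if is_suspicious(c)]
```

Tune the allowlist and thresholds to what the appliance legitimately talks to; a short, high-volume session like the second record above is what normal HTTPS looks like.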
Whirlpool is one of several backdoors employed by UNC4841 in their campaign. Other backdoors include Seaspray, Seaside, and Saltwater. Mandiant, a security group under Google, provided this information in a blog post after investigating the Barracuda attacks.
Austin Larsen, a senior incident response consultant at Mandiant, states that UNC4841 is using Whirlpool alongside Seaspray and Seaside. Unlike the other backdoors, Whirlpool is a C-based utility that provides reverse shell capabilities for other malware families such as Seaspray.
In addition to Whirlpool, CISA has also flagged the use of another backdoor known as “Submarine.” This backdoor specifically targets SQL databases on Barracuda ESG appliances. It enables the threat group to maintain persistence, establish command-and-control, carry out cleanup operations, and move laterally within compromised networks.
These escalating attacks highlight the persistence and determination of UNC4841 in its cyber espionage campaign. They also underscore the importance of promptly patching vulnerabilities and taking proactive measures to ensure network security.
As the cyber threat landscape continues to evolve, organizations must remain vigilant and stay updated on the latest security alerts and recommendations from trusted sources such as CISA. By prioritizing cybersecurity and implementing effective defense strategies, businesses can reduce their risk of falling victim to advanced persistent threats like the one conducted by UNC4841.