Hackers used a sophisticated backdoor called “SUBMARINE” in recent attacks against Barracuda Email Security Gateway (ESG) appliances, the US Cybersecurity and Infrastructure Security Agency (CISA) revealed on Friday.
Also known as DEPTHCHARGE, the backdoor consists of several components, including a SQL trigger, shell scripts, a Linux daemon, and a library, which work together to provide unauthorized access with root privileges, persistence, command and control capabilities, and cleanup functions.
The backdoor was discovered by analyzing malware samples from an undisclosed organization that fell victim to threat actors exploiting a critical vulnerability in ESG devices, CVE-2023-2868. This vulnerability allows remote command injection.
🔍 @CISAgov released malware analysis reports on #Barracuda backdoors. Threat actors exploited CVE-2023-2868 on an #FCEB network prior to rapid detection and remediation. See more, including #IOCs and #YARArules at https://t.co/xeldyc4XGT #Cybersecurity
— CISA Cyber (@CISACyber) July 28, 2023
The attackers, suspected to be linked to China and tracked by Mandiant as UNC4841, exploited this zero-day vulnerability in October 2022 to gain initial access to their targets. They then deployed backdoors to ensure continued access and control.
The attack chain involved sending phishing emails containing malicious TAR file attachments to trigger the exploit. This led to deploying a reverse shell payload communicating with the threat actor’s command and control (C2) server. Attackers then downloaded a passive backdoor called SEASPY, enabling them to execute arbitrary commands on compromised devices.
SUBMARINE, or DEPTHCHARGE, is the latest malware family detected in connection with these attacks. Organizations that want to avoid becoming the target of similar attacks should take the following steps:
- Revoke and rotate all domain-based and local credentials that were present on the ESG during the compromise.
- Revoke and reissue all certificates that resided on the ESG at the time of the compromise.
- Monitor the entire environment for any use of the credentials that resided on the ESG during the compromise.
- Monitor the entire environment for any use of the certificates that were available on the ESG at the time of the compromise.
- Block the published IoCs of the attack in your security solutions.
You can find IoCs in our GitHub Repo.