Advanced Backdoor Attack "SUBMARINE" Uncovered in Barracuda Email Security Gateway (ESG) Appliances

Advanced Backdoor Attack “SUBMARINE” Uncovered in Barracuda Email Security Gateway (ESG) Appliances

[vc_row pix_particles_check=”” nav_skin=”light” consent_include=”include”][vc_column][vc_empty_space height=”10px”][vc_column_text]

Hackers used a sophisticated backdoor called “SUBMARINE” in recent attacks against Barracuda Email Security Gateway (ESG) appliances, the US Cybersecurity and Infrastructure Security Agency (CISA) revealed on Friday.

Also known as DEPTHCHARGE, the backdoor consists of several components, including a SQL trigger, shell scripts, and a Linux daemon-laden library that work together to provide unauthorized access with root privileges, persistence, command and control capabilities, as well as cleanup functions.

The backdoor was discovered by analyzing malware samples from an undisclosed organization that fell victim to threat actors exploiting a critical vulnerability in ESG devices, CVE-2023-2868. This vulnerability allows remote command injection.

🔍 @CISAgov released malware analysis reports on #Barracuda backdoors. Threat actors exploited CVE-2023-2868 on an #FCEB network prior to rapid detection and remediation. See more, including #IOCs and #YARArules at https://t.co/xeldyc4XGT #Cybersecurity pic.twitter.com/2hGLH6WCKY

— CISA Cyber (@CISACyber) July 28, 2023

[/vc_column_text][vc_column_text]

The attackers, suspected to be linked to China and tracked by Mandiant as UNC4841, exploited this zero-day vulnerability in October 2022 to gain initial access to their targets. They then deployed backdoors to ensure continued access and control.

The attack chain involved sending phishing emails containing malicious TAR file attachments to trigger the exploit. This led to deploying a reverse shell payload communicating with the threat actor’s command and control (C2) server. Attackers then downloaded a passive backdoor called SEASPY, enabling them to execute arbitrary commands on compromised devices.

SUBMARINE or DEPTHCHARGE is the latest malware family detected in connection with these attacks. In this context, to avoid being the target of similar critical attacks:

Revoke And Rotate All Domain-Based And Local Credentials Present On ESG During Compromise.
Revoke And Reissue All Certificates Residing In ESG At The Time Of Compromise.
Monitor The Entire Environment For Using Credentials Residing In ESG During Compromise.
Monitor The Entire Environment For The Use Of Certificates Available In ESG At The Time Of Compromise.
Block Published IoC Findings Of The Attack By Security Solutions.

[/vc_column_text][vc_column_text]

You can find IoCs in our GitHub Repo.

[/vc_column_text][vc_empty_space][/vc_column][/vc_row]

Advanced Backdoor Attack “SUBMARINE” Uncovered in Barracuda Email Security Gateway (ESG) Appliances

Share This:

Ready to Take The Next Step?

About the Program

Become A Partner

Partner Portal Login

Blog

Datasheets

e-Books

Events

Glossary

Threat Intelligence Researches

Reports

Security News

Infographics

Whitepapers

Webinars

Platform Overview

Brand Protection

External Attack Surface Management

Cyber Threat Intelligence

Fraud Protection

Supply Chain Security

About Us

Careers

News

Awards

Logos & Press Kit

Preventing Data Leakage

Phishing Monitoring

Account Takeover Detection

Stolen Credit Cards

Dark Web Monitoring

Remediation and Takedown

Customer Stories

Technology Integrations