The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently revealed critical details regarding a sophisticated backdoor malicious software identified as SUBMARINE. This malware has reportedly been employed by threat actors in connection with an exploit targeting Barracuda Email Security Gateway (ESG) appliances, which has raised alarms within the cybersecurity landscape.
According to CISA's findings, SUBMARINE consists of several components: SQL triggers, shell scripts, and a library loaded into a Linux daemon. Together these elements provide execution with root privileges, persistence, command and control, and routines for cleaning up traces of the intrusion.
The findings stem from an analysis of malware samples taken from an organization compromised through a critical vulnerability in ESG devices, tracked as CVE-2023-2868 (CVSS score 9.8). The vulnerability allows remote command injection, resulting in unauthorized access and potential data breaches.
Evidence suggests that the attackers, suspected to be affiliated with a Chinese actor tracked by Mandiant as UNC4841, exploited this zero-day vulnerability starting in October 2022. By doing so, they were able to gain initial access to targeted networks and subsequently deploy backdoors to maintain footholds within compromised environments.
The attack strategy involved sending phishing emails that contained malicious TAR file attachments designed to exploit the vulnerability. This technique triggered the execution of a reverse shell payload, establishing a communication channel with the attackers’ command-and-control (C2) server. From this C2 server, a passive backdoor known as SEASPY was downloaded, enabling the execution of arbitrary commands on the infected devices.
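As an added, defender-side illustration (not code from CISA, Barracuda, or the original article), the check below inspects TAR attachments before they reach a vulnerable appliance and flags member names containing shell metacharacters. It assumes, as public advisories for CVE-2023-2868 describe, that the injection vector is unsanitized archive member names spliced into a shell command; the sample archives are constructed in memory.

```python
"""Flag TAR attachments whose member names carry shell metacharacters."""
import io
import re
import tarfile

# Characters a shell would interpret if a member name were spliced into a
# command line; none of them belong in a legitimate attachment file name.
SHELL_META = re.compile(r"[`$|;&<>\n]")


def suspicious_members(tar_bytes: bytes) -> list[str]:
    """Return the member names in tar_bytes that contain shell metacharacters."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if SHELL_META.search(member.name):
                hits.append(member.name)
    return hits


def build_tar(names: list[str]) -> bytes:
    """Constructed sample: build an in-memory TAR with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"placeholder\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a benign archive and one whose member name carries
# backtick-quoted text, the shape of input the vulnerable parser failed to reject.
BENIGN = build_tar(["report.pdf", "invoice-2023.csv"])
SUSPECT = build_tar(["report.pdf", "data`placeholder`.txt"])

if __name__ == "__main__":
    print("benign:", suspicious_members(BENIGN))    # []
    print("suspect:", suspicious_members(SUSPECT))  # ['data`placeholder`.txt']
```

A gateway-side hook would quarantine any message whose attachment produces a non-empty list; the pattern catches the vector without needing to know the specific command an attacker would embed.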
The SUBMARINE malware, also referred to as DEPTHCHARGE by certain cybersecurity firms, operates with root privileges and resides within a structured query language (SQL) database on the ESG appliance. Notably, it receives encrypted commands and conceals its responses within SMTP traffic, thereby complicating detection efforts by the targeted organization.
It is believed that the deployment of SUBMARINE was a tactical response to active remediation efforts undertaken by affected organizations. Mandiant has previously characterized these adversaries as agile and adaptive, capable of quickly modifying their malware and implementing additional persistence mechanisms to uphold their access to victim networks.
CISA further indicated that its analysis of SUBMARINE artifacts included the contents of a compromised SQL database, and noted the serious risk of lateral movement within organizations affected by this exploit.
Update
In a subsequent advisory, Barracuda disclosed that SUBMARINE had been detected on a limited number of already compromised ESG appliances. They emphasized the urgency for customers to cease usage of these affected devices and contact Barracuda support to facilitate the acquisition of new ESG virtual or hardware appliances.