9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.028 Low
EPSS
Percentile
89.2%
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a βnovel persistent backdoorβ called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances.
βSUBMARINE comprises multiple artifacts β including a SQL trigger, shell scripts, and a loaded library for a Linux daemon β that together enable execution with root privileges, persistence, command and control, and cleanup,β the agency said.
The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical flaw in ESG devices, CVE-2023-2868 (CVSS score: 9.8), which allows for remote command injection.
Evidence gathered so far shows that the attackers behind the activity, a suspected China nexus-actor tracked by Mandiant as UNC4841, leveraged the flaw as a zero-day in October 2022 to gain initial access to victim environments and implanted backdoors to establish and maintain persistence.
To that end, the infection chain involved sending phishing emails with booby-trapped TAR file attachments to trigger exploitation, leading to the deployment of a reverse shell payload to establish communication with the threat actorβs command-and-control (C2) server, from where a passive backdoor known as SEASPY is downloaded for executing arbitrary commands on the device.
SUBMARINE, also codenamed DEPTHCHARGE by the Google-owned threat intelligence firm, is the latest malware family to be discovered in connection with the operation. Executed with root privileges, it resides in a Structured Query Language (SQL) database on the ESG appliance, and βreceives encrypted commands and hides its responses in SMTP traffic.β
Itβs believed to have been βdeployed in response to remediation efforts,β echoing Mandiantβs characterization of the adversary as an aggressive actor capable of quickly altering their malware and employing additional persistence mechanisms in an attempt to maintain their access.
The agency further said it βanalyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database,β and that it βposes a severe threat for lateral movement.β
Barracuda, in a revised advisory, said SUBMARINE βappeared on a very small number of already compromised ESG appliances,β emphasizing that βcustomers should discontinue use of the compromised ESG appliance and contact Barracuda support to obtain a new ESG virtual or hardware appliance.β
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.028 Low
EPSS
Percentile
89.2%