Malware Actively Planted on Vulnerable Barracuda email gateways
Take action: Replace your vulnerable Barracuda ESG appliance now. Even an appliance hidden behind another SMTP service will be reached eventually; an appliance exposed directly to the internet should be treated as already compromised.
Replacing vulnerable, and very likely compromised, Barracuda email gateways has become even more urgent with the discovery of three malware variants on affected devices. Barracuda had previously warned of a remote code execution bug (CVE-2023-2868) in its Email Security Gateway (ESG) appliances and advised that affected appliances be replaced rather than patched.
Despite that advisory, some appliances remain in service, and CISA has now published analyses of three malware variants recovered from Barracuda devices:
- The first is a reverse shell payload that gives the attackers a reverse shell on the ESG appliance.
- The second is a backdoor called SEASPY, which is downloaded from the command and control (C2) server. Disguised as a legitimate Barracuda service, SEASPY is a passive, persistent backdoor that covertly watches the appliance's network traffic. Upon receiving a specific packet sequence from the C2 server, SEASPY opens a TCP reverse shell to the C2 server, letting the threat actors execute arbitrary commands on the appliance.
- The third, SUBMARINE, is described as a novel persistent backdoor that lives in a SQL database on the appliance and runs with root privileges. SUBMARINE comprises several components, including a SQL trigger, shell scripts, and a loaded library for a Linux daemon, which together provide execution as root, persistence, command and control, and cleanup. CISA highlights that this malware poses a serious risk of lateral movement.
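The SUBMARINE description above illustrates a general persistence pattern: a database trigger whose body shells out or loads code, so the payload re-runs every time an ordinary row changes. The following is an added example, not code from the page, from CISA, or from Barracuda, of the check a responder would run against such a database: enumerate every trigger and flag any whose body references command execution, file I/O, or library loading. It uses SQLite as a stand-in for the appliance database, builds a small constructed schema with one benign and one planted trigger, and registers a do-nothing `sys_exec` stub (named after the MySQL `lib_mysqludf_sys` UDF) so the sample runs safely offline. The trigger names, table names, script path, and pattern list are all assumptions for illustration; the real SUBMARINE trigger text is not given on this page.

```python
"""Audit database triggers for bodies that shell out or load code.

Added example; assumes an SQLite stand-in for the appliance database.
On MySQL the same check would read ACTION_STATEMENT from
information_schema.TRIGGERS instead of sqlite_master.
"""
import re
import sqlite3

# Tokens a trigger body should never contain on an appliance. Illustrative
# list (assumption): sys_exec/sys_eval are the lib_mysqludf_sys UDFs,
# LOAD_FILE / INTO OUTFILE / INTO DUMPFILE are MySQL file primitives, the
# rest are shell and shared-library markers.
SUSPICIOUS_PATTERNS = [
    r"\bsys_exec\b",
    r"\bsys_eval\b",
    r"\bLOAD_FILE\b",
    r"\bINTO\s+OUTFILE\b",
    r"\bINTO\s+DUMPFILE\b",
    r"/bin/(ba)?sh\b",
    r"\bLD_PRELOAD\b",
    r"\.so\b",
]


def list_triggers(conn):
    """Return (name, table, sql) for every trigger defined in the database."""
    return conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    ).fetchall()


def audit_triggers(conn):
    """Return a finding for each trigger whose body matches a suspicious pattern."""
    findings = []
    for name, table, sql in list_triggers(conn):
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, sql, re.IGNORECASE)]
        if hits:
            findings.append({"trigger": name, "table": table, "matched": hits})
    return findings


def build_sample_db():
    """Constructed sample: a config table, a benign audit trigger, and a planted one."""
    conn = sqlite3.connect(":memory:")
    # Harmless stub standing in for a command-execution UDF so the planted
    # trigger can be created (and even fired) without running anything.
    conn.create_function("sys_exec", 1, lambda cmd: 0)
    conn.executescript(
        """
        CREATE TABLE config (key TEXT, value TEXT);
        CREATE TABLE audit_log (entry TEXT);

        -- Benign: log configuration changes.
        CREATE TRIGGER trg_log_config AFTER UPDATE ON config
        BEGIN
            INSERT INTO audit_log(entry) VALUES ('config changed: ' || NEW.key);
        END;

        -- Planted (constructed example): re-run a script whenever a row is added.
        CREATE TRIGGER trg_persist AFTER INSERT ON config
        BEGIN
            SELECT sys_exec('/bin/sh /var/tmp/example_persist.sh');
        END;
        """
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for finding in audit_triggers(db):
        print(f"{finding['trigger']} on {finding['table']}: {finding['matched']}")
```

Pattern matching on trigger text is a triage aid, not proof of compromise; the point is that a trigger is a persistence location that routine process and cron reviews never look at, so it belongs on the checklist alongside the daemon's loaded libraries and the shell scripts the appliance runs at boot.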