The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a “novel persistent backdoor” called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances.
The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical flaw in ESG devices, CVE-2023-2868 (CVSS score: 9.8), which allows for remote command injection.
Evidence gathered so far shows that the attackers behind the activity, a suspected China nexus-actor tracked by Mandiant as UNC4841, leveraged the flaw as a zero-day in October 2022 to gain initial access to victim environments and implanted backdoors to establish and maintain persistence.
SUBMARINE, also codenamed DEPTHCHARGE by the Google-owned threat intelligence firm, is the latest malware family to be discovered in connection with the operation. Executed with root privileges, it resides in a Structured Query Language (SQL) database on the ESG appliance, and “receives encrypted commands and hides its responses in SMTP traffic.”
It’s believed to have been “deployed in response to remediation efforts,” echoing Mandiant’s characterization of the adversary as an aggressive actor capable of quickly altering their malware and employing additional persistence mechanisms in an attempt to maintain their access.
The agency further said it “analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database,” and that it “poses a severe threat for lateral movement.”
Source: https://thehackernews.com/