CISA warns of a new backdoor malware called Submarine – targeting Barracuda Email Security Gateway (ESG) appliances to spy on federal agencies.

Barracuda revealed that the threat actor – a suspected Chinese hacker group – is exploiting a zero-day bug to drop malware and reverse shells for persistence. CISA asks agencies to check their networks thoroughly for potential compromises and to contact the agency if they find any.

Exploiting Barracuda ESG For Spying

While many of us knew Barracuda for making storage devices, the company is also skilled in making security devices for email and various applications. Serving over 200,000 organisations, Barracuda’s high-profile clients include Samsung, Delta Airlines, Kraft Heinz, Mitsubishi and some US federal agencies.

Thus, any issue arising in its services will profoundly impact the critical organisations relying on it, and CISA has just warned of exactly that this week. In a new security notification, CISA warns of a new malware known as Submarine that hackers are using to backdoor Barracuda ESG appliances on federal agencies’ networks.

Barracuda confirms the issue, saying that a zero-day bug (tracked as CVE-2023-2868) is what the hackers are leveraging to exploit the devices. The bug is a remote command injection flaw used to drop previously unknown malware called Saltwater and SeaSpy, along with a tool called SeaSide that sets up reverse shells for easy remote access.

In a deeper analysis, CISA describes the Submarine package as a multi-component backdoor built for detection evasion, persistence, and data harvesting. While the hackers’ motives aren’t firmly established, the activity appears to be primarily aimed at spying and stealing sensitive data.

Advising federal agencies to review their environments thoroughly, CISA says the malware can also be used to move laterally within a compromised network. Anyone who finds evidence of compromise should immediately contact CISA’s 24/7 Operations Center at [email protected].

This comes a month after the company replaced its clients’ ESG devices for free, citing an RCE flaw that gave hackers persistent access to the compromised devices. Since the implants can’t be easily removed, Barracuda offered a free replacement of the affected units.