Malware spotted on Barracuda email gateways

By

CISA issues new warning.

The need to replace Barracuda email gateways has taken on a new urgency, with America’s Computer and Infrastructure Security Agency (CISA) warning it has identified three malware variants planted on vulnerable devices.

Malware spotted on Barracuda email gateways

Earlier this year, Barracuda advised that a remote code execution bug (CVE-2023-2868) in some of its email security gateways required affected devices to be replaced.

Some units clearly remain in service, and CISA has warned it has identified three malware variants it has spotted on Barracuda devices.

The first is a payload attackers use to drop and execute a reverse shell on the ESG appliance.

This was used to download a second backdoor, dubbed SEASPY, from the command and control (C2) server.

CISA described SEASPY as a passive, persistent backdoor masquerading as a legitimate Barracuda service, monitoring traffic from the C2 server. 

When the server sent a particular packet sequence, SEASPY established a TCP reverse shell to the C2 server, giving the threat actors the ability to execute arbitrary commands on the appliance.

CISA described the third malware variant, SUBMARINE, as a “novel persistent backdoor” that was planted in an SQL database on the appliance, and executed with root privileges.

“SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command and control, and cleanup,” CISA said.

“This malware poses a severe threat for lateral movement.”

The advisory includes compromise indicators, and YARA detection rules for all three malware variants.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?