A Chinese threat actor that compromised federal networks by targeting Barracuda security appliances did so in part thanks to a newly revealed backdoor dubbed “Submarine,” a leading security agency has revealed.
The original Mandiant report on the attacks highlighted three backdoors used by the group: Seaside, Saltwater and Seaspy. However, in an update on Friday, the Cybersecurity and Infrastructure Security Agency (CISA) revealed an additional piece of backdoor malware was deployed to “establish and maintain persistence.”
Read more on the Barracuda campaign: Barracuda Zero-Day Exploited by Chinese Actor
Submarine is a “novel persistent backdoor executed with root privileges” that was hidden in a Structured Query Language (SQL) database on the targeted Barracuda Email Security Gateway (ESG) appliances, CISA said.
“Submarine comprises multiple artifacts – including a SQL trigger, shell scripts, and a loaded library for a Linux daemon – that together enable execution with root privileges, persistence, command and control, and cleanup,” the agency claimed.
“CISA also analyzed artifacts related to Submarine that contained the contents of the compromised SQL database. This malware poses a severe threat for lateral movement.”
Last month, Barracuda took the unusual decision to offer all of its affected ESG customers a replacement device, whatever their patch status.
That’s because the threat group it was tracking with Mandiant had been unusually persistent.
The vendor discovered the campaign on May 19 and released patches to contain and remediate the threat two days later. However, Chinese actor UNC4841 switched malware and deployed new persistence mechanisms to maintain access.
It then began to increase the frequency of its operations, forcing Barracuda to step in with the offer of new hardware.
UNC4841 originally gained access to victim networks via zero-day vulnerability CVE-2023-2868, which is a remote command injection bug affecting Barracuda ESG appliances 5.1.3.001–9.2.0.006.