New persistent backdoor used in attacks on Barracuda ESG appliances (Security News, July 2023)
The Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report on the backdoors dropped by attackers exploiting CVE-2023-2868, a remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances.
In late May, Barracuda warned that attackers had been exploiting the vulnerability in Barracuda Networks' physical ESG appliances.
As Mandiant previously reported, the threat actors then set up a reverse shell backdoor on the appliances, which they used to download the SEASPY backdoor along with additional malicious payloads.
"SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service. SEASPY monitors traffic from the actor's C2 server," CISA noted in its alert.
After initial attempts to address the vulnerability by releasing a patch and urging customers to apply mitigations, Barracuda issued an urgent action notice advising them to replace affected ESG appliances as soon as possible.
CISA has also identified a new malware family on the compromised ESG appliances, dubbed SUBMARINE. "SUBMARINE is a novel persistent backdoor executed with root privileges that lives in a Structured Query Language database on the ESG appliance," the agency noted.
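The article describes CVE-2023-2868 only as a "remote command injection" flaw. To make that bug class concrete, the following is an added illustrative example (not Barracuda's code, and not the actual CVE-2023-2868 code path): a hypothetical `scan_unsafe` helper that interpolates an attacker-controlled attachment name into a shell command, beside two hardened variants and an allowlist validator. The `printf` command stands in for whatever tool the appliance would invoke, and all filenames below are constructed test inputs.

```python
import re
import shlex
import subprocess

# Allowlist for names taken from untrusted archives: letters, digits, dot,
# underscore, hyphen; no leading dash (option injection), no traversal.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_safe_member_name(name: str) -> bool:
    """Reject anything outside the allowlist, including '..' components."""
    return bool(_SAFE_NAME.fullmatch(name)) and ".." not in name


def scan_unsafe(filename: str) -> str:
    """VULNERABLE PATTERN: untrusted name spliced into a shell string.

    Shell metacharacters in `filename` (';', '|', '$(...)', backticks) are
    parsed by /bin/sh, so a crafted attachment name runs arbitrary commands.
    """
    cmd = f"printf 'scanning %s\\n' {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def scan_quoted(filename: str) -> str:
    """Mitigation 1: keep the shell but quote the untrusted token.

    shlex.quote() wraps the value in single quotes so the shell treats it as
    one literal word. Adequate when a shell is unavoidable, but fragile.
    """
    cmd = f"printf 'scanning %s\\n' {shlex.quote(filename)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def scan_safe(filename: str) -> str:
    """Mitigation 2 (preferred): no shell at all.

    Passing an argument vector means the name is delivered to printf as a
    single argv entry; nothing ever re-parses it. Combine with the allowlist
    so names that are merely odd are rejected before any tool sees them.
    """
    if not is_safe_member_name(filename):
        raise ValueError(f"rejected attachment name: {filename!r}")
    result = subprocess.run(
        ["printf", "scanning %s\n", filename],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed attacker-controlled name: a command separator plus a
    # second command, as a crafted archive member name might carry.
    hostile = "a; echo INJECTED"
    print("unsafe :", repr(scan_unsafe(hostile)))   # second command executes
    print("quoted :", repr(scan_quoted(hostile)))   # treated as one literal
    try:
        scan_safe(hostile)
    except ValueError as err:
        print("safe   :", err)                      # rejected before exec
    print("safe   :", repr(scan_safe("report.pdf")))
```

The difference to look for is in the unsafe output: the injected `echo INJECTED` runs as a separate command, which is exactly the behaviour that lets an attacker who can only choose a filename obtain code execution on the host processing it. The argument-vector form removes the shell from the path entirely; the allowlist adds a second layer so that the tool being invoked never has to cope with surprising names either.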
News URL
https://www.helpnetsecurity.com/2023/07/31/barracuda-esg-backdoors/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score) |
---|---|---|---|
2023-05-24 | CVE-2023-2868 | Command injection vulnerability in Barracuda products: a remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product, affecting versions 5.1.3.001 through 9.2.0.006. | 9.8 |