In a recent alert by the Cybersecurity and Infrastructure Security Agency (CISA), a new and dangerous malware called "Submarine" has come to light. This malware was specifically designed to infiltrate Barracuda ESG (Email Security Gateway) appliances, posing a significant threat to federal agencies' networks. The attackers responsible for this breach took advantage of a previously unknown vulnerability known as CVE-2023-2868, enabling them to conduct data-theft attacks without detection.
At Armoryze, we take cybersecurity seriously, and incidents like this highlight the importance of staying proactive in safeguarding your organization against such threats. Our Risk-Based Vulnerability Management Service is designed to delve deep into the insights of vulnerabilities like CVE-2023-2868 and provide you with comprehensive protection against potential exploits. By partnering with us, you can fortify your defenses and prevent malicious actors from gaining unauthorized access to your systems. Protect your business with Armoryze and stay ahead of cyber threats.
The Attack Timeline:
The attacks were detected in May, but it appears they have been active since at least October 2022. The attackers targeted the Barracuda ESG appliances by exploiting the CVE-2023-2868 remote command injection zero-day vulnerability. They used this opportunity to deploy various malware components, including Submarine, Saltwater, SeaSpy, and SeaSide, to establish reverse shells for easy remote access.
Response from Barracuda:
After the attacks were identified, Barracuda took proactive measures to mitigate the impact on its customers. They issued a warning and provided replacement devices at no charge to affected customers instead of merely re-imaging them with new firmware. However, the attackers responded with another malware strain, Submarine, to maintain persistent access on customer ESG appliances.
Details about Submarine Malware:
Submarine is a multi-component backdoor that resides in a Structured Query Language (SQL) database on the ESG appliance. From there it can execute commands with elevated privileges, persist across a long period of time, handle command-and-control tasking, and clean up traces of its activity. CISA also identified related files attached to emails as Multipurpose Internet Mail Extensions (MIME) attachments; these files contained sensitive information extracted from the compromised SQL database.
Details of malware components:
Advice for Affected Customers:
If you suspect your Barracuda ESG appliance has been compromised, it's essential to discontinue its use and seek assistance from Barracuda support. They recommend obtaining a new ESG virtual or hardware appliance to replace the compromised one.
In light of this incident, it's crucial for users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
The emergence of Submarine malware and its successful exploitation of the CVE-2023-2868 vulnerability highlights the importance of proactive cybersecurity measures. Protecting your organization against such threats requires vigilant monitoring, timely patching, and a strong security strategy. At Armoryze, we understand the criticality of cybersecurity and offer Managed Security services to help safeguard your business from cyber threats. Schedule a FREE consultation with our expert team today to fortify your cybersecurity defenses.
Schedule Your FREE Consultation Today! Don't let cyber threats compromise your business. Take action now and schedule a FREE consultation with our Cybersecurity experts. Let us assess your organization's security posture and recommend tailored Managed Security services to mitigate risks effectively.
Empower your business with the best defense against cyberattacks. Contact us and stay one step ahead of potential threats with Armoryze. Your cybersecurity is our priority!