CISA: Submarine Backdoor Torpedoes Barracuda Email Security

Published: 23/11/2024   Category: security

A China-nexus cyber-espionage campaign rages on with the fourth backdoor to surface in the wild that takes advantage of the CVE-2023-2868 zero-day security bug — with severe threat of lateral movement, CISA warns.



IT security teams may find themselves soon underwater, so to speak, thanks to dangerous new malware dubbed Submarine that is zeroing in on a zero-day vulnerability in Barracuda's Email Security Gateway (ESG) appliances.
A China-nexus threat actor tracked as UNC4841 has been dropping multiple payloads on vulnerable Barracuda appliances over the past several months in an attempt to get around email security at targeted organizations -- part of a seemingly unflagging cyber espionage campaign that likely stretches back to October. Submarine is one of four backdoors that researchers have observed being used in the cyberattacks so far.
Austin Larsen, senior incident response consultant with Mandiant, says Submarine (aka Depthcharge) is different and distinct from the other three backdoors in that it specifically obtains root privileges on an SQL database on Barracuda ESG appliances, and only on priority victims.
"Mandiant has identified Submarine on a subset of victims where Mandiant is engaged in incident response," he says. "UNC4841 has shown a special interest in a subset of priority victims. It is at these victims that additional malware such as [Submarine] is deployed to maintain persistence in response to remediation efforts."
The US Cybersecurity and Infrastructure Security Agency (CISA) first flagged the surfacing of Submarine, describing the malware as "novel and persistent."
"Submarine comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup," they said in an advisory.
CISA analyzed a total of seven Submarine samples from one particular victim organization, along with related artifacts that showed the malware had obtained sensitive information from the compromised SQL database.
"This malware poses a severe threat for lateral movement," CISA warned. The agency urged organizations with affected devices to implement its list of recommended actions for mitigating the threat, available in the advisory.
In May, Barracuda first disclosed — and quickly patched — a remote command-injection vulnerability, which exists in versions 5.1.3.011 to 9.2.0.006 of Barracuda ESG (CVE-2023-2868), in a module that, ironically enough, screens email attachments for malware and other potentially unwanted software.
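The affected range quoted above (5.1.3.011 to 9.2.0.006) is easy to get wrong with a naive string comparison, because Barracuda-style versions zero-pad the last field. The following Python script, an added example rather than code from Barracuda, Mandiant or CISA, parses such versions into integer tuples and sorts an appliance inventory into affected, outside-range and unparseable buckets. The inventory it runs on is a constructed sample; the only page-derived values are the two range endpoints. Note that, as the article itself goes on to explain, a version outside this range is not evidence that an appliance is clean, since the actor maintained persistence on patched devices and Barracuda's guidance is to replace compromised appliances.

```python
"""Exposure check for the CVE-2023-2868 version range stated in the article.

Added example: not Barracuda's, Mandiant's or CISA's code. AFFECTED_MIN and
AFFECTED_MAX come from the article; everything else here is constructed.
"""
from __future__ import annotations

AFFECTED_MIN = "5.1.3.011"   # lower bound stated in the article
AFFECTED_MAX = "9.2.0.006"   # upper bound stated in the article


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into integer components.

    A plain string comparison misorders zero-padded fields: "5.1.3.9" sorts
    after "5.1.3.011" as text even though 9 < 11, and "10.0.0.001" sorts
    before "9.2.0.006". Integer tuples compare correctly.
    """
    version = version.strip()
    if not version:
        raise ValueError("empty version string")
    parts = []
    for field in version.split("."):
        if not field.isdigit():
            raise ValueError(f"non-numeric version field {field!r} in {version!r}")
        parts.append(int(field))
    return tuple(parts)


def is_affected(version: str,
                low: str = AFFECTED_MIN,
                high: str = AFFECTED_MAX) -> bool:
    """True if `version` lies within [low, high], inclusive of both ends.

    Tuples of different length compare component-wise, a shorter tuple
    sorting before a longer one sharing its prefix ("9.2.0" < "9.2.0.006").
    """
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group appliance names by exposure.

    Unparseable versions are not silently treated as safe; they go to
    'invalid' so a human looks at them.
    """
    result: dict[str, list[str]] = {"affected": [], "outside_range": [], "invalid": []}
    for name, ver in inventory.items():
        try:
            bucket = "affected" if is_affected(ver) else "outside_range"
        except ValueError:
            bucket = "invalid"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "esg-hq-01": "5.1.3.011",   # exactly the lower bound -> affected
        "esg-hq-02": "9.2.0.006",   # exactly the upper bound -> affected
        "esg-dc-01": "8.0.1.003",   # inside the range -> affected
        "esg-lab-01": "9.2.0.007",  # one step past the range -> outside
        "esg-old-01": "5.1.3.010",  # one step before the range -> outside
        "esg-bad-01": "unknown",    # unparseable -> manual review
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The script takes whatever inventory mapping you supply (hostname to firmware version); how that mapping is collected from the appliances is outside the page's scope and is left to the reader.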
However, it has become apparent since then that the threat actor has been able to maintain persistence on compromised Barracuda ESG systems even after the company released patches and containment measures — thanks to the attackers' ability to quickly tweak their malware in response to Barracuda's efforts to mitigate the threat.
The attacks have been so virulent that Barracuda on June 8 took the highly unusual step of telling customers to "rip and replace" their appliances rather than attempting to further patch them.
Barracuda hired Google's Mandiant group to investigate the attacks. Mandiant in June said it had identified UNC4841, a likely China-based advanced persistent threat (APT) actor, as the culprit behind an aggressive cyber espionage campaign targeting organizations in multiple sectors across 16 countries.
Mandiant said it had observed the threat actor deploy a trio of backdoors — Saltwater, Seaspy, and Seaside — after exploiting CVE-2023-2868. The three backdoors packed a variety of functions for stealing data, monitoring affected systems, and receiving and executing a range of malicious remote commands.
According to Mandiant's Larsen, Saltwater is a module for Barracuda's SMTP daemon that contains backdoor functionality; Seaspy is the primary passive backdoor that UNC4841 has used throughout the campaign; and Seaside is a Lua-based module for the Barracuda SMTP daemon.
Barracuda on Friday updated its advisory on UNC4841 following CISA's discovery of the fourth backdoor. The company said it had analyzed Submarine in collaboration with Mandiant and found the malware appeared only on a very small subset of already compromised ESG devices.
"This additional malware was utilized by the threat actor in response to Barracuda's remediation actions in an attempt to create persistent access on customer ESG appliances," Barracuda said. "Barracuda's recommendation is unchanged. Customers should discontinue use of the compromised ESG appliance and contact Barracuda support to obtain a new ESG virtual or hardware appliance."
