CISA: Whirlpool Backdoor Sends Barracuda ESG Security Down the Drain

Published: 23/11/2024   Category: security




Researchers have observed China's UNC4841 dropping the backdoor on Barracuda's email security appliances in a spiraling cyber-espionage campaign.



The US Cybersecurity and Infrastructure Security Agency (CISA) in August 2023 issued yet another alert related to the recent advanced persistent threat (APT) attacks targeting a command-injection vulnerability in Barracuda's Email Security Gateway (ESG) appliances.
The alert pertains to a backdoor dubbed Whirlpool that the group behind the attacks, China-based UNC4841, has been deploying in an aggressive cyber-espionage campaign that stretches back to at least October 2022. So far, the campaign has affected private- and public-sector organizations across multiple industries in as many as 16 countries.
Barracuda first reported on the attacks in May 2023 after receiving reports of unusual activity related to its ESG appliances. The company's investigation showed UNC4841 targeting a then zero-day vulnerability in versions 5.1.3.011 to 9.2.0.006 of Barracuda ESG appliances. The threat actor was using the vulnerability, tracked as CVE-2023-2868, to gain initial access to systems belonging to a small number of targeted Barracuda customers.
Barracuda quickly issued a patch for the vulnerability. But by early June 2023 the company began urging affected customers to urgently replace compromised appliances rather than patch them, after observing UNC4841 actors take several measures to maintain a long-term presence on compromised systems.
Meanwhile, the attacks rage on.
CISA identified Whirlpool as a backdoor that establishes a Transport Layer Security (TLS) reverse shell to the attackers' command-and-control (C2) server. Malicious traffic in these reverse shells can be hard to detect because it is encrypted and, when it goes to a port such as 443, blends in with normal outbound HTTPS traffic.
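Because the reverse shell's payload is encrypted, a detection has to lean on what the network sees regardless of the cipher: which host opened the session, to whom, for how long, and with what traffic shape. A reverse shell is opened by the appliance (not by a client talking to it), tends to stay up for a long time, and carries roughly symmetric byte counts because an operator is typing and reading, whereas legitimate HTTPS from a mail gateway is short-lived, request-light/response-heavy, and goes only to a handful of vendor endpoints. The following is an added illustration written for this page, not code from CISA, Mandiant or Barracuda; the appliance address, the allowlist of expected HTTPS peers, the reduced conn-log column layout and the log lines themselves are all constructed for the example.

```python
"""Flag outbound TLS sessions from a mail-security appliance that look like an
interactive reverse shell rather than ordinary HTTPS.

Added example, not vendor or CISA code. Assumes a reduced, Zeek-like conn.log
layout (constructed) and a hypothetical allowlist of expected HTTPS peers."""
from dataclasses import dataclass
from typing import List

# Hypothetical appliance address and the only HTTPS peers it should contact
# (e.g. the vendor's update/licensing endpoint). Both values are assumptions.
APPLIANCE_IP = "10.0.5.20"
EXPECTED_HTTPS_PEERS = {"198.51.100.10"}

# Constructed sample lines. Tab-separated columns, in this order:
# ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes resp_bytes conn_state orig_pkts resp_pkts
SAMPLE_CONN_LOG = """\
1699000001.10\tC1\t10.0.5.20\t51000\t198.51.100.10\t443\ttcp\tssl\t1.8\t1200\t45000\tSF\t12\t40
1699000002.40\tC2\t10.0.5.20\t51001\t203.0.113.77\t443\ttcp\tssl\t5400.2\t48000\t52000\tOTH\t1900\t1850
1699000003.70\tC3\t10.0.5.20\t51002\t192.0.2.9\t25\ttcp\tsmtp\t3.1\t9000\t600\tSF\t20\t15
1699000004.00\tC4\t10.0.5.20\t51003\t203.0.113.77\t8443\ttcp\tssl\t7200.0\t30000\t29000\tOTH\t1500\t1400
"""


@dataclass
class Conn:
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    service: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def parse_conn_log(text: str) -> List[Conn]:
    """Parse the reduced conn-log layout above into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(uid=f[1], orig_h=f[2], resp_h=f[4], resp_p=int(f[5]),
                          service=f[7], duration=float(f[8]),
                          orig_bytes=int(f[9]), resp_bytes=int(f[10])))
    return conns


def looks_like_reverse_shell(c: Conn, min_duration: float = 600.0) -> bool:
    """Heuristic: appliance-initiated TLS to an unexpected peer, long-lived,
    with roughly symmetric byte counts (an operator typing and reading)."""
    if c.orig_h != APPLIANCE_IP or c.service != "ssl":
        return False
    if c.resp_h in EXPECTED_HTTPS_PEERS:
        return False
    if c.duration < min_duration:
        return False
    if c.orig_bytes == 0 or c.resp_bytes == 0:
        return False
    ratio = c.orig_bytes / c.resp_bytes
    return 0.5 <= ratio <= 2.0


def find_suspects(text: str) -> List[str]:
    """Return the uids of sessions matching the reverse-shell heuristic."""
    return [c.uid for c in parse_conn_log(text) if looks_like_reverse_shell(c)]


if __name__ == "__main__":
    print(find_suspects(SAMPLE_CONN_LOG))  # ['C2', 'C4']
```

The heuristic deliberately ignores the destination port: the C4 session on 8443 is flagged just like C2 on 443, because the point of the check is that the appliance itself opened a long, chatty TLS session to a host it has no business talking to. Tune `min_duration` and the allowlist to the environment, and treat a hit as a lead for the appliance-replacement guidance above rather than as proof on its own.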
Google's Mandiant security group first reported on Whirlpool in a June 2023 blog post, after Barracuda asked the company to investigate the ongoing ESG attacks.
The backdoor is one of several that UNC4841 has been using in its campaign. Mandiant's initial report listed three that the company discovered when investigating the Barracuda attacks: Seaspray, Seaside, and Saltwater. Seaspray is the threat group's primary backdoor for the campaign, Saltwater is a module for Barracuda's SMTP daemon that contains backdoor functionality, and Seaside is a Lua-based module for the same SMTP daemon.
Austin Larsen, senior incident response consultant with Mandiant, says his company's analysis of the attacks showed UNC4841 actors are using Whirlpool alongside Seaspray and Seaside. "Whirlpool is a C-based utility," Larsen says. "[It] uses either a single CLI argument that is a given file path, or two arguments that are a given IP and port."
Unlike the other backdoors that UNC4841 has used so far in its campaign, Whirlpool is not a passive backdoor, Larsen says. The threat actor is using it instead to provide reverse shell capabilities for other malware families in its arsenal, such as Seaspray, he notes.
CISA also flagged, earlier in August 2023, the use of the Submarine backdoor, which lives inside an SQL database on Barracuda ESG appliances belonging to a targeted subset of victims and runs with root privileges. The malware enables persistence, command-and-control, cleanup, and lateral movement on compromised networks, CISA warned. Mandiant, which helped CISA analyze the backdoor, described it as a manifestation of UNC4841's attempts to maintain persistent access on compromised systems after Barracuda issued a patch for CVE-2023-2868.
