The U.S. Cybersecurity & Infrastructure Safety Company (CISA) has found that the backdoor malware named ‘Whirlpool’ utilized in assaults on compromised Barracuda E mail Safety Gateway (ESG) units.
In Might, Barracuda revealed a suspected pro-China hacker group (UNC4841) had breached ESG (E mail Safety Gateway) home equipment in data-theft assaults utilizing the CVE-2023-2868 zero-day vulnerability.
CVE-2023-2868 is a vital severity (CVSS v3: 9.8) distant command injection vulnerability impacting Barracuda ESG variations 5.1.3.001 by way of 9.2.0.006.
It was later found that the assaults began in October 2022 and had been used to set up beforehand unknown malware named Saltwater and SeaSpy and a malicious device known as SeaSide to ascertain reverse shells for simple distant entry.
As a substitute of fixing units with software program updates, Barracuda provided substitute units to all affected clients at no cost, indicating that the assaults had been extra damaging than initially thought.
CISA has since shared additional particulars about an extra malware named Submariner that was deployed within the assaults.
Whirlpool malware
Yesterday, CISA disclosed the invention of one other backdoor malware named ‘Whirlpool’ [VirusTotal] that was discovered for use within the assaults on Barracuda ESG units.
The invention of Whirlpool makes this the third distinct backdoor used within the assaults focusing on Barracuda ESG, as soon as once more illustrating why the corporate selected to switch units relatively than repair them with software program.
“This artifact is a 32-bit ELF file that has been recognized as a malware variant named “WHIRLPOOL,” reads CISA’s up to date Barracuda ESG malware report.
“The malware takes two arguments (C2 IP and port quantity) from a module to ascertain a Transport Layer Safety (TLS) reverse shell.”
“The module that passes the arguments was not obtainable for evaluation.”
From submissions to VirusTotal, the Whirlpool malware seems to have run beneath the ‘pd‘ course of.
Mandiant was the primary to doc Whirlpool in a June 2023 report, attributing its use to Chinese language risk actors.
Beforehand, on Might 30, 2023, Barracuda discovered SeaSpy on hacked ESG home equipment, a persistent passive backdoor that masquerades as a respectable service, specifically “BarracudaMailService,” and runs instructions on behalf of the risk actors.
On July 28, 2023, CISA warned of a beforehand unknown backdoor in breached Barracuda units named ‘Submarine.’
Submarine resides within the SQL database of ESG, permitting root entry, persistence, and command and management communications.
Indicators of compromise and YARA guidelines that assist detect infections by the 4 newly found variants of SeaSpy and Whirlpool are offered in a separate doc.
Should you establish suspicious exercise in your Barracuda ESG equipment or uncover indicators of compromise by any of the three talked about backdoors, you might be urged to contact CISA’s 24/7 Operations Middle at “report@cisa.gov” to assist with their investigations.
