CISA, an American government cybersecurity agency, has uncovered a new backdoor malware called Whirlpool used in cybercriminal operations against compromised Barracuda ESG devices.
A few months ago, Barracuda disclosed that the alleged China-backed hacking group, UNC4841, had infiltrated Email Security Gateway appliances during data-theft attacks that exploited the CVE-2023-2868 zero-day flaw.
The vulnerability in question is a remote command injection flaw with a critical severity score of 9.8 out of 10, affecting Barracuda ESG versions 5.1.3.001 up to 2.2.0.006.
The researchers later discovered that the malicious operation began in October last year. The actors utilised the bug to install the previously unidentified malware strains called Saltwater and SeaSpy. Moreover, the actors have also exploited the flaw to deploy a malicious tool called SeaSide to establish a reverse shell for more straightforward remote access on infected devices.
Barracuda offered replacement devices to all impacted customers for free instead of fixing the affected devices with new patches. Hence, the researchers believe the attacks have more destructive capabilities than expected.
The Whirlpool malware campaign is the latest attack targeting Barracuda ESG devices.
Earlier this week, CISA revealed the Whirlpool backdoor malware that they found in the threat campaigns against Barracuda ESG devices.
The malware’s discovery makes it the third backdoor utilised by threat actors in the attacks targeting the Barracuda ESG. This detail also helps explain why the company replaced devices rather than fixing the compromised software.
The researchers explained that the malware sample they found on an infected Barracuda ESG device was a 32-bit ELF file. The malware takes two arguments passed to it by a separate module and uses them to launch a Transport Layer Security (TLS) reverse shell. Unfortunately, the module that supplies the arguments was not available for further analysis.
The Whirlpool malware appears to have operated under the ‘pd’ process. CISA advises users to contact relevant authorities if they find suspicious activities in their Barracuda ESG appliances or discover signs of compromise from backdoors.
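As an added triage example (not code from CISA's report or from this article), the following Python parses the ELF identification header of a process's executable image and flags processes that match the two traits reported above: a 32-bit ELF running under the name 'pd'. It assumes the process name and the leading bytes of each image have already been collected from the appliance; the process records and ELF headers below are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ELF_MAGIC = b"\x7fELF"

@dataclass
class ProcRecord:
    pid: int
    comm: str          # process name as reported by the appliance OS
    exe_header: bytes  # leading bytes of the executable image (>= 20 bytes)

def parse_elf_header(header: bytes) -> Optional[dict]:
    """Parse ELF magic, class, byte order, e_type and e_machine; None if not ELF."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    cls = {1: 32, 2: 64}.get(header[4])          # EI_CLASS
    endian = {1: "<", 2: ">"}.get(header[5])     # EI_DATA
    if cls is None or endian is None:
        return None
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    return {"class": cls, "endian": endian, "e_type": e_type, "e_machine": e_machine}

def flag_whirlpool_candidates(records):
    """Return PIDs of processes named 'pd' whose image is a 32-bit ELF.
    Only the traits CISA reported are checked, so hits are triage leads, not confirmations."""
    hits = []
    for r in records:
        info = parse_elf_header(r.exe_header)
        if r.comm == "pd" and info is not None and info["class"] == 32:
            hits.append(r.pid)
    return hits

def elf_header(cls=1, e_type=2, e_machine=3):
    """Constructed helper: build a minimal little-endian ELF header (defaults: 32-bit, ET_EXEC, EM_386)."""
    return ELF_MAGIC + bytes([cls, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", e_type, e_machine)

# Constructed sample process table, not real captures from an appliance.
SAMPLE = [
    ProcRecord(101, "pd", elf_header(cls=1)),      # 32-bit ELF named pd -> triage lead
    ProcRecord(102, "pd", elf_header(cls=2)),      # 64-bit ELF named pd -> does not match
    ProcRecord(103, "sshd", elf_header(cls=1)),    # 32-bit ELF, different name
    ProcRecord(104, "pd", b"#!/bin/sh\n" + b"\x00" * 16),  # shell script, not ELF
]

if __name__ == "__main__":
    print("triage leads:", flag_whirlpool_candidates(SAMPLE))
```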
Experts expect these attacks to continue as long as admins lack a remediation for the exploited flaw.