Whirlpool malware rips open old Barracuda wounds


The US Cybersecurity and Infrastructure Security Agency (CISA) has reported advanced persistent threat (APT) activity exploiting a remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances, a flaw that was first abused as a zero-day before it was patched.

According to the CISA alert, the vulnerability was used to plant the Seaspy and Whirlpool backdoors on compromised devices.

Seaspy is already known: a persistent, passive backdoor that masquerades as the legitimate Barracuda service "BarracudaMailService" and lets the threat actors execute arbitrary commands on the ESG appliance. Whirlpool is newly documented. It is a backdoor the attackers used to establish a Transport Layer Security (TLS) reverse shell to their command-and-control (C2) server.

“CISA obtained four malware samples — including Seaspy and Whirlpool backdoors,” the CISA alert said. “The device was compromised by threat actors exploiting the Barracuda ESG vulnerability.”

Tracked as CVE-2023-2868, the vulnerability is a remote command injection in the ESG's processing of attached .tar archives: the names of files inside the archive were not sanitized before being passed to Perl's qx operator, so a crafted attachment could run system commands with the privileges of the ESG product. It affects appliances running versions 5.1.3.001 to 9.2.0.006.
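The injection class described above, as an added example (not the article's or Barracuda's code; the appliance itself is Perl-based, and this is a Python stand-in for the same pattern): a vulnerable path that interpolates an archive member name into a shell command string, the hardened path that allow-lists the name and never hands it to a shell, and a scanner that flags tar members whose names carry shell metacharacters, which is the check a mail-gateway operator would want. The archive contents, the metacharacter list and the allow-list regex are constructed here for illustration and are assumptions, not Barracuda's actual parsing rules.

```python
"""Added example: modelling the CVE-2023-2868 injection class in Python.

Not Barracuda's code.  The sample archive, SHELL_METACHARACTERS and
SAFE_NAME are assumed/constructed for illustration.
"""
import io
import re
import tarfile

# Characters that let a name break out of its position in a shell command
# line.  Assumed, illustrative list; production code should allow-list.
SHELL_METACHARACTERS = re.compile(r"[`$;|&<>()\n\\'\"]")

# Conservative allow-list for archive member names: path segments of
# [A-Za-z0-9._-], no leading '/', no '..' segment.  Assumed policy.
SAFE_NAME = re.compile(r"^(?!\.\.)[A-Za-z0-9._-]+(/(?!\.\.)[A-Za-z0-9._-]+)*$")


def build_sample_tar() -> bytes:
    """Construct an in-memory .tar with a benign member and one whose name
    carries shell metacharacters (constructed sample, not a real exploit)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("report.txt", "invoice`id`.txt"):
            data = b"hello"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(tar_bytes: bytes) -> list[str]:
    """List archive member names; nothing is extracted to disk."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


def suspicious_members(tar_bytes: bytes) -> list[str]:
    """Detection: member names containing shell metacharacters."""
    return [n for n in member_names(tar_bytes) if SHELL_METACHARACTERS.search(n)]


def vulnerable_command(name: str) -> str:
    """VULNERABLE analog of the flawed pattern: the member name is dropped
    straight into a shell command string, as Perl's qx{...} does with an
    interpolated variable.  Returned rather than executed so the example
    stays inert; a real shell would expand the backticks first."""
    return f"file -b {name}"


def is_safe_name(name: str) -> bool:
    """Allow-list check used by the hardened path."""
    return SAFE_NAME.match(name) is not None


def hardened_argv(name: str) -> list[str]:
    """Hardened form: validate against the allow-list and build an argv
    list, so the name is one argument and is never parsed by a shell
    (pass this to subprocess.run(argv) with shell=False)."""
    if not is_safe_name(name):
        raise ValueError(f"rejected archive member name: {name!r}")
    return ["file", "-b", name]


if __name__ == "__main__":
    sample = build_sample_tar()
    print("members:", member_names(sample))
    print("suspicious:", suspicious_members(sample))
    for n in member_names(sample):
        print("vulnerable:", vulnerable_command(n))
        try:
            print("hardened:", hardened_argv(n))
        except ValueError as exc:
            print("hardened:", exc)
```

The scanner runs on the archive listing only, so it can be applied to quarantined attachments without extracting them; the allow-list in the hardened path is deliberately stricter than "no metacharacters", because rejecting everything unexpected is cheaper than enumerating every character a shell might interpret.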

A long list of Barracuda offenders

CISA identified Whirlpool as a 32-bit Executable and Linkable Format (ELF) binary that takes two arguments, the C2 IP address and port number, from another module and uses them to establish a TLS reverse shell.

A TLS reverse shell is a connection that the compromised system opens outbound to an attacker-controlled server and wraps in TLS, giving the attacker an interactive command channel that blends in with ordinary encrypted traffic and passes through firewalls that only block inbound connections.

The module that passes the two arguments was not available for CISA analysis.

Apart from Seaspy and Whirlpool, other backdoors deployed on Barracuda ESG appliances through this vulnerability include Saltwater, Submarine, and Seaside.

CVE-2023-2868 has been plaguing Barracuda for a long time

The ESG vulnerability has been a…

Source…