
Whirlpool Malware

The United States Cybersecurity and Infrastructure Security Agency (CISA) has reported Advanced Persistent Threat (APT) activity exploiting a zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances.

According to a CISA alert, the vulnerability was exploited to plant the Seaspy and Whirlpool backdoors on compromised appliances. CISA obtained four malware samples from affected devices, among them the Seaspy and Whirlpool backdoors, and published malware analysis reports on them. The appliances were compromised through a flaw in the Barracuda ESG tracked as CVE-2023-2868, a remote command injection in the handling of incoming email attachments that allows arbitrary command execution on appliances running versions 5.1.3.001 through 9.2.0.006.

The Whirlpool Malware Establishes a Backdoor Connection to Breached Systems

Seaspy is a long-standing fixture of the Barracuda intrusions. It is a passive backdoor that poses as a legitimate Barracuda service under the name 'BarracudaMailService' and lets the threat actors execute arbitrary commands on the ESG appliance. Whirlpool, by contrast, is a newly identified backdoor that the attackers use to open a Transport Layer Security (TLS) reverse shell back to their Command-and-Control (C2) server.

Whirlpool is a 32-bit Executable and Linkable Format (ELF) binary. It receives two arguments, the C2 IP address and port number, from a separate module and uses them to establish the TLS reverse shell.

In a reverse shell the compromised host initiates the connection, reaching out to a server under the attackers' control and attaching a command shell to that connection. Because the appliance dials out rather than listening, the shell works through firewalls that block inbound traffic, and wrapping it in TLS keeps the commands and their output from being read by network inspection. The module that supplies Whirlpool's arguments was not available to CISA for analysis, so how the C2 address and port are selected or updated is not known.

Alongside Seaspy and Whirlpool, several other backdoors deployed through the Barracuda ESG vulnerability have been identified, including Saltwater, Submarine, and Seaside.

CVE-2023-2868 Has Turned into a Significant Issue for Barracuda

The ESG vulnerability has turned into a drawn-out problem for Barracuda. Exploitation of the then-unknown flaw had been under way since as early as October 2022, well before it was identified. Barracuda acknowledged the vulnerability in May 2023 and released patches to address it.

Just over two weeks later, however, Barracuda advised customers to replace potentially affected appliances, specifically those running versions 5.1.3.001 through 9.2.0.006, even if the patches had been applied: a patch closes the injection flaw but does nothing about backdoors already planted on an appliance that was compromised before it arrived. Months on, CISA's findings indicate that exploitation continues, raising questions about how effectively Barracuda's approach is resolving the matter.
