CISA warns of new malware

A new warning from CISA advises of a new malware named, “Submarine”, which impacts Barracuda ESG devices.


Replace your device, and get it patched

After detecting attacks in May 2023, Barracuda opted to replace devices as the only way to mitigate the attacks affecting thousands of customers, including federal agencies.


Have a plan in place

Once an attacker gets in, they can do untold millions in damage.  Be sure to have a DR plan in place and a vetted process to ensure your network is robust and you can recover from a disaster if necessary.

Contact BBG today and let’s talk about how we can help with your DR and IT environment plans.


Contact Us Today!


news > Cyber-Attacks > Ransomware
by Kevin Wood

New “Submarine” malware hits federal agencies



CISA reveals new malware

A report released by CISA warns of a new malware dubbed, “Submarine” that affects Barracuda ESG (Email Security Gateway) devices, a majority of which are installed at US federal agencies around the country.

Barracuda stated that the attackers – a suspected group of pro-China supporting hackers named, “UNC4841” – had exploited a zero-day bug, CVE-2023-2868, which is now patched.

The attacks against Barracuda devices were detected in May 2023 but have been going on since October 2022 using multiple variants to attack the inner-workings of the devices in order to bypass security.  The infection exploited the CVE remote command injection and dropped malware named, “Saltwater” and “SeaSpy”, as well as a tool called “SeaSide”.  This combination of software gave the attackers remote access to their victims.

After attempting to mitigate the infection, Barracuda opted to offer replacement devices to all customers.  This came after a warning from them that the devices needed to be replaced due to the way the malware infected the system.  It was not only a software issue, but a hardware issue.

Now, CISA warned users of the new malware, “Submarine”, which infects all unpatched ESG devices, including those at the federal agencies.  This is the newest piece of software that takes advantage of a SQL database to execute code and claw it’s way into the system.

“SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup,” CISA said in a report published on Friday.

“In addition to SUBMARINE, CISA obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information.”

With these reports coming out, Barracuda has provided guidance to customers on how to ensure that attackers are no longer on their networks.  A patch also was released to close up the loop hole created with the “Submarine” malware.

If you use Barracuda ESG hardware and software at your home or business, please be sure to reach out to Barracuda for support.  If you detect suspicious activity, you are urged to contact CISA’s 24/7/365 Operations Center by emailing

As we’ve discussed in other articles, it’s important to have proper backups of systems, including configuration settings for firewalls and other IT devices.  A robust network and proper monitoring goes a long way.

To discuss your backup and disaster recovery plans, or to discuss what you’re doing in your IT environment and where you want to go, email us today and get the conversation started!  Click the button below and let’s find out how we can help you!

  • Do you have a proper backup and disaster recovery solution?
  • Is your IT environment properly secured and monitored for security events?
  • Do you have a way of getting back up and running in the event of a disaster or ransomware attack?
  • If you have answered no to any, or all, of these questions, click the button below and contact us today to see how we can help you ensure your DR plans and IT environment are where they need to be!