Connect with us

Hi, what are you looking for?


Malware & Threats

Barracuda Zero-Day Used to Target Government, Tech Organizations in US, APJ

The new Barracuda ESG zero-day CVE-2023-7102 has been used by Chinese hackers to target organizations in the US and APJ region.

Barracuda zero day exploited by China

The recently disclosed vulnerability affecting Barracuda Email Security Gateway (ESG) appliances has been exploited as a zero-day to target government, high-tech and IT organizations, according to Mandiant.

The ESG vulnerability, tracked as CVE-2023-7102, is an arbitrary code execution flaw impacting ‘Spreadsheet::ParseExcel’, an open source library used by ESG devices to check Excel email attachments for malware.  

Attackers can plant malicious code inside a specially crafted Excel file and send it as an attachment to the targeted organization. The malicious code is executed without any user interaction when the ESG appliance scans the email, enabling the attackers to gain access to systems and steal valuable data. 

Mandiant, which has helped the vendor investigate the attacks, told SecurityWeek that the China-linked threat actor tracked as UNC4841 was spotted exploiting the zero-day on December 20, but evidence suggests that the campaign started on or about November 30.

The attacks, part of UNC4841’s cyberespionage operations, targeted a “limited number” of government, IT and high-tech organizations, mainly located in the United States and the Asia-Pacific and Japan (APJ) region. 

The hackers exploited CVE-2023-7102 to deliver new variants of the SeaSpy and SaltWater malware to Barracuda customers. 

“On December 21 and 22, 2023, Barracuda responded promptly by deploying updates to remediate the vulnerability and the ESG appliances that may have been compromised by the newly identified malware variants. While the ESG updates do not require any customer action, Mandiant still recommends Barracuda’s customers read through the advisory and follow their recommended guidance,” said Austin Larsen, Mandiant Senior Incident Response Consultant, Google Cloud.

The Chinese cyberspy group previously exploited a Barracuda ESG vulnerability tracked as CVE-2023-2868 to deliver SeaSpy, SaltWater and SeaSide backdoors, as well as other malware. 

Advertisement. Scroll to continue reading.

This flaw had been exploited as a zero-day for more than half a year before the attacks were discovered and Barracuda released patches. However, the threat actor was prepared for remediation efforts, forcing the vendor to urge customers to replace compromised appliances.

The first round of attacks targeted government, IT, high-tech, telecoms, manufacturing, healthcare, aerospace and defense, and semiconductor organizations across over a dozen countries. Many of the targeted government organizations were in North America.

“This latest campaign further demonstrates this actor’s persistence from the last UNC4841 campaign. Mandiant anticipates this threat actor may broaden their targeted attack surface to other appliances with a greater variety of exploits in the future,” Larsen said. 

Related: Mandiant Intelligence Chief Raises Alarm Over China’s ‘Volt Typhoon’ Hackers in US Critical Infrastructure

Related: CISA Analyzes Malware Used in Barracuda ESG Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.