The recently disclosed vulnerability affecting Barracuda Email Security Gateway (ESG) appliances has been exploited as a zero-day to target government, high-tech and IT organizations, according to Mandiant.
The ESG vulnerability, tracked as CVE-2023-7102, is an arbitrary code execution flaw impacting ‘Spreadsheet::ParseExcel’, an open source library used by ESG devices to check Excel email attachments for malware.
Attackers can plant malicious code inside a specially crafted Excel file and send it as an attachment to the targeted organization. The malicious code is executed without any user interaction when the ESG appliance scans the email, enabling the attackers to gain access to systems and steal valuable data.
Mandiant, which has helped the vendor investigate the attacks, told SecurityWeek that the China-linked threat actor tracked as UNC4841 was spotted exploiting the zero-day on December 20, but evidence suggests that the campaign started on or about November 30.
The attacks, part of UNC4841’s cyberespionage operations, targeted a “limited number” of government, IT and high-tech organizations, mainly located in the United States and the Asia-Pacific and Japan (APJ) region.
The hackers exploited CVE-2023-7102 to deliver new variants of the SeaSpy and SaltWater malware to Barracuda customers.
“On December 21 and 22, 2023, Barracuda responded promptly by deploying updates to remediate the vulnerability and the ESG appliances that may have been compromised by the newly identified malware variants. While the ESG updates do not require any customer action, Mandiant still recommends Barracuda’s customers read through the advisory and follow their recommended guidance,” said Austin Larsen, Mandiant Senior Incident Response Consultant, Google Cloud.
The Chinese cyberspy group previously exploited a Barracuda ESG vulnerability tracked as CVE-2023-2868 to deliver SeaSpy, SaltWater and SeaSide backdoors, as well as other malware.
This flaw had been exploited as a zero-day for more than half a year before the attacks were discovered and Barracuda released patches. However, the threat actor was prepared for remediation efforts, forcing the vendor to urge customers to replace compromised appliances.
The first round of attacks targeted government, IT, high-tech, telecoms, manufacturing, healthcare, aerospace and defense, and semiconductor organizations across over a dozen countries. Many of the targeted government organizations were in North America.
“This latest campaign further demonstrates this actor’s persistence from the last UNC4841 campaign. Mandiant anticipates this threat actor may broaden their targeted attack surface to other appliances with a greater variety of exploits in the future,” Larsen said.