China-linked hackers continue to target Barracuda Email Security Gateway (ESG) appliances, with recent attacks involving exploitation of a new zero-day vulnerability.
It came to light in May 2023 that a Barracuda ESG zero-day tracked as CVE-2023-2868 had been exploited since at least October 2022 to deliver malware and steal data from a limited number of organizations that had been using the email security product.
In June, Mandiant attributed the attacks with high confidence to UNC4841, a cyberespionage group believed to be sponsored by the Chinese government.
In these attacks, the hackers exploited CVE-2023-2868 for initial access to the Barracuda devices by sending specially crafted emails to the targeted organizations. The attackers then delivered custom backdoors named SeaSpy, SaltWater and SeaSide, a rootkit named SandBar, and several trojanized versions of Barracuda LUA modules.
Barracuda rushed to release patches in response to the attacks, but the hackers were relentless and continued targeting devices. The vendor and the FBI strongly urged organizations to isolate and replace compromised devices.
Barracuda has now issued a new warning. The company informed the public on Christmas Eve that the same China-linked UNC4841 group has identified a new zero-day vulnerability affecting ESG appliances.
The new flaw, tracked as CVE-2023-7102 and described as an arbitrary code execution vulnerability, impacts ‘Spreadsheet::ParseExcel’, an open source library used by the Amavis virus scanner present in ESG devices.
The hackers exploited the zero-day to deliver new variants of the SeaSpy and SaltWater malware to “a limited number” of devices. The exploit leveraged specially crafted Excel files attached to emails sent to victims.
“On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants,” Barracuda said in a blog post. “No action is required by customers at this time, and our investigation is ongoing.”
The company pointed out that there is no patch for the vulnerability in the ‘Spreadsheet::ParseExcel’ library, to which the CVE identifier CVE-2023-7101 has been assigned.
“For organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and promptly taking necessary remediation measures,” Barracuda said.
The company has made available new indicators of compromise (IoCs) for the recently observed malware variants, exploits, and infrastructure.
Mandiant previously said UNC4841 had targeted entities across 16 countries, including government organizations and officials, academics and academic research organizations, and foreign trade offices. The cybersecurity firm said more than half of the victims were in the Americas and over a quarter were government organizations. Several of the victims were Asian entities that were of interest to China.