Connect with us

Hi, what are you looking for?


Email Security

Chinese Hackers Deliver Malware to Barracuda Email Security Appliances via New Zero-Day

Chinese hackers exploited a zero-day tracked as CVE-2023-7102 to deliver malware to Barracuda Email Security Gateway (ESG) appliances.

Barracuda zero day exploited by China

China-linked hackers continue to target Barracuda Email Security Gateway (ESG) appliances, with recent attacks involving exploitation of a new zero-day vulnerability.

It came to light in May 2023 that a Barracuda ESG zero-day tracked as CVE-2023-2868 had been exploited since at least October 2022 to deliver malware and steal data from a limited number of organizations that had been using the email security product. 

In June, Mandiant attributed the attacks with high confidence to UNC4841, a cyberespionage group believed to be sponsored by the Chinese government. 

In these attacks, the hackers exploited CVE-2023-2868 for initial access to the Barracuda devices by sending specially crafted emails to the targeted organizations. The attackers then delivered custom backdoors named SeaSpy, SaltWater and SeaSide, a rootkit named SandBar, and several trojanized versions of Barracuda LUA modules.

Barracuda rushed to release patches in response to the attacks, but the hackers were relentless and continued targeting devices. The vendor and the FBI strongly urged organizations to isolate and replace compromised devices.

Barracuda has now issued a new warning. The company informed the public on Christmas Eve that the same China-linked UNC4841 group has identified a new zero-day vulnerability affecting ESG appliances.

The new flaw, tracked as CVE-2023-7102 and described as an arbitrary code execution vulnerability, impacts ‘Spreadsheet::ParseExcel’, an open source library used by the Amavis virus scanner present in ESG devices. 

The hackers exploited the zero-day to deliver new variants of the SeaSpy and SaltWater malware to “a limited number” of devices. The exploit leveraged specially crafted Excel files attached to emails sent to victims.  

Advertisement. Scroll to continue reading.

“On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants,” Barracuda said in a blog post. “No action is required by customers at this time, and our investigation is ongoing.”

The company pointed out that there is no patch for the vulnerability in the ‘Spreadsheet::ParseExcel’ library, to which the CVE identifier CVE-2023-7101 has been assigned.

“For organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and promptly taking necessary remediation measures,” Barracuda said.

The company has made available new indicators of compromise (IoCs) for the recently observed malware variants, exploits, and infrastructure. 

Mandiant previously said UNC4841 had targeted entities across 16 countries, including government organizations and officials, academics and academic research organizations, and foreign trade offices. The cybersecurity firm said more than half of the victims were in the Americas and over a quarter were government organizations. Several of the victims were Asian entities that were of interest to China.

Related: Chinese APT Was Prepared for Remediation Efforts in Barracuda ESG Zero-Day Attack

Related: CISA Analyzes Malware Used in Barracuda ESG Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...