Barracuda disclosed that a recently identified zero-day in its Email Security Gateway (ESG) appliances was exploited by Chinese threat actors. The exploitation resulted in the deployment of a backdoor on a “limited number” of devices.
The company linked the activity to a threat actor, identified as UNC4841 by Mandiant, a subsidiary of Google. UNC4841 was previously associated with the active exploitation of another zero-day in Barracuda devices (CVE-2023-2868, with a CVSS score of 9.8) earlier this year.
The successful exploitation of the recently identified flaw is achieved through a meticulously crafted Microsoft Excel email attachment. Identified as CVE-2023-7102, the issue involves arbitrary code execution embedded within the third-party open-source library Spreadsheet::ParseExcel, utilized by the Amavis scanner within the gateway.
Subsequently, new iterations of familiar implants named SEASPY and SALTWATER are deployed, equipped to provide both persistence and command execution capabilities.
Mandiant, actively investigating the campaign, estimates that organizations in both private and public sectors across a minimum of 16 countries have been impacted since October 2022.
The recent development underscores the adaptability of UNC4841, employing innovative tactics and techniques to maintain access to high-priority targets even as existing vulnerabilities are addressed.
Barracuda announced the release of a security update automatically implemented on December 21, 2023, ensuring that no additional action is needed from customers.
Additionally, the company emphasized that it promptly deployed a patch to address compromised ESG appliances showing indicators of compromise associated with the newly identified malware variants, a day later. However, the scale of the compromise was not disclosed.
Nevertheless, the initial vulnerability in the Spreadsheet::ParseExcel Perl module (version 0.65) remains unaddressed and is assigned the CVE identifier CVE-2023-7101. This highlights the need for downstream users to undertake suitable remedial measures.
It remains to be seen what impact this exploitation and the extent of it will have on the data of Barracuda’s clients spread across many countries.
