Barracuda has revealed that Chinese threat actors exploited a new zero-day vulnerability in its Email Security Gateway (ESG) devices to deploy a backdoor on a “limited number” of devices.
This issue, tracked as CVE-2023-7102, involves arbitrary code execution in Spreadsheet::ParseExcel, a third-party open source library used by the Amavis scanner that resides in the gateway.
The company attributed the activity to a threat actor tracked by Google-owned Mandiant as UNC4841, the same group previously linked to the active exploitation of another Barracuda ESG zero-day (CVE-2023-2868, CVSS score: 9.8) earlier this year.
The new vulnerability was successfully exploited via a specially crafted Microsoft Excel email attachment. New variants of known implants named SEASPY and SALTWATER were subsequently deployed, providing persistence and command execution capabilities.
Barracuda said it released a security update that was “automatically applied” on December 21, 2023, with no further action required by customers.
It further noted that a day later it “deployed a patch to remediate compromised ESG devices that showed signs of compromise associated with the newly identified malware variant.” It did not disclose the size of the compromise.
That said, the underlying flaw in the Spreadsheet::ParseExcel Perl module (version 0.65), a code injection bug in which number-format strings read from the workbook are passed to a Perl string eval, remains unpatched at the time of writing and has been assigned its own identifier, CVE-2023-7101. Other downstream users of the module therefore need to take their own remediation measures rather than rely on Barracuda's fix.
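To make the bug class concrete, here is an added example (written for this page, not code from Spreadsheet::ParseExcel, Amavis or Barracuda) that reduces the CVE-2023-7101 pattern to a few lines of Perl: a cell number-format string taken from an untrusted workbook is interpolated into a string eval, beside a version that validates the format against an allow-list and never evaluates it. The format strings, the helper names format_number_unsafe and format_number_safe, and the $main::injected marker are all constructed for the demonstration; the real module's formatting logic is considerably larger.

```perl
#!/usr/bin/env perl
# Added example, not code from Spreadsheet::ParseExcel or Barracuda.
# It reduces the CVE-2023-7101 bug class to a few lines: a number-format
# string read from an untrusted workbook is interpolated into a Perl
# string eval (vulnerable), versus parsed against an allow-list and used
# only as data (hardened). Both format strings below are constructed.
use strict;
use warnings;

# Stand-ins for cell number-format strings taken from an .xls file.
# The hostile one only sets a variable so the demo stays side-effect free;
# a real payload would call system() in the same position.
my $benign  = '0.00';
my $hostile = '0.00", ($main::injected = "code ran"), "';

# VULNERABLE PATTERN: the attacker-controlled string becomes Perl source.
sub format_number_unsafe {
    my ($value, $fmt) = @_;
    no warnings 'void';    # keeps stderr quiet; has no effect on the injection
    my $decimals = ( $fmt =~ /\.(0+)/ ) ? length($1) : 0;

    # BUG: $fmt is interpolated into code that eval compiles and runs,
    # so any Perl the format string contains is executed.
    my $code = qq{sprintf("%.${decimals}f", $value) . " [$fmt]"};
    my $out  = eval $code;
    die $@ if $@;
    return $out;
}

# HARDENED PATTERN: validate the format against the grammar you actually
# support and never hand it to eval; the string is data, not code.
sub format_number_safe {
    my ($value, $fmt) = @_;
    my ($zeros) = ( $fmt =~ /\A0(?:\.(0+))?\z/ )
        or die "unsupported number format: $fmt\n";
    my $decimals = defined $zeros ? length($zeros) : 0;
    return sprintf("%.${decimals}f", $value) . " [$fmt]";
}

for my $fmt ($benign, $hostile) {
    $main::injected = undef;

    my $unsafe = format_number_unsafe(3.14159, $fmt);
    printf "unsafe  fmt=%-48s injected=%s\n", "'$fmt'", $main::injected // 'no';

    my $safe = eval { format_number_safe(3.14159, $fmt) };
    my $err  = $@;
    chomp $err;
    printf "safe    fmt=%-48s result=%s\n", "'$fmt'",
        defined $safe ? $safe : "rejected: $err";
}
```

Running it shows the benign format producing the same "3.14 [0.00]" from both functions, while the hostile format sets $main::injected through the unsafe path and is rejected outright by the safe one. The fix is not a cleverer regex in front of eval but removing eval from the data path entirely: anything that reaches a string eval, sprintf-with-user-format, or shell-out from file content is code execution waiting for a payload.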
According to Mandiant, which has been investigating the activity, private and public sector organizations in at least 16 countries are estimated to have been affected since October 2022.
The latest developments once again demonstrate UNC4841's adaptability, adopting new tooling and techniques to retain access to high-priority targets even as the vulnerabilities it previously relied on are closed.