China-linked hackers continue to target Barracuda Email Security Gateway (ESG) appliances (https://www.barracuda.com), with recent attacks involving exploitation of a new zero-day vulnerability. It was reported in May 2023 that a Barracuda ESG zero-day tracked as CVE-2023-2868 had been exploited since at least October 2022 to deliver malware and steal data from a limited number of organizations that had been using the email security product. In June 2023, researchers attributed the attacks with high confidence to UNC4841, a cyberespionage group believed to be sponsored by the Chinese government.[1]
In these attacks, the hackers exploited CVE-2023-2868 for initial access to the Barracuda devices by sending specially crafted emails to the targeted organizations. The attackers then delivered custom backdoors named SeaSpy, SaltWater and SeaSide, a rootkit named SandBar, and several trojanized versions of Barracuda Lua modules. Barracuda released patches in response to the attacks, but the hackers were relentless and continued targeting devices. The vendor and the FBI strongly urged organizations to isolate and replace compromised devices.
Barracuda has now issued a new warning. The company informed the public on Christmas Eve that the same China-linked UNC4841 group has identified a new zero-day vulnerability affecting ESG appliances. The new flaw, tracked as CVE-2023-7102 and described as an arbitrary code execution vulnerability, impacts ‘Spreadsheet::ParseExcel’, an open source library used by the Amavis virus scanner present in ESG devices.
The hackers exploited the zero-day to deliver new variants of the SeaSpy and SaltWater malware to “a limited number” of devices. The exploit leveraged specially crafted Excel files attached to emails sent to victims. “On 22 December 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants,” a Barracuda spokesman said in a blog post. “No action is required by customers at this time, and our investigation is ongoing.”
The company pointed out that there is no patch for the vulnerability in the ‘Spreadsheet::ParseExcel’ library, to which the CVE identifier CVE-2023-7101 has been assigned. For organizations utilizing Spreadsheet::ParseExcel in their own products or services, the company recommends reviewing CVE-2023-7101 and promptly taking the necessary remediation measures. The company has made available new indicators of compromise (IoCs) for the recently observed malware variants, exploits, and infrastructure.
Investigators previously reported that UNC4841 had targeted entities across 16 countries, including government organizations and officials, academics and academic research organizations, and foreign trade offices. The researchers said more than half of the victims were in the Americas and over a quarter were government organizations. Several of the victims were Asian entities that were of interest to China.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.securityweek.com/chinese-hackers-deliver-malware-to-barracuda-email-security-appliances-via-new-zero-day/