Barracuda Patches ESG Zero-Day Exploited by Chinese Hackers
December 27, 2023
Barracuda, a firm specializing in network and email security, has announced that on December 21 it automatically pushed a security update to all active Email Security Gateway (ESG) appliances to patch a zero-day vulnerability that the China-nexus threat group UNC4841 had been exploiting. On December 22 the company pushed a second update to already compromised ESG appliances on which the attackers had deployed new variants of the SeaSpy and Saltwater malware.
The zero-day vulnerability, tracked as CVE-2023-7102, was disclosed on Christmas Eve. It stems from a weakness in Spreadsheet::ParseExcel, an open-source Perl module for parsing Excel files that the Amavis virus scanner on Barracuda ESG appliances uses to inspect attachments. The module passes unvalidated content from the spreadsheet (its number format strings) into a Perl string eval, so a specially crafted Excel attachment mailed to an unpatched appliance can execute arbitrary code on it; Barracuda describes the issue as parameter injection.
Barracuda also filed a separate CVE ID, CVE-2023-7101, to track the bug in the open-source library itself, which had not yet received an upstream fix at the time of writing. The separate ID matters because any other product that bundles the module is exposed to the same flaw. In a statement issued on December 24, Barracuda advised, "No action is required by customers at this time, and our investigation is ongoing." The company, working with Mandiant, attributed the activity to the continued operations of the China-nexus actor tracked as UNC4841.
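The bug class behind CVE-2023-7101, as an added illustration written for this article rather than code from Spreadsheet::ParseExcel, Amavis or Barracuda: an Excel number format may carry a condition section such as [>100], and the toy below shows what happens when that text is spliced into Perl source and run with string eval, next to a version that parses it against a closed grammar. The two functions, the sample condition strings and the benign payload are all constructed for the example.

```perl
#!/usr/bin/perl
# Constructed illustration of the bug class behind CVE-2023-7101: a number
# format string read from an untrusted workbook is spliced into Perl source
# and run with string eval. Written for this article; not code from
# Spreadsheet::ParseExcel, Amavis or Barracuda.
use strict;
use warnings;

# An Excel number format may begin with a condition section, e.g. "[>100]0.00;0"
# means "use 0.00 when the value is greater than 100, otherwise 0". Inside a
# workbook the text between the brackets comes straight from the file, so the
# sender of the attachment controls it completely.

# VULNERABLE PATTERN: interpolate the condition into Perl source and evaluate it.
# Anything in $condition that parses as Perl executes with the privileges of
# whatever invoked the parser (on an appliance, the mail-scanning process).
sub condition_matches_unsafe {
    my ($value, $condition) = @_;
    my $result = eval "$value $condition";
    return $result ? 1 : 0;
}

# HARDENED VERSION: file content never reaches the interpreter. The condition is
# matched against a strict grammar (one operator from a closed set, one decimal
# number, nothing else) and dispatched to a fixed comparison; anything that does
# not fit is rejected instead of being "tolerated".
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

sub condition_matches_safe {
    my ($value, $condition) = @_;
    # "<>" must precede "<" and ">" in the alternation so it is not split.
    my ($op, $number) =
        $condition =~ /\A\s*(<=|>=|<>|<|>|=)\s*(-?\d+(?:\.\d+)?)\s*\z/
        or die "rejected malformed condition section: $condition\n";
    return $COMPARE{$op}->($value, $number) ? 1 : 0;
}

# Constructed inputs: two legitimate condition sections and one payload that is
# harmless here (it only prints) but is valid Perl once interpolated; a real
# attacker would put system() or a reverse shell in its place.
my $cell_value = 42;
my @condition_sections = (
    '>100',
    '<=50',
    '>1; print qq{injected code ran\n}',
);

for my $cond (@condition_sections) {
    print "condition [$cond]\n";
    print "  unsafe: ", condition_matches_unsafe($cell_value, $cond), "\n";
    my $safe = eval { condition_matches_safe($cell_value, $cond) };
    if (defined $safe) {
        print "  safe:   $safe\n";
    } else {
        chomp(my $error = $@);
        print "  safe:   $error\n";
    }
}
```

Run as-is, the unsafe function prints "injected code ran" for the third input while the hardened one refuses it and still evaluates the two legitimate conditions correctly. The point for an appliance is that the attachment is opened by the scanner automatically, so no user interaction is needed. When auditing Perl for this class, every eval whose argument is a string rather than a block is a place to look; eval { ... } is compiled with the rest of the program and cannot turn data into code.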
In May, Barracuda disclosed that the same group had exploited another ESG zero-day, CVE-2023-2868, a command injection flaw in the appliance's handling of file names inside .tar email attachments, as part of a cyber-espionage campaign. The zero-day had been used in attacks since at least October 2022, roughly seven months before it was discovered, to deploy previously unknown malware and exfiltrate data from compromised systems. The hackers deployed the SeaSpy and Saltwater malware, as well as the SeaSide tool, to gain remote access to hacked systems via reverse shells.
In the same campaign the attackers also used the Submarine (aka DepthCharge) and Whirlpool malware as later-stage payloads to maintain persistence on a small number of previously compromised devices on the networks of high-value targets. The primary motivation was espionage: UNC4841 selectively exfiltrated data from breached networks, with government and high-tech organizations among the most frequent victims.
According to cybersecurity firm Mandiant, nearly one-third of the organizations whose appliances were compromised in that campaign were government agencies, and most of the intrusions took place between October and December 2022. Following the May attacks, Barracuda advised customers to replace all compromised appliances immediately, even those that had already been patched, because the patches did not reliably evict the attackers from devices they had already backdoored; around 5% of all ESG appliances were breached. Barracuda's products are used by more than 200,000 organizations globally, including Samsung, Kraft Heinz, Mitsubishi, and Delta Airlines.
Related News
- Barracuda Zero-Day Attacks Target US Government Email Servers
- FBI Declares Barracuda ESG Zero-Day Patches Ineffective
- CISA Uncovers 'Whirlpool' Backdoor in Barracuda ESG Attacks
- CISA Investigates Malware Deployed in Barracuda ESG Attacks
- CISA Discovers New Submarine Malware in Hacked Barracuda ESG Appliances