Barracuda Patches ESG Zero-Day Exploited by Chinese Hackers

December 27, 2023

Barracuda, a firm specializing in network and email security, has announced that it patched a zero-day vulnerability in all active Email Security Gateway (ESG) appliances on December 21. The vulnerability was being exploited by the Chinese hacker group UNC4841. The company also rolled out a second wave of security updates on December 22 to already compromised ESG appliances where the attackers had deployed SeaSpy and Saltwater malware.

The zero-day vulnerability, tracked as CVE-2023-7102, was disclosed on Christmas Eve. It is linked to a weakness in the Spreadsheet::ParseExcel third-party library used by the Amavis virus scanner running on Barracuda ESG appliances. This flaw allows attackers to execute arbitrary code on unpatched ESG appliances through parameter injection.

Barracuda also filed CVE-2023-7101 to track the bug separately in the open-source library, which is still awaiting a patch. In a statement issued on December 24, Barracuda advised, "No action is required by customers at this time, and our investigation is ongoing." The company, working with Mandiant, attributed the activity to the continued operations of the China-nexus actor tracked as UNC4841.

In May, the same hacker group exploited another zero-day (CVE-2023-2868) to target Barracuda ESG appliances as part of a cyber-espionage campaign. Barracuda disclosed that the zero-day had been used in attacks for at least seven months, since at least October 2022, to deploy previously unknown malware and exfiltrate data from compromised systems. The hackers deployed SeaSpy and Saltwater malware, as well as the SeaSide malicious tool, to gain remote access to hacked systems via reverse shells.

The same attackers also used Submarine (aka DepthCharge) and Whirlpool malware as later-stage payloads in the same attacks to maintain persistence on a small number of previously compromised devices on the networks of high-value targets. The primary motivation behind these attacks was espionage: UNC4841 specifically targeted high-profile government and high-tech users, exfiltrating data from the breached networks.

According to cybersecurity firm Mandiant, nearly one-third of the appliances hacked in the May campaign belonged to government agencies, most of them compromised between October and December 2022. Following the May attacks, Barracuda advised its customers to replace all compromised appliances immediately, even those that had already been patched (around 5% of all appliances were breached in the attacks). Barracuda's products are used by more than 200,000 organizations globally, including leading companies such as Samsung, Kraft Heinz, Mitsubishi, and Delta Airlines.
