Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a "limited number" of devices.
Tracked as CVE-2023-7102, the issue relates to a case of arbitrary code execution that resides within a third-party and open-source library named Spreadsheet::ParseExcel that's used by the Amavis scanner within the gateway to screen Microsoft Excel email attachments for malware.
The company attributed the activity to a threat actor tracked by Google-owned Mandiant as UNC4841, which was previously linked to the active exploitation of another zero-day in Barracuda devices (CVE-2023-2868, CVSS score: 9.8) earlier this year.
Successful exploitation of the new flaw is accomplished by means of a specially crafted Microsoft Excel email attachment. This is followed by the deployment of new variants of known implants called SEASPY and SALTWATER that are equipped to offer persistence and command execution capabilities.
“Once a target receives an email with the malicious Excel attachment from UNC4841, the email is scanned by the Barracuda ESG appliance, thereby executing the malicious code contained in the Excel file,” Austin Larsen, Mandiant senior incident response consultant, said in a statement shared with The Hacker News. “This requires no interaction from an end-user, making it highly impactful and effective.”
Barracuda said it released a security update that has been "automatically applied" on December 21, 2023, and that no further customer action is required.
It further pointed out that it "deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants" a day later. It did not disclose the scale of the compromise.
That said, the original flaw in the Spreadsheet::ParseExcel Perl module (version 0.65) remains unpatched and has been assigned the CVE identifier CVE-2023-7101, necessitating that downstream users take appropriate remedial action.
According to Mandiant, which has been investigating the campaign, a number of private and public sector organizations located in at least 16 countries are estimated to have been impacted since October 2022.
Google Cloud said it observed the exploitation of CVE-2023-7102 targeting high-tech, information technology providers, and government entities, chiefly located in the U.S. and Asia-Pacific regions, no earlier than November 30, 2023.
The latest development once again speaks to UNC4841's adaptability, leveraging new tactics and techniques to retain access to high priority targets as existing loopholes get closed.
“This latest campaign further demonstrates this actor’s persistence from the last UNC4841 campaign,” Larsen said. “Mandiant anticipates this threat actor may broaden their targeted attack surface to other appliances with a greater variety of exploits in the future.”
(The story was updated after publication to include additional commentary from Google Cloud and Mandiant on the campaign.)