Another Barracuda ESG zero-day flaw exploited in the wild

For the second time this year, a China-nexus threat actor is attacking Barracuda Networks' Email Security Gateway appliances, but this time Barracuda said the fix requires no customer action.

In May, Barracuda disclosed a critical zero-day vulnerability in its ESG appliance that was under attack by a suspected nation-state actor connected to the People's Republic of China. While Barracuda fixed the flaw, the vendor later discovered the patch was insufficient and instructed users to replace compromised devices entirely.

Attacks on ESG devices persisted well into August when an FBI flash alert warned that the China-nexus threat actor continued to exploit the remote command injection flaw, tracked as CVE-2023-2868. Barracuda initiated an ongoing investigation with Mandiant, which tracks the threat actor as UNC4841.

In an ESG vulnerability security advisory on Dec. 24, Barracuda revealed that UNC4841 discovered a new way to attack ESG appliances. The threat actor exploited an arbitrary code execution (ACE) zero-day vulnerability, tracked as CVE-2023-7102, in a third-party open source software library to send malicious Excel email attachments. Barracuda said a "limited number of ESG devices" were targeted so far.

Unlike the previous ESG vulnerability UNC4841 exploited, which required users to apply a patch, CVE-2023-7102 was fixed remotely.

"On December 21, 2023, Barracuda deployed a security update to all active ESGs to address the ACE vulnerability in Spreadsheet::ParseExcel. The security update has been automatically applied, requiring no action by the customer," Barracuda wrote in the security advisory.

However, Barracuda warned of new threat activity it observed from UNC4841. After exploiting CVE-2023-7102, the threat actor deployed new variants of Seaspy and Saltwater malware, which were used to create backdoors in previous ESG attacks by the Chinese hackers. Mandiant previously disclosed that UNC4841 deployed backdoors and other techniques because the threat actor anticipated Barracuda's remediation efforts for CVE-2023-2868.

Barracuda addressed the new malware variants with "a patch to remediate compromised ESG appliances" on Dec. 22. The vendor published indicators of compromise for the latest ESG zero-day attacks as well as Seaspy and Saltwater malware in its advisory.

To increase public awareness of the open source software vulnerability that could allow attackers to parse Excel files, Barracuda also disclosed a second flaw, CVE-2023-7101. The only affected version of Spreadsheet::ParseExcel is 0.65. While Barracuda confirmed that CVE-2023-7102 was exploited in the wild, activity surrounding CVE-2023-7101 remains unknown.

"At the time of this update, there is no known patch or update available to remediate CVE-2023-7101 within the open source library. For organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and promptly taking necessary remediation measures," the advisory said.

Barracuda emphasized that no customer action is required and that an investigation remains ongoing.

Update: Mandiant told TechTarget Editorial that it first observed UNC4841 exploiting the zero-day flaw on Dec. 20 in "a limited number of Barracuda ESG appliances," with attacks focusing on targeting high-tech organizations, IT providers and government agencies in the U.S. and Asia-Pacific region.

"According to current evidence, Mandiant believes this campaign was initiated on or about November 30, 2023, as part of UNC4841's ongoing espionage operations, deploying new variants of the SEASPY and SALTWATER backdoor malware on impacted devices," said Austin Larsen, Mandiant senior incident response consultant at Google Cloud, in a statement. "On December 21 and 22, 2023, Barracuda responded promptly by deploying updates to remediate the vulnerability and the ESG appliances that may have been compromised by the newly identified malware variants. While the ESG updates do not require any customer action, Mandiant still recommends Barracuda's customers read through the advisory and follow their recommended guidance."

Larsen explained that the Perl module Spreadsheet::ParseExcel is used by ESG appliances to scan Excel email attachments for malware. "Once a target receives an email with the malicious Excel attachment from UNC4841, the email is scanned by the Barracuda ESG appliance, thereby executing the malicious code contained in the Excel file. This requires no interaction from an end user, making it highly impactful and effective," Larsen said. "This latest campaign further demonstrates this actor's persistence from the last UNC4841 campaign. Mandiant anticipates this threat actor may broaden their targeted attack surface to other appliances with a greater variety of exploits in the future."

Barracuda did not respond to TechTarget Editorial's request for comment at press time.

Updated on 12/28/2023.

Arielle Waldman is a Boston-based reporter covering enterprise security news.