December 27, 2023 at 08:24AM
Chinese threat actors exploited a new zero-day in Barracuda’s Email Security Gateway appliances, deploying backdoors on a limited number of devices. The issue, tracked as CVE-2023-7102, allowed arbitrary code execution via a third-party library. Barracuda released a security update and remediated compromised appliances. This highlights the adaptability of the threat actor UNC4841.
After reviewing the meeting notes, it’s clear that Barracuda disclosed a significant security issue related to its Email Security Gateway appliances, with threat actors exploiting a new zero-day vulnerability tracked as CVE-2023-7102. The exploit led to the deployment of a backdoor on a limited number of devices by a threat actor identified as UNC4841.
The vulnerability was attributed to arbitrary code execution within a third-party Spreadsheet::ParseExcel library used by the Amavis scanner in the gateway. Exploitation of the flaw involved a specially crafted Microsoft Excel email attachment, followed by the deployment of new variants of known implants SEASPY and SALTWATER, which provided persistence and command execution capabilities.
Barracuda released a security update that was automatically applied on December 21, 2023, and subsequent patches were deployed to remediate compromised ESG appliances exhibiting indicators of compromise related to the newly identified malware variants.
While Barracuda acted to address the issue, the original unpatched flaw in the Spreadsheet::ParseExcel Perl module (version 0.65) has been assigned the CVE identifier CVE-2023-7101, requiring downstream users to take appropriate remedial action.
Mandiant’s investigation revealed that private and public sector organizations in at least 16 countries have been impacted since October 2022, underscoring the adaptability of UNC4841 in leveraging new tactics and techniques to retain access to high-priority targets.
This information provides a comprehensive overview of the security incident and its implications, emphasizing the urgency for affected organizations to take necessary remedial measures.