Chinese Hackers Exploited New Zero-Day in Barracuda’s ESG Appliances


Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a "limited number" of devices.

Tracked as CVE-2023-7102, the issue is an arbitrary code execution flaw that resides within a third-party, open-source library named Spreadsheet::ParseExcel, which the Amavis scanner inside the gateway uses to screen Microsoft Excel email attachments for malware. Per the CVE description, the root cause is that the module passes unvalidated input from the file, specifically number-format strings, into a string-type Perl eval.

The company attributed the activity to a threat actor tracked by Google-owned Mandiant as UNC4841, which was previously linked to the active exploitation of another zero-day in Barracuda devices (CVE-2023-2868, CVSS score: 9.8) earlier this year.

Successful exploitation of the new flaw is achieved by means of a specially crafted Microsoft Excel email attachment. This is followed by the deployment of new variants of the known implants SEASPY and SALTWATER, which provide persistence and command execution capabilities.

"Once a target receives an email with the malicious Excel attachment from UNC4841, the email is scanned by the Barracuda ESG appliance, thereby executing the malicious code contained within the Excel file," Austin Larsen, Mandiant senior incident response consultant, said in a statement shared with The Hacker News. "This requires no interaction from an end-user, making it highly impactful and effective."
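The bug class behind CVE-2023-7101 is worth seeing in miniature. The following is an added illustration written for this page; it is not Spreadsheet::ParseExcel's code and the format strings are constructed stand-ins for the number-format value a parser reads out of a spreadsheet. The "unsafe" routine interpolates that value into Perl source and string-evals it, so a single quote character in the data closes the intended literal and the rest is compiled and run, with no user interaction, exactly as happens when a scanner opens an attachment. The "safe" routine never compiles data: it allowlists the characters a number format may contain and formats with sprintf, which treats its arguments purely as data. The `$pwned` flag stands in for a `system()` call.

```perl
#!/usr/bin/env perl
# Added illustration (not Spreadsheet::ParseExcel's code): a string-type eval
# fed with data taken from an untrusted document is arbitrary code execution.
use strict;
use warnings;

# Constructed stand-ins for a number-format string read out of a spreadsheet.
# The attacker controls every byte, so a quote can close the intended string
# literal and whatever follows is compiled as Perl.
my $benign_fmt    = '0.00';
my $malicious_fmt = q{0.00" . ($main::pwned = 1) . "};

our $pwned = 0;   # flag the injected code flips; stands in for system("...")

# UNSAFE: the format string is interpolated into Perl source and then eval'd.
# This is the vulnerability class behind CVE-2023-7101.
sub format_unsafe {
    my ($value, $fmt) = @_;
    my $code = qq{sprintf("%.2f", $value) . " [" . "$fmt" . "]"};
    my $out  = eval $code;    # string eval compiles attacker-controlled source
    die "eval failed: $@" if $@;
    return $out;
}

# SAFE: never compile data. Validate the format against an allowlist of the
# characters a number format can contain, then format with sprintf, which
# treats its arguments purely as data. Returns undef for rejected input.
sub format_safe {
    my ($value, $fmt) = @_;
    return undef unless $fmt =~ /\A[0-9#,.%+\- ]+\z/;
    my ($frac)  = $fmt =~ /\.([0#]+)/;          # count of requested decimals
    my $places  = defined $frac ? length $frac : 0;
    return sprintf("%.${places}f", $value);
}

for my $fmt ($benign_fmt, $malicious_fmt) {
    $pwned = 0;
    my $u = format_unsafe(3.14159, $fmt);
    printf "unsafe: %-36s -> %-14s pwned=%d\n", "'$fmt'", $u, $pwned;
    my $s = format_safe(3.14159, $fmt);
    printf "safe:   %-36s -> %s\n", "'$fmt'", defined $s ? $s : 'REJECTED';
}
```

With the benign format both routines agree and the flag stays at 0; with the malicious format the unsafe routine still returns a plausible-looking string but `$pwned` is now 1, because the injected expression ran inside the eval, while the safe routine rejects the input before it is used at all. The fix pattern is the same in any language: data from a file must never reach a code-compiling primitive.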

Barracuda said it released a security update that was "automatically applied" on December 21, 2023, and that no further customer action is required.

It further noted that it "deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants" a day later. It did not disclose the scale of the compromise.

That said, the original flaw in the Spreadsheet::ParseExcel Perl module (version 0.65) remains unpatched and has been assigned the CVE identifier CVE-2023-7101, necessitating that downstream users take appropriate remedial action. Barracuda's automatic update covers only its own appliances; any other product or script that parses Excel files with this module is exposed in the same way until the module itself is fixed or the untrusted input path is removed.
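A first step for a downstream user is to find out whether, and where, the module is installed. The script below is an added check written for this page, not Barracuda or CPAN code. It walks every directory in `@INC` rather than asking for the first match, because vendor builds and appliances often carry more than one copy and `perl -MSpreadsheet::ParseExcel` reports only the first. It assumes that any release at or below 0.65, the version the advisory names, is affected; raise `$AFFECTED_MAX` once a fixed release is published.

```perl
#!/usr/bin/env perl
# Added check (not vendor code): list every copy of Spreadsheet::ParseExcel
# reachable through @INC and flag versions at or below the one the advisory
# names. Assumption: any release <= 0.65 is treated as affected.
use strict;
use warnings;
use File::Spec;
use Module::Metadata;
use version;

my $AFFECTED_MAX = '0.65';

# Compare with version.pm so '0.7' > '0.65' and '0.65' < '0.66' hold,
# instead of the surprises plain string or numeric comparison would give.
sub is_affected {
    my ($ver, $max) = @_;
    $max //= $AFFECTED_MAX;
    return 0 unless defined $ver;
    return version->parse($ver) <= version->parse($max) ? 1 : 0;
}

# Every on-disk copy, not just the one Perl would load first.
sub find_copies {
    my (@copies, %seen);
    for my $dir (@INC) {
        next if ref $dir;   # skip @INC hooks (coderefs, objects)
        my $pm = File::Spec->catfile($dir, 'Spreadsheet', 'ParseExcel.pm');
        next unless -f $pm && !$seen{$pm}++;
        my $meta = Module::Metadata->new_from_file($pm);
        my $ver  = $meta ? $meta->version : undef;
        push @copies, { path => $pm, version => defined $ver ? "$ver" : undef };
    }
    return @copies;
}

my @copies = find_copies();
if (!@copies) {
    print "Spreadsheet::ParseExcel not found in \@INC\n";
    exit 0;
}

my $bad = 0;
for my $c (@copies) {
    my $state;
    if (!defined $c->{version}) {
        $state = 'UNKNOWN version (inspect manually)';
        $bad++;
    } elsif (is_affected($c->{version})) {
        $state = "AFFECTED (<= $AFFECTED_MAX)";
        $bad++;
    } else {
        $state = "newer than $AFFECTED_MAX";
    }
    printf "%-8s %s  [%s]\n", $c->{version} // '?', $c->{path}, $state;
}
exit($bad ? 1 : 0);
```

The non-zero exit status makes it usable from configuration-management or fleet-inventory jobs. Note that a clean result here only tells you the library is absent from this Perl's search path; an appliance or a container image may bundle its own interpreter, so run it with that interpreter as well.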

According to Mandiant, which has been investigating the campaign, a number of private and public sector organizations located in at least 16 countries are estimated to have been impacted since October 2022.

Google Cloud said it observed the exploitation of CVE-2023-7102 targeting high-tech and information technology providers and government entities, mainly located in the U.S. and Asia-Pacific regions, no earlier than November 30, 2023.

The latest development once again speaks to UNC4841's adaptability, as the group adopts new tactics and techniques to retain access to high-priority targets as existing footholds are closed off.

"This latest campaign further demonstrates this actor's persistence from the last UNC4841 campaign," Larsen said. "Mandiant anticipates this threat actor may expand their targeted attack surface to other appliances with a greater variety of exploits in the future."

(The story was updated after publication to include additional commentary from Google Cloud and Mandiant on the campaign.)
