Barracuda Networks has disclosed a serious security incident involving a zero-day vulnerability in its Email Security Gateway (ESG) appliances, exploited by suspected Chinese threat actors. The flaw, tracked as CVE-2023-7102, was used to deploy backdoors on a limited number of affected devices.

The vulnerability is an arbitrary code execution flaw in Spreadsheet::ParseExcel, a third-party open-source Perl library that the Amavis scanner bundled with the ESG uses to inspect Microsoft Excel email attachments for malware. The library passes number-format strings read from the workbook into a Perl string eval, so a crafted spreadsheet can inject code that executes when the file is parsed.

Mandiant, a Google subsidiary, attributes the activity to a group it tracks as UNC4841. The group has exploited Barracuda devices before, most notably through CVE-2023-2868 earlier this year, a remote command injection in the ESG's attachment scanning that carried a critical CVSS score of 9.8.

Exploitation of CVE-2023-7102 is triggered by specially crafted Excel attachments delivered by email. After gaining initial access, the attackers deploy known malware families such as SEASPY and SALTWATER, which give them persistence and command-execution capability on the appliance.

Austin Larsen, a senior incident response consultant at Mandiant, explained the exploit’s effectiveness: once a target receives an infected Excel attachment, it is scanned by the ESG appliance, allowing the malicious code to execute without any user interaction. This significantly enhances the threat’s impact.

Barracuda says a security update addressing the vulnerability was pushed automatically to ESG appliances on December 21, 2023, and that on the following day it deployed a patch to compromised appliances that showed indicators of the newly identified malware variants. The company has not publicly detailed the extent of the compromise.

Those responses cover Barracuda's own appliances, but the underlying flaw in the Spreadsheet::ParseExcel module (version 0.65), tracked separately as CVE-2023-7101, remains unpatched upstream. Any other product or mail pipeline that embeds the library is therefore still exposed, and its operators need to remediate on their own rather than rely on Barracuda's update.
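A host-side check for the library flaw, as an added example that is not part of the article or of Barracuda's or Mandiant's tooling: it reports the copy of Spreadsheet::ParseExcel that the default perl loads, finds any other copies by path (vendored Perl trees inside appliances and applications often sit outside @INC), reads `$VERSION` from each, and flags versions below a fixed-release threshold. The `FIXED_VERSION` default of 0.66 is an assumption, since the article says no fixed release existed; replace it with the real fixed version once upstream publishes one. Versions are compared numerically, matching the module's decimal versioning (0.65, 0.66).

```shell
#!/bin/sh
# Added example (not from the article, Barracuda or Mandiant): find copies of
# the Spreadsheet::ParseExcel Perl module on a host and flag versions in the
# range affected by CVE-2023-7101.
#
# Assumption: FIXED_VERSION is the first upstream release that removes the
# flaw. The article reports that no fix existed when it was written, so the
# default below is a placeholder to be replaced with the real fixed release.
FIXED_VERSION="${FIXED_VERSION:-0.66}"

# vercmp A B: compare two decimal version numbers in the style this module
# uses (0.65, 0.66) and print -1, 0 or 1. Dotted-decimal versions such as
# v1.2.3 are out of scope here.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        a += 0; b += 0
        if (a < b) print "-1"; else if (a > b) print "1"; else print "0"
    }'
}

# is_vulnerable_version V: succeed when V is below FIXED_VERSION.
is_vulnerable_version() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# loaded_parseexcel: print "version<TAB>path" for the copy the default perl
# actually loads, or nothing if the module is not on @INC or perl is missing.
loaded_parseexcel() {
    perl -MSpreadsheet::ParseExcel -e \
        'print $Spreadsheet::ParseExcel::VERSION, "\t", $INC{"Spreadsheet/ParseExcel.pm"}, "\n"' \
        2>/dev/null
}

# scan_tree DIR: find every ParseExcel.pm under DIR and print
# "version<TAB>path" per copy, reading the "our $VERSION = '...'" line from
# the source text (no perl needed, so vendored trees are covered too).
scan_tree() {
    find "$1" -type f -path '*/Spreadsheet/ParseExcel.pm' 2>/dev/null |
    while IFS= read -r f; do
        v=$(awk '/^[[:space:]]*our[[:space:]]+\$VERSION[[:space:]]*=/ {
                s = $0; sub(/^[^0-9]*/, "", s); sub(/[^0-9.].*$/, "", s)
                print s; exit }' "$f")
        printf '%s\t%s\n' "${v:-unknown}" "$f"
    done
}

# check_tree DIR: report every copy under DIR; return 2 if any copy is
# vulnerable or its version could not be read, 0 otherwise.
check_tree() {
    list=$(mktemp)
    scan_tree "$1" > "$list"
    status=0
    [ -s "$list" ] || echo "no Spreadsheet::ParseExcel under $1"
    while IFS="$(printf '\t')" read -r ver path; do
        if [ "$ver" = "unknown" ]; then
            echo "REVIEW: version not readable from $path"
            status=2
        elif is_vulnerable_version "$ver"; then
            echo "VULNERABLE: Spreadsheet::ParseExcel $ver at $path (CVE-2023-7101, fix expected in >= $FIXED_VERSION)"
            status=2
        else
            echo "OK: Spreadsheet::ParseExcel $ver at $path"
        fi
    done < "$list"
    rm -f "$list"
    return "$status"
}

# Entry point: "sh check_parseexcel.sh --run [DIR]" scans DIR (default /usr)
# after reporting what the default perl loads. Sourcing the file without
# --run only defines the functions.
if [ "${1:-}" = "--run" ]; then
    loaded=$(loaded_parseexcel)
    [ -n "$loaded" ] && echo "perl loads: $loaded"
    check_tree "${2:-/usr}"
    exit $?
fi
```

Run it with `--run /` on a mail or document-scanning host to cover vendored Perl trees, not just the system one; an exit status of 2 means at least one copy needs attention. Note that Barracuda's December 21 update covers its appliances only, so this check is aimed at other systems that embed the library.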

Mandiant's investigation suggests that organizations in both the public and private sectors across at least 16 countries have been affected since October 2022. Google Cloud also observed exploitation attempts against high-tech and IT providers as well as government entities, primarily in the U.S. and the Asia-Pacific region, beginning as early as November 30, 2023.

UNC4841's activity illustrates its adaptability and persistence: the group adopts new techniques to retain footholds in critical systems even as older vulnerabilities are closed. Larsen noted that Mandiant expects the group to broaden its targeting to a wider range of devices and exploits in the future.

(This article was updated to include additional statements from Google Cloud and Mandiant regarding ongoing cybersecurity concerns.)