China-linked hackers continue to target Barracuda Email Security Gateway appliances, with recent attacks involving exploitation of a new zero-day vulnerability.
It came to light in May 2023 that a Barracuda ESG zero-day tracked as CVE-2023-2868 had been exploited since at least October 2022 to deliver malware and steal data from a limited number of organizations that had been using the email security product.
In June, Mandiant attributed the attacks with high confidence to UNC4841, a cyberespionage group believed to be sponsored by the Chinese government.
In these attacks, the hackers exploited CVE-2023-2868 for initial access to the Barracuda devices by sending specially crafted emails to the targeted organizations.
The attackers then delivered custom backdoors named SeaSpy, SaltWater and SeaSide, a rootkit named SandBar, and several trojanized versions of Barracuda LUA modules.
Barracuda rushed to release patches in response to the attacks, but the hackers were relentless and continued targeting devices.
The vendor and the FBI strongly urged organizations to isolate and replace compromised devices.
The company informed the public on Christmas Eve that the same China-linked UNC4841 group has identified a new zero-day vulnerability affecting ESG appliances.
The new flaw, tracked as CVE-2023-7102 and described as an arbitrary code execution vulnerability, impacts 'Spreadsheet::ParseExcel', an open source library used by the Amavis virus scanner present in ESG devices.
The exploit leveraged specially crafted Excel files attached to emails sent to victims.
The company pointed out that there is no patch for the vulnerability in the 'Spreadsheet::ParseExcel' library, to which the CVE identifier CVE-2023-7101 has been assigned.
The company has made available new indicators of compromise for the recently observed malware variants, exploits, and infrastructure.
Mandiant previously said UNC4841 had targeted entities across 16 countries, including government organizations and officials, academics and academic research organizations, and foreign trade offices.
The cybersecurity firm said more than half of the victims were in the Americas and over a quarter were government organizations.
Several of the victims were Asian entities that were of interest to China.
This Cyber News was published on www.securityweek.com. Publication date: Wed, 27 Dec 2023 11:43:04 +0000