Barracuda fixed a new ESG zero-day exploited by Chinese group UNC4841

Security firm Barracuda addressed a new zero-day, affecting its Email Security Gateway (ESG) appliances, that is actively exploited by the China-linked UNC4841 group.

On December 21, network and email cybersecurity firm Barracuda started releasing security updates to address a zero-day, tracked as CVE-2023-7102, in Email Security Gateway (ESG) appliances. The vulnerability has been actively exploited by the Chinese hacker group UNC4841 Chinese.

On December 21, the vendor also released security updates to fix the issue on already compromised ESG appliances where the threat actors installed SeaSpy and Saltwater malware.

“In our ongoing investigation, Barracuda has determined that a threat actor has utilized an Arbitrary Code Execution (ACE) vulnerability within a third party library, Spreadsheet::ParseExcel, to deploy a specially crafted Excel email attachment to target a limited number of ESG devices.”reads the advisory.“Spreadsheet::ParseExcel is an open source library used by the Amavis virus scanner within the ESG appliance.”

The root cause of the problem is a weakness in the Spreadsheet::ParseExcel third-party library. This library is used by the Amavis virus scanner that runs on Barracuda ESG appliances.

An attacker can trigger the vulnerability to execute arbitrary code on vulnerable ESG appliances through parameter injection.

“Following UNC4841’s exploitation of the ACE vulnerability (CVE-2023-7102), Barracuda has observed new variants of SEASPY and SALTWATER malware deployed to a limited number of ESG devices. On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants.” continues the advisory. “No action is required by customers at this time, and our investigation is ongoing.”

Barracuda has also filed CVE-2023-7101 for a vulnerability in the open-source library which is used in several products of multiple organizations. At the time of this writing the issue has yet to be addressed.

At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were breached by the same Chinese group exploiting a now-patched zero-day vulnerability.

The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening, the issue was discovered on May 19 and the company fixed it with the release of two security patches on May 20 and 21.

Threat actors exploited the flaw CVE-2023-2868 to obtain unauthorized access to a subset of ESG appliances. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances allowing for persistent backdoor access.

The company confirmed that the CVE-2023-2868 was first exploited in October 2022.

The families of malware employed in the attacks are:

  • SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary.
  • SEASPY – An x64 ELF persistent backdoor masquerades as a legitimate Barracuda Networks service and posing itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”.
  • SEASIDE is a module written in Lua for bsmtpd, it establishes a reverse shell via SMTP HELO/EHLO commands sent via the malware’s C2 server.

In early June the company urged customers to immediately replace the ESG appliances, regardless of patch version level.

“Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now ([email protected]).” urges the company. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”

On May 28, US Cybersecurity and Infrastructure Security Agency (CISA) added a recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities Catalog.

CISA has since shared technical details about Submarine and Whirlpool malware families that were employed in attacks exploiting the above flaw.

Mandiant researchers linked the threat actor UNC4841 to the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China.

According to Mandiant, starting as early as October 10, 2022, the UNC4841 group sent spear-phishing emails to victim organizations. The email contained a weaponized attachment crafted to exploit the flaw CVE-2023-2868 to access vulnerable Barracuda ESG appliances.

Once compromised the ESG device, UNC4841 was observed stealing specific data of interest, and in some cases, the attackers used the access to the appliance for lateral movement, or to send mail to other victim appliances. The threat actors also deployed additional tools to maintain a presence on ESG appliances.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Barracuda ESG)