Chinese Hackers Exploit New Zero-Day in Barracuda’s ESG


Barracuda Email Security Gateway (ESG) Appliance has been discovered with an Arbitrary code Execution vulnerability exploited by a China Nexus threat actor tracked as UNC4841.

Additionally, the vulnerability targeted only a limited number of ESG devices. 

However, Barracuda has deployed a security update to all the active ESGs to address this vulnerability, and has been automatically applied to all the devices, which does not require any action from the user.

The new vulnerability has been assigned to CVE-2023-7102, and the severity is yet to be categorized.

Chinese Hackers Exploit New Zero-Day

This vulnerability exists due to using a third-party library, “Spreadsheet::ParseExcel,” in the Barracuda ESG appliances.

This open-source third-party library is vulnerable to arbitrary code execution that can be exploited by sending a specially crafted Excel email attachment to the affected device.

The Chinese Nexus threat actors have been using this vulnerability to deploy new variants of SEASPY and SALTWATER malware to the affected devices.

However, Barracuda has patched these vulnerabilities accordingly. Moreover, Barracuda stated, “Barracuda has filed CVE-2023-7102 about Barracuda’s use of Spreadsheet::ParseExcel which has been patched”.

Another vulnerability, CVE-2023-7101, affected the same spreadsheet: ParseExcel, and no patches or updates were available.

Nevertheless, both of these vulnerabilities were associated with a previously discovered vulnerability, CVE-2023-2868, that was exploited by the same threat group in May and June 2023.

Furthermore, a complete report about these vulnerabilities, along with additional information, has been published, which provides detailed information about this vulnerability and the previously discovered vulnerabilities.

Indicators of Compromise

Malware MD5 Hash SHA256 File Name(s) File Type
CVE-2023-7102 XLS Document 2b172fe3329260611a9022e71acdebca 803cb5a7de1fe0067a9eeb220dfc24ca56f3f571a986180e146b6cf387855bdd ads2.xls xls
CVE-2023-7102 XLS Document e7842edc7868c8c5cf0480dd98bcfe76 952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd don.xls xls
CVE-2023-7102 XLS Document e7842edc7868c8c5cf0480dd98bcfe76 952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd personalbudget.xls xls
SEASPY 7b83e4bd880bb9d7904e8f553c2736e3 118fad9e1f03b8b1abe00529c61dc3edf da043b787c9084180d83535b4d177b7 wifi-service x-executable
SALTWATER d493aab1319f10c633f6d223da232a27 34494ecb02a1cccadda1c7693c45666e1 fe3928cc83576f8f07380801b07d8ba mod_tll.so x-sharedlib

Network IOCs

IP Address ASN Location
23.224.99.242 40065 US
23.224.99.243 40065 US
23.224.99.244 40065 US
23.224.99.245 40065 US
23.224.99.246 40065 US
23.225.35.234 40065 US
23.225.35.235 40065 US
23.225.35.236 40065 US
23.225.35.237 40065 US
23.225.35.238 40065 US
107.148.41.146 398823 US



Source link