Barracuda ESG Attack: Chinese Hackers Exploit Zero Day to Launch Data-Stealing Malware

The hackers had been exploiting the Barracuda ESG zero-day since at least October 2022.

Barracuda ESG, a widely used email security product, faces a renewed threat as the China-linked UNC4841 cyberespionage group exploits a new zero-day vulnerability.

For years, Chinese hackers have been a threat to numerous industries including healthcare, smart home, gaming, and more.

Barracuda ESG Cyberattack


As reported by Security Week on Dec. 27, the saga began in May 2023 when a zero-day vulnerability, CVE-2023-2868, was discovered in Barracuda ESG. This led to malware delivery and data theft.

UNC4841, a cyberespionage group allegedly sponsored by the Chinese government, was identified as the culprit with high confidence by Mandiant in June.

Despite Barracuda's prompt patch releases, UNC4841 persisted in exploiting devices, delivering custom backdoors such as SeaSpy, SaltWater, and SeaSide, along with a rootkit named SandBar.

Trojanized versions of Barracuda Lua modules further exacerbated the threat. Even then, the state-sponsored attackers kept targeting the appliances with additional malware delivered in file attachments.

CVE-2023-7102 Serves as New Warning

Barracuda issued a Christmas Eve warning, revealing a fresh zero-day vulnerability, CVE-2023-7102. This arbitrary code execution flaw affects "Spreadsheet::ParseExcel," an open-source library utilized by the Amavis virus scanner in ESG devices. The exploit enabled the delivery of new SeaSpy and SaltWater malware variants to a limited number of devices.

How Malware Exploits Zero-Day

UNC4841 leveraged the zero-day by sending targeted organizations specially crafted Excel files attached to emails. The lack of a patch for the "Spreadsheet::ParseExcel" library (CVE-2023-7101) adds complexity to the remediation process.

"On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants. No action is required by customers at this time, and our investigation is ongoing," Barracuda wrote in a blog post.

Since hackers have no rest day or holiday in their illegal activities, Barracuda urged organizations using "Spreadsheet::ParseExcel" to review CVE-2023-7101 and promptly implement necessary remediation measures. Additionally, the company has released new IoCs related to the observed malware variants, exploits, and infrastructure.
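The article's remediation advice is to find out whether Spreadsheet::ParseExcel is present and review CVE-2023-7101. The following is an added example, not code from the article or from Barracuda, of a host-side exposure check: it asks the local Perl for its @INC search path, locates Spreadsheet/ParseExcel.pm, extracts the module's $VERSION and compares it with a fixed-version threshold that the operator supplies from the advisory. The threshold used in the built-in demo (0.66) and the sample module source are constructed for illustration and are assumptions, not values taken from the article. The version comparison follows Perl's own rule that "0.65" is a decimal number (so 0.100 is older than 0.65, and 0.65 equals v0.650), which a naive dotted comparison gets wrong.

```python
"""Exposure check for a Perl library: is Spreadsheet::ParseExcel installed, and which version?"""
import os
import re
import subprocess
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

# Matches the usual Perl idioms:  our $VERSION = '0.65';   $VERSION = "v0.65.1";
_VERSION_RE = re.compile(r"""\$VERSION\s*=\s*['"]?(v?\d+(?:\.\d+)*)['"]?\s*;""")

MODULE_REL_PATH = os.path.join("Spreadsheet", "ParseExcel.pm")

# Constructed sample of a module file, used only by the demo below (not the real module).
SAMPLE_MODULE_SOURCE = "package Spreadsheet::ParseExcel;\nuse strict;\nour $VERSION = '0.65';\n1;\n"
DEMO_FIXED_VERSION = "0.66"  # assumed threshold for the demo; take the real one from the advisory


def extract_version(module_source: str) -> Optional[str]:
    """Return the $VERSION string declared in Perl module source, or None if absent."""
    m = _VERSION_RE.search(module_source)
    return m.group(1) if m else None


def perl_version_key(v: str) -> Tuple[int, ...]:
    """Normalize a Perl version string for ordering comparisons.

    Perl treats a single-dot version such as '0.65' as a decimal number: the
    fraction is grouped into 3-digit fields, so 0.65 == 0.650 == v0.650 and
    0.100 < 0.65.  A leading 'v' or two or more dots means dotted-decimal,
    which compares component by component.
    """
    parts = v.lstrip("v").split(".")
    if v.startswith("v") or len(parts) > 2:
        return tuple(int(p) for p in parts)
    whole = int(parts[0])
    frac = parts[1] if len(parts) == 2 else ""
    frac += "0" * (-len(frac) % 3)  # pad the fraction to a multiple of 3 digits
    groups = [int(frac[i:i + 3]) for i in range(0, len(frac), 3)]
    return (whole, *groups)


def assess(installed: str, fixed: str) -> str:
    """Classify an installed version relative to the first fixed version."""
    return "vulnerable" if perl_version_key(installed) < perl_version_key(fixed) else "patched"


def perl_inc_dirs() -> List[str]:
    """Ask the local perl for its @INC; returns [] when perl is not available."""
    try:
        proc = subprocess.run(["perl", "-e", 'print join("\\n", @INC)'],
                              capture_output=True, text=True, check=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return []
    return [d for d in proc.stdout.splitlines() if d and os.path.isdir(d)]


def check_host(fixed_version: str, inc_dirs: Optional[List[str]] = None) -> List[Dict[str, Optional[str]]]:
    """Find every copy of the module on the include path and classify each one."""
    dirs = perl_inc_dirs() if inc_dirs is None else inc_dirs
    results: List[Dict[str, Optional[str]]] = []
    for d in dirs:
        path = os.path.join(d, MODULE_REL_PATH)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            ver = extract_version(fh.read())
        results.append({"path": path, "version": ver,
                        "status": assess(ver, fixed_version) if ver else "unknown"})
    return results


def demo() -> List[Dict[str, Optional[str]]]:
    """Run the check against a constructed module tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "Spreadsheet"))
        with open(os.path.join(tmp, MODULE_REL_PATH), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_MODULE_SOURCE)
        return check_host(DEMO_FIXED_VERSION, [tmp])


if __name__ == "__main__":
    # Usage: python check_parseexcel.py <fixed-version-from-advisory>   (no argument runs the demo)
    if len(sys.argv) > 1:
        findings = check_host(sys.argv[1])
        print(findings if findings else "Spreadsheet::ParseExcel not found on @INC")
    else:
        print(demo())
```

The live mode reports every copy found on @INC, because hosts that vendor a second copy of the module (for example under a product-specific library path) can carry an older version than the one the package manager reports; any path not on @INC would still need a separate filesystem search.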

Impact of Zero-Day Exploit Globally

Previous activities by UNC4841 targeted entities across 16 countries, focusing on government organizations, officials, academics, academic research organizations, and foreign trade offices.

More than half of the victims were in the Americas, with over a quarter being government organizations. The cybersecurity firm Mandiant highlighted specific interest in Asian entities by China.

This year, Chinese hackers used different strategies to orchestrate various attacks on multiple companies including Microsoft.

In our Aug. 25 report, we reported that the "Flax Typhoon" group, said to be a group of Chinese hackers, had been seen targeting Taiwan's government and its organizations.

This month, another Chinese hacking gang known as "Volt Typhoon" allegedly attacked the US water, communication, and power systems.

US officials believed that the cyberattack had something to do with the tension between China and Washington over Taiwan.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.