Flash Notice: Barracuda's ESG Appliances Hacked by Chinese Threat Actors

overview

A zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances has been exploited by Chinese threat actors. Tracked as CVE-2023-7102, the vulnerability leads to the installation of backdoors on devices.  

The zero-day flaw revolves around arbitrary code execution within a third-party and open-source library named “Spreadsheet::ParseExcel.” This library is used by the Amavis scanner within the gateway to analyze Microsoft Excel email attachments for potential malware. 

The threat actor behind the exploitation, UNC4841, was previously associated with the exploitation of another Barracuda zero-day (CVE-2023-2868) earlier in the year. The threat actor executed the new flaw by using a specially crafted Microsoft Excel email attachment. Later, new iterations of known implants named SEASPY and SALTWATER were deployed, providing persistence and command execution capabilities. 

Austin Larsen from Mandiant highlighted the effortless execution of the attack. When a target receives an email containing the malicious Excel attachment from UNC4841, the Barracuda ESG appliance scans the email, triggering the execution of the malicious code within the Excel file – a process that does not require action from the end-user. 

Barracuda applied a security update on December 21, 2023, with no further action required from customers. Additionally, another patch was deployed on December 22 to address compromised ESG appliances exposing indicators of compromise related to the newly identified malware variants. Barracuda did not disclose the extent of the compromise but the company did stress the need for downstream users to address the original flaw in the “Spreadsheet::ParseExcel Perl” module (version 0.65), assigned the CVE number CVE-2023-7101. 

avertium's recommendationS

• Barracuda recommends that organizations utilizing “Spreadsheet::ParseExcel” in their own products or services, review CVE-2023-7101 and promptly take the necessary remediation measures. 

INDICATORS OF COMPROMISE (IoCs)

IP Addresses  

• 23.224.99[.]242 
• 23.224.99[.]243 
• 23.224.99[.]244 
• 23.224.99[.]245 
• 23.224.99[.]246 
• 23.225.35[.]234 
• 23.225.35[.]235 
• 23.225.35[.]236 
• 23.225.35[.]237 
• 23.225.35[.]238 
• 107.148.41[.]146 

MD5 Hashes 

• 2b172fe3329260611a9022e71acdebca 
• e7842edc7868c8c5cf0480dd98bcfe76 
• 7b83e4bd880bb9d7904e8f553c2736e3 
• d493aab1319f10c633f6d223da232a27 

SHA256 

• 803cb5a7de1fe0067a9eeb220dfc24ca 56f3f571a986180e146b6cf387855bd 
• 952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd 
• 118fad9e1f03b8b1abe00529c61dc3edf da043b787c9084180d83535b4d177b7 
• 34494ecb02a1cccadda1c7693c45666e1 fe3928cc83576f8f07380801b07d8ba 

How Avertium is Protecting Our CUSTOMERS

• Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
• Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
• We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION