Friday, July 5, 2024

Chinese Hackers Exploited New Zero-Day in Barracuda's ESG Appliances

Dec 27, 2023 | Newsroom | Zero-Day / Email Security


Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a "limited number" of devices.

Tracked as CVE-2023-7102, the issue is an arbitrary code execution flaw in the third-party open-source library Spreadsheet::ParseExcel, which is used by the Amavis scanner inside the gateway.

The company attributed the activity to a threat actor tracked by Google-owned Mandiant as UNC4841, which was previously linked to the active exploitation of another zero-day in Barracuda devices (CVE-2023-2868, CVSS score: 9.8) earlier this year.

Successful exploitation of the new flaw is achieved through a specially crafted Microsoft Excel email attachment. This is followed by the deployment of new variants of the known implants SEASPY and SALTWATER, which are equipped to provide persistence and command execution capabilities.


Barracuda said it released a security update that was "automatically applied" on December 21, 2023, and that no further customer action is required.

It further noted that a day later it "deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants." It did not disclose the scale of the compromise.

That said, the original flaw in the Spreadsheet::ParseExcel Perl module (version 0.65) remains unpatched and has been assigned the CVE identifier CVE-2023-7101, so downstream users of the module need to take appropriate remedial action themselves.

According to Mandiant, which has been investigating the campaign, a number of private and public sector organizations located in at least 16 countries are estimated to have been impacted since October 2022.

The latest development once again demonstrates UNC4841's adaptability, leveraging new tactics and techniques to retain access to high-priority targets as existing loopholes get closed.

