
Alert: Chinese Threat Actors Exploit Barracuda Zero-Day Flaw

Wajahat Raja

January 9, 2024 - TuxCare expert team

In recent developments, Barracuda, a network and email security vendor, has been dealing with a zero-day vulnerability in its Email Security Gateway (ESG) appliances, tracked as CVE-2023-7102. The situation is compounded by active exploitation of the flaw by UNC4841, a China-nexus threat group. In this blog, we look at the Barracuda zero-day flaw, how it works, and what it means for the security of ESG deployments.


The Barracuda Zero-Day Flaw

 

The root cause lies in Spreadsheet::ParseExcel, a third-party Perl library used by the Amavis virus scanner that runs on Barracuda ESG appliances. The library passes number-format strings read from a spreadsheet into a string-type eval, so a crafted Excel file can inject Perl code that the appliance then executes. Barracuda describes the issue as a parameter injection that allows arbitrary code execution on vulnerable ESG devices.
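To make the bug class concrete, here is an added illustration (not Spreadsheet::ParseExcel's code, and not tied to any real attack payload) of what goes wrong when a format string taken from an untrusted file is spliced into Perl source and compiled with a string-type eval, beside a hardened version that validates the string against a closed grammar and never evals. The subroutine names `format_number_unsafe` and `format_number_safe`, the `$INJECTED` flag and the constructed payload are all assumptions made for this example; the real library evaluates Excel number-format strings, whereas this simplification uses printf-style specifications to keep the point visible.

```perl
#!/usr/bin/env perl
# Added illustration of the bug class behind CVE-2023-7101 / CVE-2023-7102:
# text read from an untrusted spreadsheet reaches a string-type eval.
# Both subs are hypothetical simplifications, not Spreadsheet::ParseExcel code.
use strict;
use warnings;

our $INJECTED = 0;   # flipped by the constructed payload; that is its only side effect

# VULNERABLE (hypothetical): the format string read from the file is spliced
# into Perl source and compiled with a string eval. The code trusts the format
# to be a printf spec such as "%.2f", but nothing enforces that.
sub format_number_unsafe {
    my ($value, $fmt) = @_;
    my $code = qq{sprintf("$fmt", \$value)};   # untrusted text becomes Perl source
    my $out  = eval $code;                     # string eval runs whatever $fmt built
    die "format error: $@" if $@;
    return $out;
}

# HARDENED: match the format against a closed grammar, rebuild the printf
# spec from the captured pieces only, and call sprintf directly (no eval).
sub format_number_safe {
    my ($value, $fmt) = @_;
    my ($width, $decimals, $conv) = $fmt =~ /\A%(\d{0,2})(?:\.(\d{1,2}))?([fe])\z/
        or die "rejected format '$fmt'\n";
    $decimals = 6 unless defined $decimals;    # printf's default precision
    return sprintf("%${width}.${decimals}${conv}", $value);
}

# Constructed payload (not from any real attack): closes the quoted format,
# appends an expression of the attacker's choosing (here a harmless assignment,
# but it could be a system() call), then re-opens a valid sprintf so the eval
# compiles cleanly and still returns a plausible-looking string.
my $payload = q{%.2f", $value) . ($main::INJECTED = 1) . sprintf("%s%s", "};

print "benign format via unsafe path: ", format_number_unsafe(1234.5, "%.2f"), "\n";
my $out = format_number_unsafe(1234.5, $payload);
print "payload via unsafe path: returned '$out', INJECTED=$INJECTED\n";   # INJECTED is now 1

print "benign format via safe path:   ", format_number_safe(1234.5, "%.2f"), "\n";
eval { format_number_safe(1234.5, $payload) };
print "payload via safe path: $@";                                        # rejected, nothing ran
```

The hardened version is not merely "sprintf without eval": the whitelist regex is what makes it safe, because it guarantees that only characters from a small fixed alphabet can ever influence the format, and the printf spec is rebuilt from the captures rather than reused as the file supplied it.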

 

Barracuda Zero-Day Flaw Exploited By Chinese Hackers

 

UNC4841 exploited this arbitrary code execution (ACE) vulnerability by sending specially crafted Excel email attachments that triggered the flaw in Spreadsheet::ParseExcel when the ESG appliance scanned them. According to Barracuda, a limited number of ESG devices were compromised in this way.

Barracuda responded swiftly by deploying a patch on December 22, 2023, to remediate compromised ESG appliances, which exhibited indicators of compromise linked to new variants of SEASPY and SALTWATER malware.

In the ongoing investigation of the Barracuda zero-day flaw, the organization assured customers that no immediate action is required. They also emphasized their commitment to resolving the issue and ensuring the security of ESG appliances.

 

CVE-2023-7101: A Wider Concern


Notably, Barracuda has also filed CVE-2023-7101 for the underlying vulnerability in the open-source Spreadsheet::ParseExcel library itself. Because the library is used in other products across many organizations, the exposure extends well beyond Barracuda ESG appliances; at the time of the initial disclosure no fixed release of the library was available, which added urgency for any product that bundles it.


A Recap of May’s Security Warning


These zero-day exploits in network security devices are not the first time Barracuda has faced such challenges. In May 2023, the company warned customers about breaches of some of its Email Security Gateway appliances. According to the Barracuda security breach news, UNC4841, the same China-nexus group, had exploited a zero-day vulnerability (CVE-2023-2868) in the email attachment screening module. The company released security patches promptly but later discovered that the vulnerability had been exploited since October 2022.


The Malware Arsenal


The threat actors deployed two malware families: SALTWATER and SEASPY. SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) whose capabilities include file upload and download, command execution, and proxying or tunneling malicious traffic. SEASPY is a persistence backdoor that masquerades as a legitimate Barracuda Networks service and passively monitors SMTP traffic on port 25.


Urgent Remediation Measures


Barracuda, supported by Mandiant, urged customers in early June to replace affected ESG appliances immediately, regardless of patch version level. Full replacement, rather than patching, was the remediation recommendation issued in the ESG appliance security updates.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the patched Barracuda zero-day, CVE-2023-2868, to its Known Exploited Vulnerabilities Catalog on May 28. CISA subsequently published technical analyses of the SUBMARINE and WHIRLPOOL malware families associated with attacks exploiting that flaw.


UNC4841: The Culprit

 

Mandiant researchers attributed the attacks on Barracuda customers to UNC4841, a China-nexus group, and traced the campaign back to October 10, 2022. The threat actors used spear-phishing emails carrying weaponized attachments (crafted .tar files) to exploit CVE-2023-2868 and gain access to vulnerable Barracuda ESG appliances.


Ongoing Threat Landscape


Once inside a compromised ESG device, UNC4841 was observed exfiltrating selected data and, in some cases, using the appliance as a foothold for lateral movement into the network. The group also deployed additional tools to maintain persistent access on the appliances.

Hardening and monitoring ESG appliances, and checking them against the published indicators of compromise, is therefore essential: an email gateway sits in the path of all inbound mail, so its compromise exposes the rest of the network infrastructure behind it.


Conclusion


In conclusion, these incidents highlight the persistent and evolving threats facing network security devices. Barracuda has responded by deploying patches, recommending replacement of compromised appliances, and working with Mandiant to investigate and mitigate the intrusions. Continued attention to ESG appliance security remains necessary going into 2024.

As organizations navigate these threats, staying informed and protecting ESG appliances is paramount. Adopting best practices and drawing on the expertise of security partners are likewise essential to maintaining a robust defense.

The sources for this piece include articles in The Hacker News and Security Affairs
