Barracuda Patches Actively Exploited Flaw Used by Chinese APT

Barracuda ESG Vulnerability

Barracuda has disclosed a critical vulnerability in its Email Security Gateway (ESG) appliances that has been actively exploited by a Chinese state-sponsored hacking group to compromise devices.

The vulnerability, tracked as CVE-2023-7102, is due to a flaw in Spreadsheet::ParseExcel, an open-source library used by the ESG's antivirus engine. The flaw allows attackers to execute arbitrary code on affected devices by sending a maliciously crafted Excel file as an email attachment.

About Spreadsheet::ParseExcel

Spreadsheet::ParseExcel is a Perl module designed for parsing and extracting data from Excel files in the older binary formats (.xls), specifically those created in Excel 95, 97, 2000, XP, and 2003.

Key features:

  • Reading data: It can access and retrieve various elements from Excel files, including:
      • Cell values (text, numbers, dates, times, formulas)
      • Formatting information (fonts, colors, borders, alignment)
      • Worksheet names
      • Workbook properties
  • Decryption: It has limited support for decrypting password-protected files using the default Excel encryption scheme.
  • Not for XLSX: It's important to note that this module cannot read the newer Open XML format (.xlsx) used in Excel 2007 and later.

Once exploited, the hackers have deployed new variants of malware called SEASPY and SALTWATER to establish persistent access and exfiltrate data from compromised ESG appliances.

Attacks Attributed to Chinese APT UNC4841

Working with investigators at Mandiant, Barracuda has attributed these attacks to a Chinese advanced persistent threat (APT) group known as UNC4841. This threat actor has previously targeted managed service providers, telecommunications firms, and other organizations to enable espionage and intellectual property theft.

Barracuda has released patches to remediate compromised ESG devices and address the Spreadsheet::ParseExcel vulnerability. However, the underlying flaw in the open-source library itself still needs to be patched.

Organizations using Spreadsheet::ParseExcel in other products are strongly advised to assess their exposure and take risk mitigation steps immediately. Barracuda has filed CVE-2023-7101 for the library vulnerability.

Indicators of Compromise Released

Barracuda has published indicators of compromise associated with this campaign to aid detection and response efforts, including file hashes, network addresses, and other forensic artifacts.

Security teams are advised to review these IOCs against their environments and take appropriate action if compromised hosts or malware are discovered. Extra vigilance is warranted given the cyber espionage motives and ongoing activity associated with this threat actor.

Barracuda states that its investigation into these incidents is ongoing. Further details will be shared as they become available. Customers do not need to take any action at this time as patches have been deployed automatically.
