Advisory

Barracuda patches ESG vulnerability actively exploited by hackers

Take action: Good news and bad news: the Barracuda ESG has been compromised once more, but this time the vendor auto-patched it. Check for indicators of compromise, since your Barracuda ESG may have been attacked before the patch was applied. More broadly, review any other components that use the Spreadsheet::ParseExcel library, because the library itself is still vulnerable.


Learn More

Barracuda disclosed another severe vulnerability in its Email Security Gateway (ESG) appliances, one that has been under active attack by a Chinese government-backed hacking group. The issue, tracked as CVE-2023-7102 (CVSS3 score 9.8), arises from a defect in the open-source library Spreadsheet::ParseExcel, which is used by the ESG's antivirus component. The vulnerability allows attackers to run arbitrary code on affected devices by sending a malicious Excel file via email.

Spreadsheet::ParseExcel is a Perl module designed for parsing and extracting data from Excel files in the older binary formats (.xls), specifically those created in Excel 95, 97, 2000, XP, and 2003.

The attacks are linked to the Chinese APT group UNC4841, as identified by Barracuda in collaboration with Mandiant investigators. After exploiting this flaw, the attackers deployed new variants of the SEASPY and SALTWATER malware to maintain long-term access and extract data from the compromised ESG devices. The same malware families were used in the previous wave of exploitation of Barracuda ESG appliances from May to August.

Barracuda has released patches for the vulnerable ESG devices and is addressing the Spreadsheet::ParseExcel vulnerability within its ecosystem. The security update was deployed to all active ESGs and applied automatically, so no action by the user is required.

In addition, Barracuda has released indicators of compromise (IOCs) connected to this attack campaign. Security teams are encouraged to check their systems against these IOCs and to initiate a full incident response process if compromised hosts or malware are detected. Given the espionage intent and ongoing activity of this threat actor, heightened vigilance is recommended.

It must be noted that the underlying issue in the open-source library is yet to be resolved and proof-of-concept exploits are publicly available. Organizations using this library are urged to evaluate their exposure and take immediate steps to mitigate it.
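The advisory asks organizations to find out where else Spreadsheet::ParseExcel is in use. The following script is an added example written for this page; it is not Barracuda's code and not part of the Perl module. It walks common Perl library directories (the `DEFAULT_ROOTS` list is an assumption and should be extended for appliances that bundle their own Perl), reads the `$VERSION` declaration from every `Spreadsheet/ParseExcel.pm` it finds, and classifies each copy against a fixed version that you supply on the command line, because the advisory itself does not name the patched release. Without that argument it still produces the inventory and reports each copy as "unknown".

```python
"""Inventory installed copies of Spreadsheet::ParseExcel and flag old versions.

Added example for this advisory; not Barracuda's code and not the module's own.
The fixed release is deliberately not hard-coded: pass it as argv[1] after
confirming it against the module's changelog or your vendor's bulletin.
"""
import re
import sys
from decimal import Decimal
from pathlib import Path
from typing import List, Optional, Tuple

# ASSUMPTION: typical Perl @INC locations on Linux; add the paths of any
# product that ships its own Perl (mail gateways, AV scanners, backup agents).
DEFAULT_ROOTS = [
    "/usr/share/perl5", "/usr/lib/perl5", "/usr/lib/x86_64-linux-gnu/perl5",
    "/usr/local/share/perl", "/usr/local/lib/perl5", "/etc/perl", "/opt",
]

# Location of the module relative to any @INC directory.
MODULE_REL_PATH = "Spreadsheet/ParseExcel.pm"

# Matches the usual Perl idioms:  our $VERSION = '0.65';   $VERSION = "0.65";
_VERSION_RE = re.compile(
    r"""^\s*(?:our\s+)?\$VERSION\s*=\s*['"]?([0-9][0-9._]*)['"]?\s*;""", re.M)


def parse_module_version(source: str) -> Optional[str]:
    """Return the $VERSION string declared in Perl module source, or None."""
    m = _VERSION_RE.search(source)
    return m.group(1) if m else None


def version_key(version: str):
    """Sort key for Perl-style versions.

    Two-part versions are decimals ('0.7' > '0.65'); dotted versions are
    compared component-wise ('1.2.10' > '1.2.9'). Underscores mark dev
    releases in Perl and are ignored here.
    """
    v = version.replace("_", "")
    parts = v.split(".")
    if len(parts) == 2:
        return (0, Decimal(v))
    return (1, tuple(int(p) for p in parts))


def assess(version: Optional[str], fixed_version: Optional[str]) -> str:
    """Classify an installed version as 'vulnerable', 'patched' or 'unknown'."""
    if version is None or fixed_version is None:
        return "unknown"
    return "patched" if version_key(version) >= version_key(fixed_version) else "vulnerable"


def find_module_files(roots=DEFAULT_ROOTS):
    """Yield every Spreadsheet/ParseExcel.pm under the given roots, bundled copies included."""
    for root in roots:
        base = Path(root)
        if base.is_dir():
            yield from base.rglob(MODULE_REL_PATH)


def inventory(roots=DEFAULT_ROOTS, fixed_version: Optional[str] = None
              ) -> List[Tuple[str, Optional[str], str]]:
    """Return (path, version, status) for every installed copy of the module."""
    results = []
    for path in find_module_files(roots):
        try:
            version = parse_module_version(path.read_text(errors="replace"))
        except OSError:
            version = None
        results.append((str(path), version, assess(version, fixed_version)))
    return results


if __name__ == "__main__":
    # PLACEHOLDER: the advisory does not state the fixed release; supply it.
    fixed = sys.argv[1] if len(sys.argv) > 1 else None
    rows = inventory(fixed_version=fixed)
    if not rows:
        print("No Spreadsheet::ParseExcel installation found under the default roots.")
    for path, version, status in rows:
        print(f"{status:10} {version or '?':8} {path}")
```

Run it as `python3 inventory_parseexcel.py <fixed-version>` on each host that processes inbound documents; a "vulnerable" or "unknown" copy under a product directory points at a component that deserves the same IOC review the advisory recommends for the ESG itself.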
