Chinese hackers exploiting new Barracuda ESG zero-day to deploy malware


China-linked state-sponsored hackers are exploiting a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances to deploy new variants of the Seaspy and Saltwater malware, the email and network security solutions provider has warned.

Tracked as CVE-2023-7102, the issue stems from an improper input validation flaw (CVE-2023-7101) in the third-party Perl library ‘Spreadsheet::ParseExcel’, which the appliance uses to parse Excel files. A remote attacker can send a specially crafted email with a malicious attachment and execute arbitrary code on the device. The flaw impacts ESG versions 5.1.3 - 9.2.1.001.
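For defenders who need to triage an appliance inventory against the affected range stated above, the following is an added example (not code from the article or from Barracuda) of a version-range check. ESG firmware versions have a varying number of dotted components, so a plain string comparison gets cases like 9.2.1 versus 9.2.1.001 wrong; the helper compares numerically and pads shorter versions with zeros. The host names and versions in the sample inventory are constructed, and the range boundaries are taken from the text.

```python
import re
from typing import List, Tuple

# Affected range as stated in the advisory text (inclusive at both ends).
AFFECTED_MIN = "5.1.3"
AFFECTED_MAX = "9.2.1.001"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted firmware version into numeric components.

    '9.2.1.001' -> (9, 2, 1, 1). Numeric comparison means '10.0.0' sorts
    after '9.2.1', which a string comparison would get wrong.
    """
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is before, equal to, or after b.

    Shorter versions are padded with zeros so that '9.2.1' == '9.2.1.0'
    and '9.2.1' < '9.2.1.001'.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str) -> bool:
    """True when version lies within [AFFECTED_MIN, AFFECTED_MAX]."""
    return compare(AFFECTED_MIN, version) <= 0 and compare(version, AFFECTED_MAX) <= 0


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Annotate (host, version) pairs with whether the version is in range."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or observed versions.
    sample = [
        ("esg-01.example.internal", "9.2.1.001"),
        ("esg-02.example.internal", "9.2.1"),
        ("esg-03.example.internal", "5.1.2"),
        ("esg-04.example.internal", "9.2.2.001"),
    ]
    for host, ver, flagged in triage(sample):
        print(f"{host:28} {ver:12} {'AFFECTED' if flagged else 'not in range'}")
```

A version in range only tells you the appliance was exposed; because Barracuda pushed the fix to active appliances automatically, the patch status and the indicators of compromise from the vendor advisory are what decide whether a given device needs further investigation.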

Spreadsheet::ParseExcel is an open source library used by the Amavis virus scanner within the ESG appliance.

On December 21, 2023, Barracuda deployed a security update to all active ESGs to fix the bug. However, the maintainers of Spreadsheet::ParseExcel have yet to release a patch to address CVE-2023-7101.

According to Barracuda, a Chinese threat actor tracked as UNC4841 has been exploiting the flaw “to deploy a specially crafted Excel email attachment to target a limited number of ESG devices,” on which the new variants of Seaspy and Saltwater backdoors have been deployed. In May, it came to light that the same hacker group targeted another zero-day (CVE-2023-2868) in ESG devices to install Saltwater, Seaside and Seaspy malware.

“On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants,” the vendor said in a security advisory.

The company further noted that only a limited number of ESG appliances worldwide were compromised and that no other Barracuda product, including its SaaS email solutions, was impacted by this vulnerability.
