Barracuda Email Security Gateway (ESG) Appliance has been discovered with an Arbitrary code Execution vulnerability exploited by a China Nexus threat actor tracked as UNC4841.
Additionally, the vulnerability targeted only a limited number of ESG devices.
However, Barracuda has deployed a security update to all the active ESGs to address this vulnerability, and has been automatically applied to all the devices, which does not require any action from the user.
The new vulnerability has been assigned to CVE-2023-7102, and the severity is yet to be categorized.
Chinese Hackers Exploit New Zero-Day
This vulnerability exists due to using a third-party library, “Spreadsheet::ParseExcel,” in the Barracuda ESG appliances.
This open-source third-party library is vulnerable to arbitrary code execution that can be exploited by sending a specially crafted Excel email attachment to the affected device.
The Chinese Nexus threat actors have been using this vulnerability to deploy new variants of SEASPY and SALTWATER malware to the affected devices.
However, Barracuda has patched these vulnerabilities accordingly. Moreover, Barracuda stated, “Barracuda has filed CVE-2023-7102 about Barracuda’s use of Spreadsheet::ParseExcel which has been patched”.
Another vulnerability, CVE-2023-7101, affected the same spreadsheet: ParseExcel, and no patches or updates were available.
Nevertheless, both of these vulnerabilities were associated with a previously discovered vulnerability, CVE-2023-2868, that was exploited by the same threat group in May and June 2023.
Furthermore, a complete report about these vulnerabilities, along with additional information, has been published, which provides detailed information about this vulnerability and the previously discovered vulnerabilities.
Indicators of Compromise
| Malware | MD5 Hash | SHA256 | File Name(s) | File Type |
| CVE-2023-7102 XLS Document | 2b172fe3329260611a9022e71acdebca | 803cb5a7de1fe0067a9eeb220dfc24ca56f3f571a986180e146b6cf387855bdd | ads2.xls | xls |
| CVE-2023-7102 XLS Document | e7842edc7868c8c5cf0480dd98bcfe76 | 952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd | don.xls | xls |
| CVE-2023-7102 XLS Document | e7842edc7868c8c5cf0480dd98bcfe76 | 952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd | personalbudget.xls | xls |
| SEASPY | 7b83e4bd880bb9d7904e8f553c2736e3 | 118fad9e1f03b8b1abe00529c61dc3edf da043b787c9084180d83535b4d177b7 | wifi-service | x-executable |
| SALTWATER | d493aab1319f10c633f6d223da232a27 | 34494ecb02a1cccadda1c7693c45666e1 fe3928cc83576f8f07380801b07d8ba | mod_tll.so | x-sharedlib |
Network IOCs
| IP Address | ASN | Location |
| 23.224.99.242 | 40065 | US |
| 23.224.99.243 | 40065 | US |
| 23.224.99.244 | 40065 | US |
| 23.224.99.245 | 40065 | US |
| 23.224.99.246 | 40065 | US |
| 23.225.35.234 | 40065 | US |
| 23.225.35.235 | 40065 | US |
| 23.225.35.236 | 40065 | US |
| 23.225.35.237 | 40065 | US |
| 23.225.35.238 | 40065 | US |
| 107.148.41.146 | 398823 | US |
