Highlights:
- Collaborating with Google LLC’s cybersecurity firm Mandiant, Barracuda attributed the group responsible for the attacks to the threat actor UNC4841.
- The group UNC4841, in previous operations, targeted companies and organizations in sectors such as military, defense, aerospace, high-tech, and telecommunications.
Barracuda Networks Inc. has addressed a vulnerability in its Email Security Gateway appliances that was reportedly exploited by a suspected hacking group, implementing necessary patches to enhance security.
Identified as CVE-2023-7102, the vulnerability is categorized as an arbitrary code execution vulnerability within a third-party library, Spreadsheet::ParseExcel. Arbitrary code execution vulnerability represents a security weakness enabling an attacker to execute commands or deploy code of their choosing on a targeted system or within a specific software application.
The identified threat actor exploiting the vulnerability was observed employing a specifically crafted Excel email attachment to target a restricted set of Email Security Gateway (ESG) devices. After gaining unauthorized access, the threat actor was observed deploying new strains of malware, namely Seaspy and Saltware, on several Email Security Gateway (ESG) devices.
Barracuda swiftly addressed the vulnerability by deploying a security update to all active Email Security Gateways (ESGs) on December 21. This update was automatically applied, eliminating the need for customers to take any manual action.
Collaborating with Google LLC’s cybersecurity firm Mandiant, Barracuda attributed the group responsible for the attacks to the threat actor UNC4841. The identical threat actor was linked to comparable attacks targeting Barracuda Email Security Gateways (ESGs) earlier in the year.
The prior attack on Barracuda Email Security Gateways (ESGs) was identified in May. In a subsequent analysis conducted by Mandiant, points of overlap between the infrastructure used by the threat actor UNC4841 and that of other hacking groups were identified.
While specific details regarding which Barracuda customers were targeted in the recent attack have not been disclosed, it is known that UNC4841 has a historical focus on espionage activities. The group UNC4841, in previous operations, targeted companies and organizations in sectors such as military, defense, aerospace, high-tech, and telecommunications.
In August, Erich Kron, security awareness advocate at KnowBe4 Inc., said, “Espionage continues to be a significant focus for many threat actors, especially those that are nation-state sanctioned.”
In response to the Spreadsheet::ParseExcel vulnerability addressed under CVE-2023-7102, Barracuda filed a second vulnerability, CVE-2023-7101. Currently, no known patch or update is available for the second vulnerability identified in the open-source library.
Barracuda advises organizations utilizing Spreadsheet::ParseExcel in their products or services to review CVE-2023-7101 and promptly implement necessary remediation measures.