Community and e mail safety agency Barracuda says it remotely patched all lively E mail Safety Gateway (ESG) home equipment on December 21 in opposition to a zero-day bug exploited by UNC4841 Chinese language hackers.

The corporate deployed a second wave of safety updates a day afterward already compromised ESG home equipment the place the attackers deployed SeaSpy and Saltwater malware.

Disclosed on Christmas Eve and tracked as CVE-2023-7102, the zero-day is because of a weak point within the Spreadsheet::ParseExcel third-party library utilized by the Amavis virus scanner operating on Barracuda ESG home equipment.

Attackers can exploit the flaw to execute arbitrary code on unpatched ESG home equipment by way of parameter injection.

The corporate additionally filed the CVE-2023-7101 CVE ID to trace the bug individually within the open-source library, which continues to be awaiting a patch.

“No motion is required by clients right now, and our investigation is ongoing,” Barracuda mentioned in an advisory issued on December 24.

“Barracuda, working in collaboration with Mandiant, assesses this exercise is attributable to continued operations of the China nexus actor tracked as UNC4841.

“For organizations using Spreadsheet::ParseExcel in their very own services or products, we suggest reviewing CVE-2023-7101 and promptly taking crucial remediation measures.”

Second wave of zero-day assaults this 12 months

In Could, the identical hacker group used one other zero-day (CVE-2023-2868) to focus on Barracuda ESG home equipment as a part of a cyber-espionage marketing campaign.

Barracuda revealed the zero-day had been abused in assaults for at the very least seven months, since at the very least October 2022, to deploy beforehand unknown malware and exfiltrate information from compromised programs.

​They deployed SeaSpy and Saltwater malware and the SeaSide malicious software to achieve distant entry to hacked programs through reverse shells.

Submarine (aka DepthCharge) and Whirlpool malware was deployed in the identical assaults as later-stage payloads to keep up persistence to a small variety of beforehand compromised units on networks of high-value targets.

The attackers’ motivation was espionage, with UNC4841 hackers partaking in focused exfiltration from breached networks to high-profile authorities and high-tech customers.

​Nearly a 3rd of home equipment hacked within the Could marketing campaign belonged to authorities businesses, most of them between October and December 2022, in line with cybersecurity agency Mandiant.

Barracuda warned clients after the Could assaults that they should change all compromised home equipment instantly, even these they’d already patched (round 5% of all home equipment had been breached within the assaults).

Barracuda says greater than 200,000 organizations worldwide use its merchandise, together with prime firms like Samsung, Kraft Heinz, Mitsubishi, and Delta Airways.