Barracuda Says ‘Small Number’ Of ESG Customers Impacted In New Attacks
The attacks — which Barracuda and Mandiant attributed to the same China-linked group behind prior attacks against Email Security Gateway customers — have been exploiting a vulnerability in a third-party library.
Barracuda said Tuesday that a “small number” of Email Security Gateway customers have been impacted in a new wave of attacks attributed to a China-linked group.
Google Cloud-owned cybersecurity firm Mandiant took part in attributing the new Barracuda ESG attacks to a group it tracks as UNC4841, which is believed to work in support of China’s government. Mandiant had previously attributed the widespread 2023 attacks against Barracuda ESG customers to UNC4841.
On Dec. 24, Barracuda disclosed that some ESG customers have been impacted in the new attacks exploiting a vulnerability in a third-party library. The arbitrary code execution vulnerability (tracked as CVE-2023-7102) has now been patched, Barracuda said in the Dec. 24 post.
In a statement provided to CRN on Tuesday, the company noted that the vulnerability “is the same vulnerability as previously uncovered, but in this instance, it is being used specifically in the open-source library of the Barracuda ESG product.”
“Only a small number of ESG customers are impacted by this,” Barracuda said in the statement.
A second vulnerability disclosed Dec. 24, tracked as CVE-2023-7101, “is in a third-party open-source library, ExcelParser, not owned by Barracuda,” the company said. “We filed the CVE to encourage the author to patch this vulnerability.”
2023 Attacks
Initially disclosed by Barracuda in late May 2023, the previous attack campaign leveraged a critical vulnerability in the company’s ESG on-premises appliances. Further investigation from the company and Mandiant found that the vulnerability had been exploited as far back as October 2022.
Barracuda disclosed in June that it believed 5 percent of active ESG appliances had been compromised by attackers.
The attacks prompted the highly unusual recommendation from Barracuda that affected customers should actually replace their ESG devices.
Mandiant researchers reported that government agencies were “disproportionately” targeted in the attacks, with a particular focus on the U.S.
As late as August 2023, Barracuda was saying that it “continues to recommend that impacted customers replace their compromised appliance.” The company noted that it would provide replacement devices for free to impacted customers.