A Barracuda ESG zero-day tracked as CVE-2023-2868 came to light in May of 2023 and had been exploited since at least October of 2022 to deliver malware and steal data from a limited number of organizations that had been using the email security product. In the attacks, hackers used the vulnerability to access the Barracuda devices by sending emails to the targeted organizations. The groups then used the backdoors SeaSpy, SaltWater and SeaSide, along with trojanized versions of Barracuda LUA modules.
On Christmas Eve, it was announced that the same China-linked group had identified a new vulnerability impacting ESG appliances. The flaw is an arbitrary code execution vulnerability and impacts an open source library used by the Amavis virus scanner present in ESG devices. This new vulnerability was exploited in similar ways to deliver new variants of the SeaSpy and SaltWater malware to a limited number of devices. Barracuda issued a patch for the vulnerability and said that no action was required by customers at that time. The company has made new indicators of compromise available for the recently observed malware variants, infrastructure and exploits.
Read More: Chinese Hackers Deliver Malware to Barracuda Email Security Appliances via New Zero-Day