What’s new this week in security? It looks like hackers have been very busy doing their hacking job.
Reading this week's news, it is notable that the sophistication and the impact of some of the attacks have reached a new level. The sophistication lies in making them "multipurpose attacks" that expand the initial compromise into other vectors such as credential harvesting, data exfiltration and more. It also includes persistence for that weaponization through custom malware tooling that automatically restores its connection to the command-and-control server. The impact is that web applications, operating systems and devices are left totally unusable after exploitation, which is the ultimate damage.
The FBI issued a warning saying, "remove exploited Barracuda Email appliances from your network." The wide coverage the FBI notification received has encouraged customers to verify whether they are affected, which is a good thing. Barracuda's response time was impressive, with a next-day software fix; they said that only a subset of devices was impacted by this incident, and they will replace any appliance that was affected. The Barracuda ESG appliance CVE is the classic example of how complex security can be: even if you fix a vulnerability in one day and publish the hotfix, the attackers are sometimes way ahead of the fix, having known about the vulnerability long before it was patched.
As part of a group that, among other things, does vulnerability management, we know how much work is involved in these situations and how challenging they can be. We send our strong support to the Barracuda folks. Until next time, keep it safe.
Attackers found a zero-day and started exploiting vulnerable ESG appliances around June. The vendor was notified and a day later, on May 19, published a fix, an effort worth mentioning, as a one-day patch is a fast response. The FBI started investigating some of the compromised devices and issued a warning saying: "…the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability."
Barracuda said that only a "subset of ESG appliances were impacted by this incident" and that, "Out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance," which is the best solution in such cases.
FBI message (PDF): https://www.ic3.gov/Media/News/2023/230823.pdf
Taking control of your device with WinRAR vulnerability number 1, then number 2, and trying to do transactions on broker accounts. Notable points from the news:
“Tracked as CVE-2023-40477 (CVSS score: 7.8), the vulnerability has been described as a case of improper validation while processing recovery volumes.
"The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer,"
An attacker can leverage this vulnerability to execute code in the context of the current process."
[…] the flaw on June 8, 2023. The issue has been addressed in WinRAR 6.23 released on August 2, 2023.”
Then attacks started exploiting the second vulnerability, which was addressed in the same fix.
“On infected systems, Group-IB said, the hackers gained access to the victim’s broker accounts and attempted to conduct unauthorized transactions and withdraw funds. It’s unclear how much money they managed to steal. However, at least in some cases, the cybercriminals caused very small losses, such as $2.”
“The news comes just days after the disclosure of CVE-2023-40477, a different WinRAR vulnerability that can be exploited for arbitrary code execution by getting the targeted user to open a specially crafted file.”
The Flax Typhoon attack lets the attacker use the Windows Management Instrumentation command-line (WMIC) and PowerShell to do anything they wish as an administrator.
The attack is nicely presented in this article, and it is worth reading to understand the many levels of hacking done here.
Path traversal still works. Notable points from the news:
“Path traversal protections were already in place to protect against exactly this kind of attack, but didn't defend against certain non-standard URL encoding for UTF-16 characters that were not supported by the embedded web server that was in use at the time,”
“As a result, a threat actor could abuse this weakness to bypass authentication requirements for admin console pages. The vulnerability has since come under active exploitation in the wild, including by attackers associated with the Kinsing (aka Money Libra) crypto botnet malware.”
“A Shodan scan conducted by the cybersecurity firm reveals that of more than 6,300 Openfire servers accessible over the internet, roughly 50% of them are running affected versions of the open-source XMPP solution.”
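The Openfire weakness the quotes above describe, as an added example that is not code from the article or from the Openfire project: a traversal check that only understands standard %XX escapes beside one that also decodes the non-standard %uXXXX form carrying UTF-16 code units (assumed here to be the encoding the quote refers to), run over constructed request paths; the hardened version also reduces double-encoded input, which goes beyond what the quote mentions.

```python
import re
from urllib.parse import unquote

# Non-standard "%uXXXX" escapes carry one UTF-16 code unit each. Python's
# unquote() only understands "%XX" and leaves them untouched, which is the
# same gap the quoted text describes for the embedded web server.
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def naive_is_traversal(path: str) -> bool:
    """The flawed check: decode standard %XX escapes once, then look for '..'."""
    return ".." in unquote(path).split("/")


def decode_fully(path: str) -> str:
    """Decode %uXXXX and %XX escapes repeatedly until nothing changes, so a
    doubly-encoded path is reduced to its final form too (deliberately strict)."""
    prev, cur = None, path
    while cur != prev:
        prev = cur
        cur = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), cur)
        cur = unquote(cur)
    return cur


def hardened_is_traversal(path: str) -> bool:
    """Decode every escape form first, treat '\\' as a separator as some servers
    do, and only then reject any '..' segment."""
    decoded = decode_fully(path).replace("\\", "/")
    return ".." in decoded.split("/")


# Constructed request paths (not from the article) with the correct verdict.
SAMPLE_REQUESTS = {
    "/setup/index.jsp": False,              # ordinary admin-console page
    "/setup/../admin.jsp": True,            # plain traversal
    "/setup/%2e%2e/admin.jsp": True,        # standard %XX escapes
    "/setup/%252e%252e/admin.jsp": True,    # double-encoded %XX escapes
    "/setup/%u002e%u002e/admin.jsp": True,  # non-standard UTF-16 escapes
}


def missed_by(checker) -> list:
    """Return the sample paths on which a checker gives the wrong verdict."""
    return [p for p, expect in SAMPLE_REQUESTS.items() if checker(p) != expect]


if __name__ == "__main__":
    print("naive misses:   ", missed_by(naive_is_traversal))
    print("hardened misses:", missed_by(hardened_is_traversal))
```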