MOVEit, Barracuda ESG CVEs, Alexa-Ring FTC case, MCNA, PYPI - May29 -June4 F5 SIRT This Week in Security
F5 SIRT This Week in Security
MOVEit, Barracuda ESG CVEs, Alexa-Ring FTC case, MCNA breach, PYPI PYC malware evasion - May 29th-June 4th 2023
Introduction
Arvin is your editor for F5 SIRT's This Week in Security covering 29th May to 4th June 2023.
Here's the quick summary of the security news I found interesting.
First on the list: MOVEit Transfer, Progress Software's managed file transfer product, has a critical unauthenticated SQL injection vulnerability in its web application, assigned CVE-2023-34362. Per Mandiant's report it is being mass exploited by a threat cluster tracked as UNC4857, which uses it to deploy the LEMURLOOT web shell for follow-on data theft. Progress has released fixes and recommends that installations be updated as soon as possible.
Amazon's Ring and Alexa products were collecting sensitive user data and handling it badly. Per the FTC, Ring stored customers' videos unencrypted and made them accessible to any employee or contractor, and Alexa kept children's voice recordings indefinitely unless a parent asked for their deletion, which the FTC says violates the Children's Online Privacy Protection Act; Amazon argued the recordings were retained to train its AI models to recognize children's voices. A privacy nightmare. America's Federal Trade Commission settled with Amazon for a total of $30.8 million ($5.8 million for Ring and $25 million for Alexa). In my opinion, a very small price to pay for the potential damage to affected users. Technology companies should do better in protecting their users' sensitive data.
Managed Care of North America (MCNA), a dental insurer that administers dental benefits for Medicaid and CHIP members, was breached by the LockBit gang, the same group behind the attack on SickKids, the Hospital for Sick Children in Toronto, Canada. Medicaid and CHIP provide "free or low-cost" health coverage to some low-income people, families and children, pregnant women, the elderly, and people with disabilities, so much of the stolen data concerns vulnerable people. Per the breach notice, the attackers accessed "certain systems" and were able to "remove copies of some personal information" between February 26 and March 7. The LockBit ransomware gang claimed "credit" for the attack and published the data, presumably including the children's information, on its dark web leak site back in March, seemingly after ransom demands were not met. MCNA offered affected individuals 12 months of credit monitoring with identity theft protection service IDX. The entry point of a breach can be anywhere on a wide attack surface. As defenders, we should keep our systems up to date on software fixes; ensure protections such as AV and EDR are installed and current; grant access to the organization's systems only to trusted users and add authentication checks such as 2FA; deploy WAFs, IPS and firewalls; and run logging, monitoring and alerting that make it harder for threat groups to operate unnoticed. It is a big task but a necessary one.
An unnamed threat actor has been exploiting CVE-2023-2868 in the Barracuda Email Security Gateway (ESG), a remote command injection vulnerability caused by incomplete input validation of user-supplied .tar files: crafted file names inside the archive reach Perl's qx operator and result in remote execution of a system command with the privileges of the ESG product. Per Barracuda's announcement: "ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now." Compromised appliances were further exploited by dropping three malware families onto them: Saltwater, a backdoor with file transfer, command execution, proxy and tunneling capabilities; Seaspy, a persistence backdoor that installs itself as a PCAP filter to monitor traffic on port 25 and shares code with the cd00r backdoor; and Seaside, a Lua-based module that watches incoming SMTP HELO/EHLO commands for the command-and-control IP address and port to use and then establishes a reverse shell for further exploitation.
Mixing malware into Python byte code (.pyc) files evades security tools that only check source (.py) files and not compiled output. Security researchers at ReversingLabs found the fshec2 package using this technique in the Python Package Index (PyPI), a supply chain risk. PyPI had previously been hit by waves of automated account creation and malicious submissions, which provided a smoke screen that made detecting this technique harder. After the issue was reported to the PyPI security team the package was removed, and PyPI is working to harden the repository's security.
Credit to the original posts.
I hope this security news is informative. Thanks for reading and see you on the next one.
Deployed publicly accessible MOVEit Transfer? Oh no. Mass exploitation underway
Security researchers and the US government have sounded the alarm on a flaw in Progress Software's MOVEit Transfer that criminals have been "mass exploiting" for at least a month to break into IT environments and steal data.
Progress disclosed some info about the SQL-injection vulnerability in its multi-tool file-transfer product on Wednesday, and warned that exploitation "could lead to escalated privileges and potential unauthorized access to the environment."
The software maker has just released patches for the security hole. There's now MOVEit Transfer 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, and 2021.0.6 available to fix the insecure code.
Earlier the biz urged customers to take "immediate action" (in other words: move it!) to protect their environments, including disabling all HTTP and HTTPS traffic to deployments of MOVEit Transfer.
https://www.theregister.com/2023/06/01/moveit_transfer_zero_day/
Progress, the maker of MOVEit, has documented its vulnerability response and timeline; this critical vulnerability is assigned CVE-2023-34362:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
Mandiant documented its research on CVE-2023-34362. The report includes an analysis of LEMURLOOT, the web shell deployed through this MOVEit exploit, along with sample file hashes that organizations can use as indicators of compromise to check whether the web shell ended up on their systems, and a YARA rule for detecting LEMURLOOT ASP.NET scripts:
LEMURLOOT Analysis
LEMURLOOT is a web shell written in C# tailored to interact with the MOVEit Transfer platform. The malware authenticates incoming connections via a hard-coded password and can run commands that will download files from the MOVEit Transfer system, extract its Azure system settings, retrieve detailed record information, create and insert a particular user, or delete this same user. Data returned to the system interacting with LEMURLOOT is gzip compressed.
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
There is also a PoC video of this MOVEit CVE
https://www.linkedin.com/posts/johnhammond010_the-moveit-transfer-exploitation-is-not-just-activity-7071667381848182784-rlrx?utm_source=share&utm_medium=member_desktop
Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine
America's Federal Trade Commission has made Amazon a case study for every cautionary tale about how sloppily designed internet-of-things devices and associated services represent a risk to privacy – and made the cost of those actions, as alleged, a mere $30.8 million.
The e-tail giant’s Ring home security cam subsidiary was accused of “compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.”
“Not only could every Ring employee and Ukraine-based third-party contractor access every customer’s videos (all of which were stored unencrypted on Ring’s network), but they could also readily download any customer’s videos and then view, share, or disclose those videos at will,” reads the FTC's complaint.
https://www.ftc.gov/system/files/ftc_gov/pdf/complaint_ring.pdf
“Amazon retained children’s recordings indefinitely—unless a parent requested that this information be deleted,” the FTC alleged. “And even when a parent sought to delete that information… Amazon failed to delete transcripts of what kids said from all its databases.”
Amazon argued the data retention was necessary to, among other things, train Alexa’s underlying AI models to improve the recognition of children’s voices.
Unfortunately for Amazon, the US Children’s Online Privacy Protection Act requires parents to be informed of how data about kids under 13 is used, and such data is to be expunged if it is no longer needed to provide a service.
The FTC has proposed an order that will see Ring cough up $5.8 million (£4.7 million) to settle the matter.
https://www.ftc.gov/system/files/ftc_gov/pdf/proposed_stipulated_order_ring.pdf
Amazon has also agreed to pay $25 million (£21 million) to settle the Alexa-and-kids-related allegations.
In a statement, an Amazon spokesperson said: “While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.”
https://www.theregister.com/2023/06/01/ftc_alexa_ring_amazon_settlement/
https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-doj-charge-amazon-violating-childrens-privacy-law-keeping-kids-alexa-voice-recordings-forever
Criminals spent 10 days in US dental insurer's systems extracting data of 9 million
LockBit gang claimed 'trophy' of spilling low income families' details.
The criminals who hit one of the biggest government-backed dental care and insurance providers in the US earlier this year hung about for 10 days while they extracted info on nearly 9 million people, including kids from poverty-stricken homes.
Managed Care of North America (MCNA) bills itself as "providing high quality services to state agencies and managed care organizations for their Medicaid, Children's Health Insurance Program (CHIP), and Medicare members." Medicaid and CHIP provide "free or low-cost" health coverage to some low-income people, families and children, pregnant women, the elderly, and people with disabilities.
According to the breach notice, available on the group's website (https://response.idx.us/MCNA-Information/) and in a filing with the attorney general for the state of Maine (https://apps.web.maine.gov/online/aeviewer/ME/40/895b95c8-abc8-41f1-8c3f-b0415575de56.shtml), the attackers broke into MCNA's servers on February 26 and were able to access "certain systems" and "remove copies of some personal information" between then and March 7. This included a huge range of data, from patients' full names, dates of birth, addresses, telephone numbers, and email addresses to their Social Security numbers, driver's license numbers or government ID numbers, and health insurance information, and in some cases even included dental X-rays. The company claimed "not all data elements were involved for all individuals."
Along with an apology, MCNA offered affected individuals 12 months of credit monitoring with identity theft protection service IDX, which some would consider to be on the low side considering the amount of personally identifiable information about customers of MCNA clients that was leaked, as well as advice on how to "check your bills and accounts to be sure they look correct." The affected individuals only have until a certain date to activate the credit monitoring, a field left blank on the form letter the group sent to affected patients. We've asked it for more info.
It added:
Because we may not have addresses for everyone, we are posting this substitute notice on this website, as allowed by the Health Insurance Portability and Accountability Act (HIPAA). This substitute notice will remain active for at least 90 days.
https://www.theregister.com/2023/05/31/mcna_breach/
A related article on the December 2022 SickKids ransomware attack, which was carried out with LockBit's ransomware:
https://www.wired.co.uk/article/lockbit-ransomware-attacks
FBI FLASH report (February 2022) on LockBit 2.0 TTPs:
https://www.ic3.gov/Media/News/2022/220204.pdf
Barracuda Email Security Gateways bitten by data thieves
Act now: Sea-themed backdoor malware injected via .tar-based hole
A critical remote command injection vulnerability in some Barracuda Network devices that the vendor patched 11 days ago has been exploited by miscreants – for at least the past seven months.
Barracuda said it discovered the bug, tracked as CVE-2023-2868, in its Email Security Gateway (ESG) appliance on May 19 and pushed a patch to all of these products globally the following day.
In a security alert posted on Tuesday, however, the vendor disclosed that the vulnerability was under active exploit long before the patch arrived. The flaw, which affects versions 5.1.3.001 to 9.2.0.006 of the ESG appliance, can and has been abused to run remote commands on targeted equipment, hijack them, and deploy data-stealing spyware on the boxes.
The attackers exploited the hole to break into "a subset" of Barracuda ESG appliances, and then dropped in some malware to allow for persistent backdoor access and data theft, we're told.
Soon after spotting abnormal traffic originating from its email security products, Barracuda called in Mandiant to help with an investigation.
Last Friday, the US government's Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-2868 to its Known Exploited Vulnerabilities Catalog.
https://www.cisa.gov/news-events/alerts/2023/05/26/cisa-adds-one-known-exploited-vulnerability-catalog
Saltwater, Seaspy and Seaside, oh my
The flaw, a remote command injection vulnerability, is due to incomplete input validation of a user-supplied .tar archive. Remote attackers can format the filenames in that archive in a way that allows them to execute a system command through Perl's qx operator when the file is processed.
After exploiting CVE-2023-2868 in the wild, the unnamed attacker deployed three types of malware on the compromised email security devices.
First, a backdoor dubbed Saltwater for uploading and downloading files, and executing commands. It also included proxy and tunneling capabilities.
Next, the crooks deployed Seaspy, an x64 persistence backdoor disguised as a legitimate Barracuda service. Seaspy establishes itself as a PCAP packet filter to monitor network traffic on port 25.
This piece of malware shares some code with cd00r, a publicly available backdoor, according to Mandiant and Barracuda.
And finally, Seaside is a Lua-based module that monitors incoming SMTP HELO/EHLO commands that, interestingly enough, tell it which command-and-control IP addresses and ports to use, and establishes a reverse shell for the attackers to issue commands.
Customers should ensure that their ESG appliances are receiving and installing updates and patches, and if your product has been compromised: stop using it and contact Barracuda at support[at]barracuda[dot]com. See the advisory for indicators of compromise.
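The qx() pattern described above, re-created as an added example in Python rather than Perl and not taken from Barracuda's code or the advisory: a tar member name is spliced into a shell command string (the flawed handler) next to a handler that allow-lists the name and passes it as an argv element so no shell ever parses it. The member names, the allow-list regex and the use of `wc -c` as a stand-in for the gateway's scanning command are constructed assumptions; it needs a POSIX shell.

```python
"""Tar member names as a command-injection vector: the flawed handler beside a fix.

Added example, not Barracuda's code. Re-creates the bug class the advisory describes
(an untrusted archive member name interpolated into a shell command, i.e. Perl's
qx("... $name")) so both handlers can be run against the same archive. Assumes POSIX sh.
"""
import io
import os
import re
import subprocess
import tarfile
import tempfile

# Assumed policy for names a gateway is willing to touch: one path component,
# alphanumeric start, no shell metacharacters, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

BENIGN_NAME = "report.txt"
# Constructed malicious member name: ';' terminates the intended command and
# '#' comments out whatever the handler appends after the name.
CRAFTED_NAME = "report.txt; echo INJECTED #"


def build_tar(names, payload=b"hello\n"):
    """Build an in-memory .tar whose members carry the given names (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def scan_vulnerable(tar_bytes):
    """Flawed handler: the raw member name is spliced into a shell command string.
    Returns the shell's stdout for each member; an injected command shows up here."""
    outputs = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf, tempfile.TemporaryDirectory() as d:
        for m in tf.getmembers():
            path = os.path.join(d, m.name)
            with open(path, "wb") as f:
                f.write(tf.extractfile(m).read())
            # The shell tokenizes the whole string, so metacharacters in the name run.
            r = subprocess.run(f"wc -c {path}", shell=True, capture_output=True, text=True)
            outputs.append(r.stdout)
    return outputs


def scan_hardened(tar_bytes):
    """Fixed handler: accept only regular files with allow-listed names, then invoke the
    tool with an argv list so the name is never parsed by a shell. Returns byte counts."""
    sizes = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf, tempfile.TemporaryDirectory() as d:
        for m in tf.getmembers():
            if not m.isfile() or not SAFE_NAME.fullmatch(m.name):
                raise ValueError(f"rejected tar member name {m.name!r}")
            path = os.path.join(d, m.name)
            with open(path, "wb") as f:
                f.write(tf.extractfile(m).read())
            r = subprocess.run(["wc", "-c", path], capture_output=True, text=True, check=True)
            sizes.append(int(r.stdout.split()[0]))
    return sizes


def hardened_rejects(name):
    """True if the hardened handler refuses an archive containing this member name."""
    try:
        scan_hardened(build_tar([name]))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(scan_vulnerable(build_tar([CRAFTED_NAME])))  # the injected echo ran
    print(scan_hardened(build_tar([BENIGN_NAME])))
    print(hardened_rejects(CRAFTED_NAME))
```

Feeding the crafted archive to scan_vulnerable returns INJECTED, proof that the appended command executed; scan_hardened raises before the name reaches any process. Escaping the name for the shell would be a weaker fix than the argv form, since the escaping then has to match the shell's parsing exactly; a tight allow-list, as here, also keeps path separators and traversal out of the name.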
https://www.theregister.com/2023/05/31/datastealing_email_attack_bites_barracuda/
https://www.barracuda.com/company/legal/esg-vulnerability
This malicious PyPI package mixed source and compiled code to dodge detection
Researchers recently uncovered the following novel attack on the Python Package Index (PyPI).
ReversingLabs detected a Python package in April that mixed malware with compiled code as a way to evade detection by security tools that only check source code files and not compiled output.
"It may be the first supply chain attack to take advantage of the fact that Python byte code (PYC) files can be directly executed, and it comes amid a spike in malicious submissions to the Python Package Index," Karlo Zanki, a reverse engineer at ReversingLabs, wrote in a report on Thursday.
"If so, it poses yet another supply chain risk going forward, since this type of attack is likely to be missed by most security tools, which only scan Python source code (PY) files."
That said, PyPI is working to harden its security. That means removing automatic PGP signature support, announcing Amazon Web Services as the group's security sponsor – including a $144,000 investment to fund security projects – and creating a security engineer role.
https://www.theregister.com/2023/06/02/novel_pypi_attack_reversinglabs/
https://www.reversinglabs.com/blog/pypi-hackers-code-new-tactic.-researchers-caught-em-red-handed
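To make the .pyc evasion concrete, here is an added example (mine, not ReversingLabs' tooling and not code from the fshec2 package) that builds a constructed package whose real logic ships only as payload.pyc with the source removed, then runs three checks a package reviewer can apply: list .pyc files that have no sibling .py, find loader code in .py files that points at a .pyc, and read the names a .pyc references through marshal without executing it. The last function deliberately imports the .pyc to show that bytecode runs with no source present. The package layout, the payload, the loader and the WATCHLIST module names are all constructed for the example; it assumes CPython 3.7 or later, whose .pyc header is 16 bytes.

```python
"""Find and inspect bytecode-only modules in a Python package (added example)."""
import importlib.util
import marshal
import os
import py_compile
import tempfile

# Constructed payload source; the package will ship only its compiled form.
PAYLOAD_SOURCE = (
    "import base64\n"
    "def run():\n"
    "    return base64.b64decode(b'c3RhZ2Vk').decode()\n"
)

# Constructed __init__.py: wires the .pyc into the import system by hand.
LOADER_SOURCE = (
    "import importlib.util, os\n"
    "_p = os.path.join(os.path.dirname(__file__), 'payload.pyc')\n"
    "_s = importlib.util.spec_from_file_location('payload', _p)\n"
    "_m = importlib.util.module_from_spec(_s)\n"
    "_s.loader.exec_module(_m)\n"
)

# Assumed watchlist: modules whose use inside source-less bytecode deserves review.
WATCHLIST = {"base64", "marshal", "subprocess", "os", "socket", "urllib", "ctypes"}


def build_package(root):
    """Create <root>/pkg holding __init__.py (loader) and payload.pyc only."""
    pkg = os.path.join(root, "pkg")
    os.makedirs(pkg)
    src = os.path.join(pkg, "payload.py")
    with open(src, "w") as f:
        f.write(PAYLOAD_SOURCE)
    py_compile.compile(src, cfile=os.path.join(pkg, "payload.pyc"), doraise=True)
    os.remove(src)  # source gone: a .py-only scanner has nothing left to read
    with open(os.path.join(pkg, "__init__.py"), "w") as f:
        f.write(LOADER_SOURCE)
    return pkg


def orphan_pyc_files(pkg_dir):
    """.pyc files outside __pycache__ that have no sibling .py source."""
    orphans = []
    for d, _, files in os.walk(pkg_dir):
        if os.path.basename(d) == "__pycache__":
            continue
        for fn in files:
            if fn.endswith(".pyc") and fn[:-1] not in files:  # drop trailing 'c' -> .py
                orphans.append(os.path.join(d, fn))
    return sorted(orphans)


def pyc_loader_hits(pkg_dir):
    """(file, line_no, text) for source lines that load a .pyc by hand."""
    hits = []
    for d, _, files in os.walk(pkg_dir):
        for fn in sorted(files):
            if not fn.endswith(".py"):
                continue
            with open(os.path.join(d, fn)) as f:
                for n, line in enumerate(f, 1):
                    if ".pyc" in line or "spec_from_file_location" in line:
                        hits.append((fn, n, line.strip()))
    return hits


def names_in_pyc(path):
    """co_names of the code object and every nested code object, read statically.
    marshal.load builds the objects but runs nothing; needs the same CPython version."""
    with open(path, "rb") as f:
        if f.read(4) != importlib.util.MAGIC_NUMBER:
            raise ValueError("pyc was built by a different Python version")
        f.read(12)  # flags + mtime/size or source hash (3.7+ header is 16 bytes)
        code = marshal.load(f)
    names, stack = set(), [code]
    while stack:
        c = stack.pop()
        names.update(c.co_names)
        stack.extend(k for k in c.co_consts if hasattr(k, "co_code"))
    return names


def execute_pyc(path):
    """What the loader does: import the bytecode with no source present, call run()."""
    spec = importlib.util.spec_from_file_location("payload_demo", path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod.run()


def demo():
    """Build the constructed package, run every check, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        pkg = build_package(root)
        orphans = orphan_pyc_files(pkg)
        names = names_in_pyc(orphans[0])
        return {
            "orphans": [os.path.relpath(p, pkg) for p in orphans],
            "loader_hits": [(fn, n) for fn, n, _ in pyc_loader_hits(pkg)],
            "flagged": sorted(WATCHLIST & names),
            "executed": execute_pyc(orphans[0]),
        }


if __name__ == "__main__":
    print(demo())
```

demo() reports payload.pyc as an orphan, two loader lines in __init__.py, base64 as the flagged name, and "staged" as the value the bytecode produced when imported. The static read via marshal is the safe step; it is version-bound, so for a .pyc built by another interpreter the same check needs a decompiler or disassembler for that version rather than marshal.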