SANS NewsBites

Barracuda Urges Users to Replace Compromised ESGs; CL0P Ransomware Group is Exploiting MOVEit Vulnerability; Prioritize MFA

June 9, 2023  |  Volume XXV - Issue #46

Top of the News


2023-06-08

Barracuda: Replace Compromised ESGs Right Away

Barracuda Networks is now urging users to replace compromised Email Security Gateways (ESGs) rather than attempt to patch them. On May 18, Barracuda learned that a zero-day vulnerability in the devices was being exploited; they released patches several days later. Barracuda’s investigation of the issue revealed that it has been exploited since at least October 2022.

Editor's Note

It is always recommended to rebuild systems involved in a compromise "from scratch," and to not just remove specific artifacts left behind by the attacker. But we hardly ever see a vendor's full support. I have not seen details about how Barracuda will replace the devices (easier if they are virtual), but applaud Barracuda. In particular for somewhat customized appliances, it can be difficult to conclusively assess what modifications were made by an attacker.

Johannes Ullrich

A long list of email security and web security gateways have been announcing discovering long-resident zero days. Good idea to preemptively check patch status of ESG and WSG appliances in particular, and to prioritize threat hunting on those network segments.

John Pescatore

Barracuda had previously said they were replacing affected appliances or virtual machines, which has likely generated a queue for physical hardware, so don't wait: get ahold of your sales rep (now) to not only get your request queued up, but also find out what your options are. Have your staff brush up on the replacement process; you don't want the replacement sitting on a shelf, or running in parallel or standby any longer than is absolutely needed. Consider recreating the configuration rather than exporting it from a potentially compromised device.

Lee Neely

Well, this is the worst-case scenario. If someone has a Barracuda Email Security Gateway they want to send my way instead of sending it to the trash, I’m happy to have it. Will this keep Barracuda customers in their eco-system or move them to a cloud-based service? Hard to tell what the impact here is since many customers may be used to refreshing this hardware frequently.

Moses Frost

It seems as though email security gateways have been a target of evil-doers over the last year. Even if you don’t use Barracuda appliances, I still recommend checking patch status for your chosen email security gateway. For Barracuda users, no time like the present to have that difficult customer service discussion with them… and update the appliance.

Curtis Dukes

2023-06-08

CISA/FBI Advisory: MOVEit and CL0P

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory warning that the CL0P ransomware group is exploiting a critical vulnerability in Progress Software’s MOVEit Transfer application. The advisory includes a list of the indicators of compromise and tactics, techniques, and procedures associated with CL0P.


2023-06-08

Guide to Securing Remote Access Software

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD) has published a Guide to Securing Remote Access Software. The document includes sections with recommendations for MSP and SaaS Customers, for MSPs and IT administrators, for developers of products with remote access capabilities, and for all organizations.

The Rest of the Week's News


2023-06-08

US Dept. of the Interior OIG: Critical Systems at Risk

A report from the US Department of the Interior Office of Inspector General describes an inspection of the agency’s password management and enforcement policies. The OIG “found that the Department’s computer system authentication mechanisms and account management practices exhibited weaknesses similar to those that were reportedly exploited in the Colonial Pipeline attack.”

Editor's Note

The major finding was a failure to move to MFA for most (89%) of high value assets. The DoI response was to cite many memos that were written and to state “The Department and the bureaus and offices will take a risk-based approach in prioritizing the conversion of systems and applications from legacy authentication methods to MFA.” There is no real risk-based approach that wouldn’t prioritize moving away from reusable passwords for critical systems. The issue is not risk assessment, it is overcoming bureaucratic and operational obstacles to having a successful transition to strong, phishing-resistant authentication.

John Pescatore

This problem is easier to work today than even five years ago. Everyone got excited about not having to change passwords when NIST SP 800-63-3 came out a few years back. Unfortunately, many didn't catch the part about reviewing them against breach data, not allowing banned words, etc. The good news is there are services you can integrate with your domain controllers to help AD managed passwords meet these requirements, including services in Microsoft Azure. Even so, you're not done at that point: you need to make sure that local passwords and systems not authenticating against AD are included. The good news is most applications now support SAML 2.0 or other mechanisms your IDP already speaks, and the IDP can enable SSO, MFA, and other authentication improvements without re-working the services and applications behind them.

Lee Neely
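The note above refers to the NIST SP 800-63B checks that often get overlooked: screening memorized secrets against breach data and context-specific banned words rather than imposing composition rules. The following is an added example, not part of the newsletter or any vendor's product, of what such a screening routine looks like. The breach corpus and banned-word list are constructed for illustration; in a real deployment they would come from a breach-data service or the on-premises password filter the note mentions, and the check would run on every password set or reset, including local accounts that never touch Active Directory.

```python
import hashlib
import re
from typing import List

# Constructed stand-in for a breach corpus, held as SHA-1 hex digests the way
# a local breach-list lookup typically stores them (sample values, not real
# breach data).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2023!")
}

# Context-specific words an organization would ban (constructed examples:
# agency name, common abbreviations, product names).
BANNED_WORDS = ("interior", "doi", "bureau")

MIN_LEN = 8    # SP 800-63B: memorized secrets must be at least 8 characters
MAX_LEN = 64   # SP 800-63B: verifiers must accept at least 64 characters


def _has_sequence(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive ascending characters (abcd, 1234)."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def screen_password(password: str, username: str = "") -> List[str]:
    """Return the reasons a candidate password is rejected; empty means accepted.

    Deliberately applies no composition rules (uppercase/digit/symbol), in line
    with SP 800-63B, and instead checks length, breach data, banned words,
    the username, and repetitive or sequential characters.
    """
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(password) > MAX_LEN:
        reasons.append("longer than 64 characters")

    lowered = password.lower()
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in breach corpus")
    for word in BANNED_WORDS:
        if word in lowered:
            reasons.append(f"contains banned word {word!r}")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if re.search(r"(.)\1{3,}", password):
        reasons.append("repetitive characters")
    if _has_sequence(lowered):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate, user in (("Summer2023!", "jdoe"),
                            ("correct horse battery staple", "jdoe"),
                            ("jdoe-secret-phrase", "jdoe")):
        verdict = screen_password(candidate, username=user)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The routine returns every failing check rather than stopping at the first, so a help-desk tool or self-service reset page can tell the user exactly why a choice was refused. Hashing the candidate before the corpus lookup keeps the plaintext out of the comparison set, but the corpus itself must be refreshed as new breach data appears or the check decays.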

This OIG report simply highlights the fact that [weak] passwords are still the primary authentication mechanism throughout the federal government. EO 14028, Improving the Nation’s Cybersecurity, called for a move to a zero-trust architecture, with an emphasis on multi-factor authentication (MFA). OMB followed shortly with their own memorandum, M-22-09, that required agencies to meet specific cybersecurity standards in the EO by end of FY2024. I suspect password changes will be made in the short-term but doubtful that we’ll see a move to MFA for another year or so.

Curtis Dukes

2023-06-07

US Cyberspace Solarium Commission 2.0 Report Calls for Rewriting PPD-21

A new report from the Cyberspace Solarium Commission 2.0 calls for revising US Presidential Policy Directive 21 (PPD-21), which informs the public-private sector relationship to improve the cybersecurity of the country’s critical infrastructure. Among the recommendations: clarify CISA’s roles and responsibilities as National Risk Management Agency, and strengthen CISA’s capabilities to fulfill those roles and responsibilities.


2023-06-08

Google Addresses Gmail Spoofing Vulnerability

Google has taken steps to address an issue in the recently-introduced Brand Indicators for Message Identification (BIMI) authentication method. Google told SC Media that the “issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are. To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.”


2023-06-07

VMware Releases Patches for Three Flaws in Aria Operations for Networks

VMware has published fixes for three vulnerabilities in Aria Operations for Networks, which was formerly known as vRealize Network Insight. All three flaws – a command injection vulnerability, an authenticated deserialization vulnerability, and an information disclosure vulnerability – require network access for exploitation.


2023-06-08

Microsoft Visual Studio Installer Vulnerability

Microsoft released a patch for a vulnerability in Visual Studio Installer with its April scheduled patch release. While the vulnerability was rated moderate severity, researchers from Varonis maintain that because it is easily exploitable and affects a product with a 26 percent market share, it merits more immediate attention. The flaw could be exploited to distribute malicious extensions to app developers.


2023-06-07

Cisco Releases Updates to Fix AnyConnect Privilege Elevation Vulnerability

Cisco has released fixes to address a privilege elevation issue affecting the client update feature of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. The “vulnerability exists because improper permissions are assigned to a temporary directory that is created during the upgrade process.”


2023-06-08

Japanese Pharmaceutical Company Hit by Ransomware Attack

The Eisai Group, a Japanese pharmaceutical company, has disclosed that its network was hit by a ransomware attack earlier this month; several servers were encrypted. Eisai took some of its systems offline while it responds to the incident.

Editor's Note

The attack included systems both in and out of Japan, so the impacts may be broader than you may think. Here is a good example of what a prepared response team can do. Note that they are also making a forward-looking statement looking at financial impacts - giving a heads-up to stakeholders sooner than later.

Lee Neely

Internet Storm Center Tech Corner

Geoserver Scans

https://isc.sans.edu/diary/Ongoing+scans+for+Geoserver/29926

DMARC in .co TLD

https://isc.sans.edu/diary/Management+of+DMARC+control+for+email+impersonation+of+domains+in+the+co+TLD+part+2/29922

Github Copilot vs Google: Which Code is More Secure

https://isc.sans.edu/diary/Github+Copilot+vs+Google+Which+code+is+more+secure/29918

RSA Webcast: Another Look at the Five Most Dangerous Attack Techniques

https://www.rsaconference.com/library/webcast/149-sans-followup-2023

Barracuda Recommends Replacing Compromised Devices

https://www.barracuda.com/company/legal/esg-vulnerability

Google Improves Chrome Password Manager

https://www.msn.com/en-us/news/other/chrome-adds-windows-biometric-logins-to-its-password-powers/ar-AA1ciCCf

Minecraft Mods Include Malicious Code

https://www.bleepingcomputer.com/news/security/new-fractureiser-malware-used-curseforge-minecraft-mods-to-infect-windows-linux/

Trend Micro Service Pack

https://files.trendmicro.com/documentation/readme/Apex%20One/2020/apex_one_2019_win_cp_b12033_EN_Critical_Patch_Readme.html

Three Vulnerabilities in VMWare Aria Operations for Networks

https://www.vmware.com/security/advisories/VMSA-2023-0012.html

SpinOK Spyware SDK found in Android Apps

https://vms.drweb.com/search/?q=Android.Spy.SpinOk&lng=en

https://www.cloudsek.com/threatintelligence/supply-chain-attack-infiltrates-android-apps-with-malicious-sdk

Cisco AnyConnect Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw

Android Update

https://source.android.com/docs/security/bulletin/2023-06-01

Chrome Updates

https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html

FBI Warns of Manipulated Photos and Videos For Sextortion

https://www.ic3.gov/Media/Y2023/PSA230605