Amid Latest Hacks, Vendor Remediation Solutions Range from Multiple Security Patches to Free Hardware Replacements

Patch Tuesday seems so simple, with Microsoft releasing the newest security patches promising to plug vulnerabilities in its software. (Not so simple is getting busy IT pros to install the darn things.) Nor is Apple immune to exploitation. A June security alert provided its latest updates to address multiple product vulnerabilities across IOS, macOS, and watchOS. Yet despite our varied patching rituals, the cybersecurity landscape is increasingly complex and vulnerable.

Most recently, several security vulnerabilities have made headlines due to aggressive exploitation by a ransomware gang and hackers with ties to China. One vendor is providing a series of patches for its file transfer software, while another is urging complete hardware replacement because the email security risk is beyond patching. Holy CVE, Batman!

To Patch: Progress Software Releases Patch for MOVEit Transfer Vulnerability Found in May 2023

On May 27, 2023, Progress Software announced that a previously unknown SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, its internet-facing managed file transfer solution, was being exploited by the CL0P ransomware gang—also known as TA505.

According to the CISA Cybersecurity Advisory issued by the Cybersecurity & Infrastructure Security Agency, MOVEit Transfer web applications were infected with a web shell that was then used to steal data from underlying MOVEit Transfer databases.

The CL0P ransomware gang has a recent history of exploiting zero-day vulnerabilities in file transfer devices in order to extort millions of dollars from its victims, including Accellion File Transfer Appliances in 2020 and 2021 and GoAnywhere file transfer servers in early 2023. And now MOVEit Transfer in May 2023.

MOVEit supports MySQL, Microsoft SQL Server, and Azure SQL database engines. According to the advisory, exploitation of the critical SQL injection vulnerability affects the following versions of MOVEit Transfer software: MOVEit Transfer 2023.0.x, 2022.1.x, 2022.0.x, 2021.1.x, 2021.0.x, 2020.1.x, and 2020.0.x.

In its May 31 announcement, Progress Software provided software patches for the MOVEit Transfer versions 2021–2023 above. A special patch is available for 2020.1.x, while customers using 2020.0.x are required to upgrade to a newer, supported version to ensure their transfer environment is secure. Progress urges immediate application of security patches.

Based on evidence of active exploitation, on June 2, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.

To Patch Again: Security Patches Issued for Two More Vulnerabilities Found in MOVEit Transfer in June 2023

On the heels of the critical vulnerability published May 31, 2023, as CVE-2023-34362, two new critical vulnerabilities in Progress Software’s MOVEit Transfer were announced on June 9, 2023 (CVE-2023-35036) and on June 15, 2023 (CVE-2023-35708).

In both cases, “SQL injection vulnerabilities were identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

• According to the June 9 announcement, the SQL vulnerabilities were found in “MOVEit Transfer versions released before 2021.0.7, 2021.1.5, 2022.0.5, 2022.1.6, 2023.0.2. All versions of MOVEit Transfer are affected by this vulnerability. Patches for this vulnerability are available for supported versions.” The Recommended Remediation section of the announcement provides links to the security patches.

• According to the June 15 announcement, the SQL vulnerabilities were found in “MOVEit Transfer versions released before 2021.0.8, 2021.1.6, 2022.0.6, 2022.1.7, 2023.0.3” and included a privilege escalation vulnerability “that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action to help protect your MOVEit Transfer environment.” The Recommended Remediation section of the announcement provides links to the patches.

Progress Software has advised customers to apply all three patches, in chronological sequence beginning with May, to address the May 31, June 9, and June 15 vulnerabilities to ensure their versions of MOVEit Transfer are secure and fully updated.  

And Not to Patch: Barracuda to Replace Hacked Email Security Gateway Appliances

Also in May 2023, Barracuda Networks identified a remote command injection vulnerability in the Barracuda Email Security Gateway (appliance form factor only) in versions 5.1.3.001 through 9.2.0.006.

According to the company’s security advisory, the vulnerability (CVE-2023-2868) stemmed from “incomplete input validation of user-supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product.”

Security Patches Applied But Not Effective. Barracuda's investigation, which is ongoing, determined that a third party did indeed employ this technique to gain unauthorized access to a subset of Email Security Gateway appliances. According to a timeline posted in the security advisory, “On May 20, 2023, a security patch to remediate the vulnerability was applied to all ESG appliances worldwide. On May 21, 2023, a script was deployed to all impacted appliances to contain the incident and counter unauthorized access methods. A series of security patches were being deployed to all appliances in furtherance of our containment strategy.”

Within days, the company observed that “Despite deployment of additional patches based on known indicators of compromise (IOCs), we continue to see evidence of ongoing malware activity on a subset of the compromised appliances.”

Complete Replacement of Hardware Required. Based on that experience and additional information gleaned during its investigation, on June 6, 2023, Barracuda determined that hardware replacement would be required to fully address the zero-day vulnerability. The company noted that only about 5% of active ESG appliances worldwide have shown any evidence of compromise due to the vulnerability.

In the security advisory, the company stated that “Impacted ESG appliances must be immediately replaced regardless of patch version level. Out of an abundance of caution, Barracuda recommends full replacement of compromised ESG appliances,” adding that it will provide replacements to affected customers at no cost.

Investigative Conclusions. Barracuda summarized the primary conclusions resulting from the investigation, with the caveat that the investigation is ongoing.

• The vulnerability existed in a module that initially screens the attachments of incoming emails. “No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified.”

• Earliest identified evidence of exploitation of the vulnerability (CVE-2023-2868) is currently October 2022. This vulnerability was exploited to obtain unauthorized access to a subset of ESG appliances.

• Malware was identified on a subset of appliances, which enabled persistent backdoor access, and there is evidence of data exfiltration on a subset of impacted appliances.

• The exploitation of this vulnerability is widely attributed to UNC4841, a hacking group known for conducting cyberespionage attacks for the People's Republic of China.

To aid in remediation, the security advisory lists the Network and Endpoint Indicators of Compromise as well as the malware that has been identified and provides a chronological description of incident events and responses. Barracuda also recommends that ESG customers rotate any credentials connected to their appliances and check for signs of compromise at least as far back as October 2022 using the network and endpoint indicators it has provided.

Summary

Today, we rely on a vast array of technology to run our businesses. As hardware and software have proliferated, the cybersecurity landscape has become increasingly complex and vulnerable. Hackers and scammers and ransomware gangs are aggressive in exploiting the security vulnerabilities in our digital assets, and vendors can barely keep up with security patches and hardware upgrades. When they do issue patches and software updates, customers need to take them seriously and apply them promptly. And when free hardware replacement is offered to resolve a vulnerability, there is no excuse for allowing your organization to remain at risk.