Patch Tuesday seems so simple, with Microsoft releasing the newest security patches promising to plug vulnerabilities in its software. (Not so simple is getting busy IT pros to install the darn things.) Nor is Apple immune to exploitation. A June security alert provided its latest updates to address multiple product vulnerabilities across iOS, macOS, and watchOS. Yet despite our varied patching rituals, the cybersecurity landscape is increasingly complex and vulnerable.
Most recently, several security vulnerabilities have made headlines due to aggressive exploitation by a ransomware gang and hackers with ties to China. One vendor is providing a series of patches for its file transfer software, while another is urging complete hardware replacement because the email security risk is beyond patching. Holy CVE, Batman!
On May 31, 2023, Progress Software announced that a previously unknown SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, its internet-facing managed file transfer solution, was being exploited by the CL0P ransomware gang, also known as TA505. Exploitation had begun on or about May 27, 2023.
According to the Cybersecurity Advisory issued by the Cybersecurity & Infrastructure Security Agency (CISA), MOVEit Transfer web applications were infected with a web shell that was then used to steal data from the underlying MOVEit Transfer databases.
The CL0P ransomware gang has a recent history of exploiting zero-day vulnerabilities in file transfer products in order to extort millions of dollars from its victims, including Accellion File Transfer Appliances in 2020 and 2021, GoAnywhere file transfer servers in early 2023, and now MOVEit Transfer in May 2023.
In its May 31 announcement, Progress Software provided software patches for the supported MOVEit Transfer versions (2021.0.x, 2021.1.x, 2022.0.x, 2022.1.x, and 2023.0.x). A special patch is available for 2020.1.x, while customers using 2020.0.x are required to upgrade to a newer, supported version to ensure their transfer environment is secure. Progress urges immediate application of the security patches.
Based on evidence of active exploitation, on June 2, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
On the heels of the critical vulnerability published May 31, 2023, as CVE-2023-34362, two new critical vulnerabilities in Progress Software’s MOVEit Transfer were announced on June 9, 2023 (CVE-2023-35036) and on June 15, 2023 (CVE-2023-35708).
In both cases, “SQL injection vulnerabilities were identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”
According to the June 15 announcement, the SQL injection vulnerability affects “MOVEit Transfer versions released before 2021.0.8, 2021.1.6, 2022.0.6, 2022.1.7, 2023.0.3” and includes a privilege escalation vulnerability “that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action to help protect your MOVEit Transfer environment.” The Recommended Remediation section of the announcement provides links to the patches.
Progress Software has advised customers to apply all three patches in chronological order (May 31, then June 9, then June 15) so that their MOVEit Transfer installations are secure and fully updated.
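The Progress announcements describe the bug class but not the code. The following is an added illustration, written for this page and not MOVEit Transfer's code or schema: a constructed SQLite database standing in for a file-transfer application's database, a query that concatenates an untrusted request parameter into the SQL text, and the same query with a bound parameter. The two payloads show the “modification and disclosure of database content” the advisory warns about, in this case disclosure of a second table's contents through a UNION. The table names, column names, and API keys are all constructed sample data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema (not MOVEit's): a files table the
    endpoint is meant to query, plus a users table it should never expose."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT)")
    cur.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [("alice", "q2-report.pdf"), ("alice", "payroll.xlsx"), ("bob", "design.docx")],
    )
    cur.executemany(
        "INSERT INTO users (username, api_key) VALUES (?, ?)",
        [("alice", "ak_alice_0001"), ("bob", "ak_bob_0002")],
    )
    conn.commit()
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable pattern: the request parameter is spliced into the SQL
    text, so the database parses attacker-controlled input as SQL."""
    sql = f"SELECT owner, name FROM files WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def list_files_hardened(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened pattern: a bound parameter. The driver passes the value
    separately from the statement, so quotes, UNION and -- stay data."""
    return conn.execute(
        "SELECT owner, name FROM files WHERE owner = ?", (owner,)
    ).fetchall()


# Constructed payloads an unauthenticated client might send in the 'owner'
# parameter. The first bypasses the filter, the second pulls rows from a
# table the endpoint was never meant to read.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT username, api_key FROM users --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, legit :", list_files_vulnerable(db, "alice"))
    print("vulnerable, OR 1=1:", list_files_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print("vulnerable, UNION :", list_files_vulnerable(db, PAYLOAD_UNION))
    print("hardened,   legit :", list_files_hardened(db, "alice"))
    print("hardened,   UNION :", list_files_hardened(db, PAYLOAD_UNION))
```

Against the vulnerable function the UNION payload returns both users' API keys; against the hardened function the same string is simply an owner that does not exist and yields no rows. The fix is the bound parameter, not escaping or filtering of the input.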
Also in May 2023, Barracuda Networks identified a remote command injection vulnerability in the Barracuda Email Security Gateway (appliance form factor only) in versions 5.1.3.001 through 9.2.0.006.
According to the company’s security advisory, the vulnerability (CVE-2023-2868) stemmed from “incomplete input validation of user-supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product.”
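The advisory describes the mechanism, a file name inside a .tar attachment reaching a shell through Perl's qx operator, without showing code. The block below is an added illustration written for this page, not Barracuda's code: it builds a constructed tar archive in memory whose second member name carries shell command substitution, shows the unsafe pattern (name interpolated into a command string handed to /bin/sh, which is what qx does) executing the injected command, and shows the hardened pattern (an argv list with no shell, plus an allowlist on member names) treating the same name as literal text. `echo` stands in for whatever scanner the real module invokes so the demonstration runs harmlessly; the member names and the SAFE_NAME allowlist are assumptions for the example.

```python
import io
import re
import subprocess
import tarfile

# Assumed allowlist for archive member names: path-like characters only,
# nothing the shell interprets (no $ ` ; | & ( ) < > quotes or spaces).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/\-]+$")


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign member and one whose name
    contains $(...) command substitution. Illustrative only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("invoice.pdf", "$(echo INJECTED).pdf"):
            data = b"not really a pdf"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(tar_bytes: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return tar.getnames()


def unsafe_member_names(tar_bytes: bytes) -> list:
    """Member names failing the allowlist. An archive with any of these
    should be rejected before a file name is used in any command."""
    return [n for n in member_names(tar_bytes) if not SAFE_NAME.match(n)]


def scan_vulnerable(name: str) -> str:
    """Unsafe pattern: the untrusted name is interpolated into a command
    string and run through /bin/sh, exactly what Perl's qx// does with a
    string. Command substitution inside the name executes."""
    out = subprocess.run(f"echo scanning {name}", shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def scan_hardened(name: str) -> str:
    """Hardened pattern: no shell. The name is one argv element, so $(...)
    is passed to the program verbatim and nothing is substituted."""
    out = subprocess.run(["echo", "scanning", name],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def process_archive(tar_bytes: bytes) -> list:
    """Full hardened path: reject the archive if any name fails the
    allowlist, otherwise scan each member without a shell."""
    bad = unsafe_member_names(tar_bytes)
    if bad:
        raise ValueError(f"rejected archive, unsafe member names: {bad}")
    return [scan_hardened(n) for n in member_names(tar_bytes)]


if __name__ == "__main__":
    archive = build_sample_tar()
    for n in member_names(archive):
        print("vulnerable:", scan_vulnerable(n))
        print("hardened  :", scan_hardened(n))
    try:
        process_archive(archive)
    except ValueError as exc:
        print(exc)
```

With the shell in the loop, `$(echo INJECTED)` runs and the output reads `scanning INJECTED.pdf`; with an argv list the output is the literal `scanning $(echo INJECTED).pdf`. Dropping the shell is the real fix; the allowlist is a second layer so that a name which has no business in an email attachment never reaches any downstream tool at all.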
Within days, the company observed that “Despite deployment of additional patches based on known indicators of compromise (IOCs), we continue to see evidence of ongoing malware activity on a subset of the compromised appliances.”
Complete Replacement of Hardware Required. Based on that experience and additional information gleaned during its investigation, on June 6, 2023, Barracuda determined that hardware replacement would be required to fully address the zero-day vulnerability. The company noted that only about 5% of active ESG appliances worldwide had shown any evidence of compromise due to the vulnerability.
In the security advisory, the company stated that “Impacted ESG appliances must be immediately replaced regardless of patch version level. Out of an abundance of caution, Barracuda recommends full replacement of compromised ESG appliances,” adding that it will provide replacements to affected customers at no cost.
Investigative Conclusions. Barracuda summarized the primary conclusions resulting from the investigation, with the caveat that the investigation is ongoing.
The vulnerability existed in a module that initially screens the attachments of incoming emails. “No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified.”
Earliest identified evidence of exploitation of the vulnerability (CVE-2023-2868) is currently October 2022. This vulnerability was exploited to obtain unauthorized access to a subset of ESG appliances.
Malware was identified on a subset of appliances, which enabled persistent backdoor access, and there is evidence of data exfiltration on a subset of impacted appliances.
The exploitation of this vulnerability is widely attributed to UNC4841, a cyberespionage group assessed to operate on behalf of the People's Republic of China.
To aid in remediation, the security advisory lists the Network and Endpoint Indicators of Compromise as well as the malware that has been identified and provides a chronological description of incident events and responses. Barracuda also recommends that ESG customers rotate any credentials connected to their appliances and check for signs of compromise at least as far back as October 2022 using the network and endpoint indicators it has provided.
Today, we rely on a vast array of technology to run our businesses. As hardware and software have proliferated, the cybersecurity landscape has become increasingly complex and vulnerable. Hackers, scammers, and ransomware gangs are aggressive in exploiting the security vulnerabilities in our digital assets, and vendors can barely keep up with security patches and hardware upgrades. When they do issue patches and software updates, customers need to take them seriously and apply them promptly. And when free hardware replacement is offered to resolve a vulnerability, there is no excuse for allowing your organization to remain at risk.