IT News

On May 31, 2023, Progress Software released a security bulletin about a critical vulnerability in MOVEit Transfer.

The security bulletin states:

“a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.“

This means the vulnerability could lead to an attacker gaining escalated privileges and unauthorized access to the environment.

MOVEit Transfer is a widely used file transfer software which encrypts files and uses secure File Transfer Protocols to transfer data. As such it has a large userbase in the healthcare industry and many others. Progress advertises MOVEit as the leading secure Managed File Transfer (MFT) software used by thousands of organizations around the world to provide complete visibility and control over file transfer activities.

To give you an idea of the possible impact, a Shodan search query for exposed MOVEit Transfer instances yielded over 2,500 results, most of which belong to US customers.

Several researchers have observed that this vulnerability is being exploited in the wild. BleepingComputer says it has information that cybercriminals have been exploiting the zero-day in the MOVEit MFT software to perform massive data downloads from organizations.

The method used to compromise systems is to drop a webshell in the wwwroot folder of the MOVEit install directory. This allows the attacker to obtain a list of all folders, files, and users within MOVEit, download any file within MOVEit, and insert an administrative backdoor user into, giving attackers an active session to allow credential bypass

The Cybersecurity and Infrastructure Agency (CISA) is urging users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.

Several researchers have provided methods to make the hunt easy. These are the ones I could find:

• MoveIT-WebShellCheck a Python script by ZephrFish
• Sigma rule by Florian Roth
• Yara rule by Florian Roth
• Sigma rule by tsale

Note: A Sigma rule is a generic and open YAML-based signature format that enables a security operations team to describe relevant log events in a flexible and standardized format. YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics.

Mitigation

All MOVEit Transfer versions are affected by this vulnerability. See the table below for the security patch for each supported version.

The method recommended by Progress is to:

1. Disable web traffic

Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. More specifically, modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied. It is important to note, that until HTTP and HTTPS traffic is enabled again:

• Users will not be able to log on to the MOVEit Transfer web UI 
• MOVEit Automation tasks that use the native MOVEit Transfer host will not work
• REST, Java and .NET APIs will not work
• MOVEit Transfer add-in for Outlook will not work
• SFTP and FTP/s protocols will continue to work as normal
• Administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/.

2. Review, Delete and Reset

• Delete unauthorized files and user accounts
• Delete any instances of the human2.aspx and .cmdline script files.
• On the MOVEit Transfer server, look for any new files created in the C:MOVEitTransferwwwroot directory, and for new files created in the C:WindowsTEMP
  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  
  
  directory with a file extension of [.]cmdline
• Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded.
• Reset Credentials
• Reset service account credentials for affected systems and MOVEit Service Account

3. Apply the Patch

Patches for all supported MOVEit Transfer versions are linked below. Please note, the license file can remain the same to apply the patch.

4. Enable we traffic, verify, monitor

Enable all HTTP and HTTPs traffic to your MOVEit Transfer environment. Then confirm the files have been successfully deleted and no unauthorized accounts remain by following follow the steps under “Review, Delete and Reset” again. If you do find indicators of compromise, you should reset the service account credentials again. Monitor network, endpoints, and logs for IoCs (Indicators of Compromise).

Malwarebytes

Malwarebytes blocks traffic to five malicious IP addresses—138.197.152.201, 209.97.137.33, 5.252.191.0/24, 148.113.152.144, 89.39.105.108—that were found to look for vulnerable systems, and detects the malicious C:MOVEitTransferwwwroothuman2.aspx as Exploit.Silock.MOVEit.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The Idaho Falls Community Hospital fell victim to a cyberattack on Monday May 29, 2023. As a result, the hospital had to divert ambulances to other nearby hospitals and close some of its clinics. 

The hospital is keeping the public updated through its website and Facebook page.

“Our commitment to our patients’ well-being continues to remain our top priority. As we continue to recover from a cyberattack, we want to assure everyone Idaho Falls Community Hospital and Mountain View Hospital remain open and continue to safely care for all our patients. The vast majority of our partner clinics are also seeing patients as usual. Our doctors, nurses and other care providers continue to be here for you.”

The hospital said that patients will be contacted by their provider if their appointments are impacted.

According to the initial statement, the hospital’s IT team identified the attack quickly and took immediate action to limit the impacts and keep all patient information safe and secure.

While the exact nature of the cyberattack is unknown at this point and the hospital calls it a “virus”, it is more likely that it is dealing with a ransomware attack. By definition, a virus is a program or piece of code, that runs against your wish and can replicate itself. I put emphasis on “replicate” for a reason. This is because the replication factor is a very important component in the definition of a virus.

Viruses are usually destructive in nature and almost never yield monetary gain to the cybercriminals. Ransomware is just as crippling, but its primary goal is extortion, which is usually paired with data theft. The stolen data will be used as extra leverage to convince the victim to pay, or else the data will be sold or published. And since the hospital emphasized that they managed to “keep all patient information safe and secure” this is a more likely scenario than an actual virus.

It is no secret that healthcare providers are attractive targets to ransomware gangs. Because of their nature they offer a large attack surface. That means they use all kinds of equipment which could be vulnerable and they need to be easily accessible both on and offline. On top of that they are likely to have a host of sensitive data stored on their systems.

Early on during the COVID-19 pandemic, promises were made by some ransomware gangs to leave hospitals alone. But cybercriminals behaving like criminals isn’t something we should be shocked about, and attacks on healthcare providers have been on the rise ever since.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Every single Amazon Ring employee was able to access every single customer video, even when it wasn’t necessary for their jobs. 

Not only that, but the employees—along with workers from a third-party contractor in Ukraine—could also download any of those videos and then save and share them as they liked, before July 2017.

That’s what the FTC has alleged in a recent complaint, for which Amazon is facing a settlement of $5.8 million.

And, unsurprisingly, some employees abused that access right. 

In one example, the FTC says a Ring employee viewed thousands of videos from at least 81 different female users. The employee allegedly went looking for camera feeds that suggested they may have been used in the most private of areas, such as “Master Bedroom,” “Master Bathroom,” and “Spy cam”. 

Between June and August 2017, the employee looked through the videos for at least an hour a day on hundreds of occasions. Another employee noticed and reported it to their supervisor who allegedly told them that it was “normal” for an engineer to view so many accounts.

From the FTC complaint:

“Only after the supervisor noticed that the male employee was only viewing videos of “pretty girls” did the supervisor escalate the report of misconduct. Only at that point did Ring review a portion of the employee’s activity and, ultimately, terminate his employment.”

As a result of that incident, Ring narrowed its employees’ access rights in September 2017, so that customers had to consent to customer service agents accessing their videos. However, Ring continued to allow hundreds of other employees and third-party contractors access to all video data, regardless of whether they actually needed it in order to perform their jobs.

So, then, more abuse of that access occurred. In January 2018, a male employee used his access rights to spy on a female colleague’s videos, looking her up using her email address.

In February 2018, employee access rights were narrowed further, with engineers (both employees and third-party contractors) only given access to customer videos if there was a business need. Videos used for research and development were limited to those posted by customers to Ring’s Neighbors app, and those for which employees, contractors, and their friends and family had given their written consent for such use.

In Februrary 2019, Ring changed its access practices again so that most Ring employees or contractors could only access a customer’s private video with that customer’s consent.

The FTC lists several further examples of access abuse and spying. According to the complaint, Ring actually has no idea how much inappropriate access went on, because there were no detection measures in place:

“Importantly, because Ring failed to implement basic measures to monitor and detect inappropriate access before February 2019, Ring has no idea how many instances of inappropriate access to customers’ sensitive video data actually occurred.”

Bad apples aside, before May 2018 Ring also wasn’t conducting any employee training on privacy or data security, despite the fact that the company was collecting huge amounts of highly sensitive data. Nor did it advise employees or third-party contractors that customer video data was sensitive and should be treated as such.

Customers had no idea their video was able to be accessed by so many employees. The FTC says that before December 2017, Ring’s Terms of Service and Privacy Policy didn’t say Ring employees and contractors would have the right to review all video recordings for product improvement and development:

In the middle of lengthy terms dense with legalese, Ring merely described the company’s right to use recordings obtained in connection with Ring’s (then called Doorbot’s) cloud service for product improvement and development. 

The FTC says Ring also failed to implement basic security measures to protect users from threats such as credential stuffing and brute force attacks, despite warnings from employees and external security researchers, nor did it implement multi-factor authentication (MFA) until May 2019, long after many competitors had done so.

As a result of these bad practices, Ring suffered several security incidents. Between January 2019 and March 2020, the FTC alleges that more than 55,000 customers had their Ring devices compromised. In some instances cybercriminals used the two-way communication to terrorise Ring customers, like something from a horror movie:

• Several women lying in bed heard hackers curse at them
• Several children had racist slurs thrown at them
• An elderly woman in an assisted living facility was sexually propositioned and physically threatened
• A digital intruder told a woman through her camera that they had killed her mother, and then said: “Tonight you die”
• A woman was told her location was being tracked and that her device would self-destruct at the end of a countdown. She disconnected the device before the countdown ended.

Aside from the fine, Ring has been ordered to delete any customer videos and data collected from an individual’s face—known as “face embeddings”—that Ring obtained before 2018. Ring must also delete any work products it derived from the videos.

Children’s privacy

In a separate settlement announced the same day, Amazon agreed to pay $25 million for failing to protect children’s privacy. 

The Department of Justice filed the complaint and proposed settlement on behalf of the FTC. The complaint alleged that Amazon kept Alexa voice and geolocation information associated with young users for years while preventing parents from using their rights to delete their kids’ data under the Children’s Online Privacy Protection Act (COPPA) rule.

The FTC said in a post that kids’ speech patterns could have been especially valuable to Amazon since they differ from those of adults:

“Children’s speech patterns are markedly different from adults, so Alexa’s voice recordings gave Amazon a valuable data set for training the Alexa algorithm and further Amazon’s commercial interest in developing new products.”

Alongside the $25 million settlement, Amazon will be banned from using children’s voice information and geolocation data for creating or improving a data product. It must also delete inactive child accounts on Alexa, and notify users about the government action against the company and of its retention and deletion practices.

Additionally, Amazon will have to implement a privacy program to govern its use of geolocation information.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A series of security errors and mishaps has cost personal loan provider OneMain $4.25m in penalties, issued by the New York State department of financial services. The fines, coming at the end of a detailed investigation into how security practices at the company were determined to be below-par, serve as a timely warning to other organisations.

OneMain experienced “at least” three security incidents over three years, from 2018 to 2020. The business is a licensed lender and mortgage servicer and as SC Magazine notes, financial entities should adhere to a framework of security requirements. These requirements include that best practices are evident at all times to ensure both consumer data and internal systems are safe from harm. From the DFS release:

…OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500). OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.  

Unfortunately for OneMain, the New York State investigation highlighted several major issues which resulted in the eventual settlement. Going back to the release for some examples:

…OneMain permitted local administrative users to share accounts, compromising the ability to identify malicious actors, and also permitted those accounts to use the default password provided by OneMain at the time of user onboarding, increasing the risk of unauthorized access.

Use of default passwords is bad enough, but SC Magazine also notes that a file containing passwords was stored in a folder named “PASSWORDS”. Add to this that access restrictions were not good enough, and you have a recipe for disaster.

The release continues:

The Department’s investigation further found that OneMain’s application security policy lacked a formalized methodology addressing all phases of the company’s software development life cycle. Instead, OneMain used a non-formalized project administration framework it had developed in-house that failed to address certain key software development life cycle phases, a consequence of which was increased vulnerability to cybersecurity events. 

Failing to have any sort of coherent strategy for software life cycles is never going to end well. Whether a business ignores Windows updates, or even maintaining security for bespoke setups and software, the possibility of falling victim to an attack can only ever go up as time passes.

So far we’ve seen issues with default passwords, data storage, and software life cycle management. This alone would be bad enough. However, the next issue pulled up as evidence of the fine-worthy practices may well be the worst of the bunch. We go once more to the release:

OneMain did not conduct timely due diligence for certain high- and medium-risk vendors, despite the existence of a third-party vendor management policy requiring that each vendor undergo an assessment to determine the vendor’s risk rating and the appropriate level of due diligence OneMain should perform on the vendor. OneMain further failed to appropriately adjust several vendors’ risk scores even after the occurrence of multiple cybersecurity events precipitated by the vendors’ improper handling of non-public information and poor cybersecurity controls.

What this means is that OneMain worked with various third-party vendors without doing their due diligence in terms of potential security threats. This is despite many of the vendors being flagged as medium to high risk.

With all of this in mind, it’s perhaps easy to see why the New York State DFS started down the road to such a fine. Even so, The Record notes that OneMain reported $1.09 billion in revenue for the first quarter of 2023. While we can ponder if a few million in fines makes much of a difference overall, OneMain has agreed to “engage in further significant remediation measures”. It remains to be seen what the consequences will be should they not stick to the plan.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The US Cybersecurity and Infrastructure Security Agency (CISA) has an urgent message for US businesses: watch out for Volt Typhoon, a threat actor sponsored by the People’s Republic of China (PRC).

The agency’s joint Cybersecurity Advisory (CSA) published last week highlights a cluster of tactics, techniques, and procedures (TTPs) associated with the cyber actor—including their use of living off the land (LOTL) techniques.

In this blog, we’ll review Volt Typhoon, dig into how they evade detection, discuss CISA’s protective recommendations, and see how Malwarebytes EDR can help eliminate such threats.

Who is Volt Typhoon?

Given their ties to the Chinese government, it’s fair to label Volt Typhoon as an Advanced Persistent Threat (APT) group.

Well-funded and made up of an elite squadron of hackers, APT groups target high-value entities like governments, large corporations, or critical infrastructure. They often deploy multi-stage, multi-vector approaches with a high degree of obfuscation and persistence.

Volt Typhoon is no exception.

Since their arrival on the scene in mid-2021, Volt Typhoon has targeted several critical infrastructure organizations in Guam and elsewhere in the United States. Their victims come from a wide-range of industries, including communications, government, information technology (IT), education, and more.

Observed behavior suggests that the aim of Volt Typhoon is, like most APT groups, not a quick hit but a long-term presence within a system, allowing them to gather as much information as possible while remaining undetected.

Now that we know the basics of who Volt Typhoon is and what they’re after, let’s dive into the specifics of their tools, techniques, and procedures (TTPs).

How Volt Typhoon evades detection

At the heart of Volt Typhoon’s espionage campaigns are their use of living off the land (LOTL) attacks, which are instances when attackers leverage legitimate tools to evade detection.

The fact that so much of the CISA advisory revolves around Volt Typhoon’s use of LOTL techniques emphasizes that these types of threats are a serious concern. By mimicking normal system behavior, LOTL attacks make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities.

Script Block Logging records all blocks of code as they’re executed by PowerShell, which could you point to suspicious activity. Source.

Some of the built-in tools Volt Typhoon uses are wmic, ntdsutil, netsh, and PowerShell.

Let’s look at two examples of how Volt Typhoon uses LOTL attacks at different stages in the attack chain.

LOTL Example #1: Reconnaissance

Volt Typhoon gathers information about local drives using the wmic command, which is a part of the legitimate Windows Management Instrumentation (WMI) toolset.

This command line tool lets them gather details like drive letter, filesystem type, free space, and volume name without needing administrative privileges.

Understanding the storage layout and capacity of the host machine in this way can, for example, help them tailor their tools and techniques to the specific system.

cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"

LOTL Example #2: Credential Access

Volt Typhoon attempts to capture two vital assets from Windows Domain Controllers (DCs): the ntds.dit file and the SYSTEM registry hive. Both of these contain a wealth of data, including user details, group affiliations, and encrypted passwords—all of which can be goldmines for unauthorized actors.

To access this information, they utilize the built-in Windows service called Volume Shadow Copy Service. This service helps them create clones of the ntds.dit file and the SYSTEM registry hive, both typically locked due to their importance.

These cloned copies allow Volt Typhoon to avoid modifying the original files, thereby maintaining stealth. By acquiring these files, the attackers can work towards decrypting passwords offline without raising alarms.

cmd /c vssadmin create shadow /for=C: > C:WindowsTemp<filename>.tmp

cmd /c copy \?GLOBALROOTDeviceHarddiskVolumeShadowCopy3WindowsNTDSntds.ditC:WindowsTemp > C:WindowsTemp<filename>.tmp

CISA best practices

Uncovering LOTL attacks such as the type that Volt Typhoon uses requires picking up on subtle anomalies or patterns in system behaviors.

Likewise, CISAs advice to businesses emphasizes the importance of enhancing detection of potential LOTL attacks through robust logging mechanisms, inspecting abnormal account activities, and more:

Malwarebytes EDR

Suspicious Activity monitoring with Malwarebytes can detect possible LOTL techniques like the type Volt Typhoon uses. Let’s take the the LOTL Example #2—Credential Access—we explained earlier.

As we described, the actor is trying to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking, which is an example of OS Credential Access defined as T1003 by MITRE.

Using Malwarebytes EDR, we can find suspicious activity like this and quickly isolate the endpoint with which it’s associated.

The “dumping” occurs when the `ntds.dit file` and the SYSTEM registry hive are copied from the original (and typically inaccessible due to being locked) location to the `C:WindowsTemp directory`. This process is effectively extracting or “dumping” the data into a new, more accessible location.

Luckily, Malwarebytes EDR alerted us to this suspicious process and, after investigation, we were able to remediate the endpoint with which the suspicious activity was associated with. 

Responding to nation-state sponsored attacks quickly and effectively

The recent information on Volt Typhoon’s activities has catapulted them to the top of cybersecurity concerns for businesses and organizations across the United States.

Sponsored by the Chinese state, Volt Typhoon employs a gamut of stealthy techniques that make their activities challenging to detect. Chief among these tactics is the use of Living Off the Land (LOTL) techniques and leveraging built-in tools—like wmic, ntdsutil, netsh, and PowerShell—for infiltration and persistence within target networks.

To combat these advanced persistent threats, businesses should pair CISA’s recommendations with tools like Malwarebytes EDR to identify and isolate the suspicious activities typical of LOTL attacks.

For organizations without the expertise to manage EDR solutions, Managed Detection and Response (MDR) services are also an attractive option.

MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to APT threats like Volt Typhoon quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection.

Stop APT attacks today

On May 18, 2023, Apple published security content for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7 that addressed a logic issue in libxpc.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE we are going to discuss is listed as CVE-2023-32369, which allows an app to modify protected parts of the macOS file system.

At the time there were no other details provided. This is usual and done to give users ample time to implement the necessary patches. But now Microsoft has published a blogpost that provides details about the vulnerability and how it was discovered during a routine malware hunt.

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If not, you can follow the instructions on how to update macOS on Mac.

libxpc is a closed source project that is part of XPC, which is the enhanced inter-process communication (IPC) framework used in macOS/iOS. In computer science, IPC refers specifically to the mechanisms an operating system provides to allow processes to manage shared data.

One of the security related functions of libxpc is System Integrity Protection (SIP). SIP is a security technology designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the Mac operating system. SIP is enabled by default on all modern macOS software releases.

This means that only certain processes—signed by Apple—have special entitlements to write to protected parts of macOS. This includes things like Apple software updates and Apple installers.

The Microsoft security engineers that are credited in the Apple security content however, found a flaw that allowed attackers with root permissions to add a malicious payload to SIP’s exclusions list and launch it. Because they managed to pull this off by abusing the macOS Migration Assistant utility, they named the vulnerability Migraine.

Successfully exploiting this vulnerability would allow an attacker that had somehow managed to obtain root privileges to install a rootkit which would be protected by SIP. SIP can only be disabled by following this procedure:

1. Restart your system in Recovery mode.
2. Launch Terminal from the Utilities menu.
3. Run the command csrutil disable.
4. Restart your system.

Because SIP is controlled through the Mac’s NVRAM, enabling or disabling SIP affects all versions of the Mac operating system that are installed on the system. NVRAM (nonvolatile random-access memory) is a small amount of memory that your Mac uses to store certain settings and access them quickly.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

On May 20, Barracuda Networks issued a patch for a zero day vulnerability in its Email Security Gateway (ESG) appliance. The vulnerability existed in a module which initially screens the attachments of incoming emails, and was discovered on May 19.

Barracuda’s investigation showed that the vulnerability resulted in unauthorized access to a subset of email gateway appliances. A remote unauthenticated attacker could send a specially crafted archive to the appliance and execute arbitrary Perl commands on the target system. The affected versions of ESG are 5.1.3 – 9.2.

Consequently a security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20. After further investigation a second patch was sent out on May 21, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is:

CVE-2023-2868: CVSS score 9.4 out of 10. A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only). The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker could specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Barracuda says users whose appliances are believed to be impacted have been notified via the ESG user interface about the actions they need to take. It says it has also reached out to these specific customers. Updates will be posted to the product status page.

The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The due date for FCEB agencies for this vulnerability is June 16, 2023. CISA also warned that these types of vulnerabilities are frequent attack vectors for malicious cyberactors and pose a significant risks to the federal enterprise.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Last week on Malwarebytes Labs:

• Update now: 9 vulnerabilities impact Cisco Small Business Series
• ChatGPT: Cybersecurity friend or foe?
• Webinar recap: EDR vs MDR for business success
• Identity crisis: How an anti-porn crusade could jam the Internet, featuring Alec Muffett: Lock and Code S04E11
• Malvertising via brand impersonation is back again
• Update now! Apple issues patches for three actively used zero-days
• Google to pay $40m for “deceptive and unfair” location tracking practices
• Employee guilty of joining ransomware attack on his own company
• AI generated Pentagon explosion photograph goes viral on Twitter
• CISA updates ransomware guidance
• Webinar alert: How Coffee County Schools safeguards 7500 students and 1200 staff
• Tracking down a trojan: An inside look at threat hunting in a corporate network
• Rheinmetall attacked by BlackBasta ransomware
• “Beautiful Cookie Consent Banner” WordPress plugin vulnerability: Update now!
• Zyxel patches two critical vulnerabilities

Stay safe!

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Zyxell has released a security advisory for multiple buffer overflow vulnerabilities. Exploitation of these vulnerabilities could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on the affected Zyxell firewalls.

Affected users should patch as a matter of urgency, and we urge you not to expose the management interfaces of network edge devices to the Internet, in order to reduce their attack surface.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-33009: A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1.

CVE-2023-33010: Another buffer overflow vulnerability in the ID processing function in the same Zyxel firmware versions.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

Both vulnerabilities received a CVSS score of 9.8 out of 10. In case that isn’t enough reason for you to act urgently, it is worth remembering that it only took four days for the first active exploitation to take place after Zyxel patched CVE-2022-30525 last year.

The security advisory lists the vulnerable firewall series that are within their vulnerability support period:

• ATP versions ZLD V4.32 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
• USG FLEX versions ZLD V4.50 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
• USG FLEX50(W) / USG20(W)-VPN versions ZLD V4.25 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
• VPN versions ZLD V4.30 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
• ZyWALL/USG versions ZLD V4.25 to V4.73 Patch 1 are covered by  ZLD V4.73 Patch 2.

How to install updates

Login to your ZLD appliance and go to Configuration → Licensing → Registration → Service and click the Service License Refresh button.  This must be done before you can access your myZyxel account to download new firmware patches. This will sync necessary info with the myZyxel server (info like running firmware version, MAC Address, S/N, etc.).

Open an internet browser and go to URL: https://portal.myzyxel.com/ and login to your account.

Once in your account dashboard, find the ZLD router you wish to download firmware for and click on the Download button under the “Firmware Update” column.

Once downloaded, there may be up to four ways you can update the firmware, you can update the firmware manually via the Web GUI, you can FTP into the router and upload the firmware, you can utilize the Automatic Cloud Firmware update feature introduced on firmware version 4.25, or upgrade via USB flash drive.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

WordPress plugins are under fire once more, and you’re advised to update your version of Beautiful Cookie Consent Banner as soon as possible. The plugin, which is installed on more than 40,000 sites, has been impacted by a “bizarre campaign”  being actively used since at least February 5 of this year.

The plugin is designed to present users with a cookie banner “without loading any external resources from third parties”. Sadly the cookie has crumbled with a flaw leaving sites open to the possibility of rogue JavaScript abuse.

The flaw was actually patched way back in January, but considering how long some folks can leave updates it’s going to take a while to have this one settle down. The best example of this update-related security drag is the fact that despite the plugin update, attacks are still in full flow. Researchers have observed:

3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023.

The plugin exploit is a cross-site scripting attack (XSS), a type of attack that injects malicious code into otherwise benign websites. Most XSS attacks require users to click on doctored links, and only work if they do, because the malicious code isn’t retained by the site being attacked. The vulnerability in the Beautiful Cookie Consent banner allows for the more dangerous stored XSS, in which an attacker causes the site to remember the malicious code and regurgitate it to all of its users.

The potential for mischief and mayhem with this kind of compromise is large. Perhaps someone could use scripts to redirect visitors to malware, or phishing pages, or even create malicious admin users. Maybe the rogue admin could add a phishing login page to the website itself, without the real admins knowing about it.

What’s interesting with this one, and perhaps why it’s being tagged as “bizarre”, is that the attack is misconfigured with attacks containing a “partial payload”. In essence, bits of JavaScript code are missing. As the researchers put it, the misconfigured exploit…

…expects a customised payload, and the attacker has simply failed to provide one.

Even so, they note that even in its misconfigured state it still has the potential to corrupt the configuration of the plugin so it will no longer work as expected. There is also the possibility of the individual(s) responsible adding in a functional payload at a later date.

The latest version of the plugin is 2.10.2. Anything below this is at risk of attack. If your site has been impacted by this vulnerability, once you upgrade patched versions will repair alterations made by said attack. If you think you might be at risk, or you’re unsure which version you’re running, now is the time to pop over to the plugin’s WordPress page and see if an update is required.

Attacks are ongoing, and will likely continue. Numbers have ramped up dramatically over the past month, so it would be best to lock your site plugins down now. In fact, it would probably be a good idea to check the update status of all of your site plugins. Why wait until you see the name of something you use appearing in a news article next month when you can get one step ahead of the game right now?

Keeping WordPress safe

The following preventative maintenance could save you a lot of trouble:

• Update existing plugins. If you use WordPress you can check if you have any plugins that need updating by logging in to your site and going to Dashboard > Updates. (The Themes and Plugins menu items will also have red circles next to them if any need updating.) Update everything.
• Turn on automatic updates for plugins. By default, WordPress does not update plugins automatically. You can enable this on a per-plugin basis by going to the Plugins screen and clicking Enable auto-updates next to each plugin.
• Remove unsupported plugins. Go to the Plugins screen and click View details for each plugin. This screen shows you the last version of WordPress the plugin was tested with, and when it was last updated. It will also display an alert if it thinks the plugin is no longer supported.
• Remove unnecessary plugins. Check out how many plugins and themes you have installed on your site. Do you need them all? Can any of them be removed or replaced? Generally, fewer is better.

If you can’t make enough time available to keep on top of theme and plugins, it might be a good time to accept that you don’t need the risk and hand the job to an agency or hosting company.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW