Cyber Security Briefing, 5 – 9 June
Barracuda urges immediate replacement of compromised ESG appliances
Security firm Barracuda has issued a warning urging organisations affected by the 0-day vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliances to replace the devices completely. Although the flaw has been patched and the attackers’ access to the compromised devices has been removed, the company’s recommendation is to replace the affected devices immediately, regardless of the patch version installed. The exact scope of the incident is still unknown.
The vulnerability, which has been exploited for at least seven months, allows remote code injection via incoming email attachments, enabling the installation of custom malware, uploading or downloading of files, command execution, persistence and the establishment of reverse shells to a server controlled by the attacker. Affected users have already been notified via the ESG user interface. Barracuda urges organisations that have not yet replaced their devices to contact support urgently by email.
Joint CISA and FBI Advisory regarding CLOP ransomware
As part of the #StopRansomware campaign, CISA and the FBI have jointly issued an alert including new tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the CLOP ransomware. The advisory highlights the group’s exploitation of CVE-2023-34362, a 0-day vulnerability in MOVEit Transfer, to deploy a web shell called LEMURLOOT on victim systems and steal data.
CLOP, in a statement on its TOR network website, acknowledged that this vulnerability has compromised hundreds of companies and said it is giving those affected until 14 June to contact the group and begin ransom negotiations. If no agreement is reached within 72 hours of the start of negotiations, the group says it will publish the data.
Kroll researchers also found evidence of similar activity in the logs of affected customers, indicating that threat actors had been testing access and data mining on compromised MOVEit Transfer servers since at least 2021.
Critical vulnerabilities in Cisco products
Cisco has issued several security advisories to correct a total of 8 vulnerabilities, 2 of which are classified as critical, 3 as high risk and 3 as medium risk. The most critical flaws affect the Cisco Expressway Series and Cisco TelePresence Video Communication Server products and have been registered as CVE-2023-20105 and CVE-2023-20192. The first derives from incorrect handling of password change requests and would allow an attacker to alter the passwords of any user on the system.
The second could allow a local, authenticated attacker to execute commands and modify system configuration parameters. Cisco says there is no evidence that these vulnerabilities have been exploited, but recommends that users update their assets as soon as possible to mitigate these security flaws.
New Chrome security update
Google has issued a security update for its Chrome browser that addresses two vulnerabilities, one of which is classified as highly critical. This security flaw was identified by security researcher Clément Lecigne on 1 June 2023 and has been registered as CVE-2023-3079; its CVSS score is still pending. It is a vulnerability in V8 that would allow a remote attacker to create an HTML page that triggers privilege escalation and executes arbitrary code.
It should also be noted that Google has indicated it is aware that an exploit for this vulnerability exists. The flaw has been fixed in version 114.0.5735.106 for Mac and Linux and version 114.0.5735.110 for Windows.