Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Martin Vondrous, SOC Analyst.
Top stories – 9th June 2023
- Urgent Security Updates: Cisco and VMware Address Critical Vulnerabilities
- Barracuda Urges Immediate Replacement of Hacked ESG Appliances
- Outlook.com hit by outages as hacktivists claim DDoS attacks
- Google fixes new Chrome zero-day flaw with exploit in the wild
- Verizon DBIR: Social Engineering Breaches Double, Leading to Spiraling Ransomware Costs
Urgent Security Updates: Cisco and VMware address critical vulnerabilities
- Critical vulnerabilities found in VMware Aria Operations for Networks can disclose information and allow remote code execution
- Apply the security updates promptly, as there are no workarounds available
- Cisco suggests disabling CLI access for read-only users, and RenderDoc has addressed its own security flaws
VMware has released security updates to address three vulnerabilities discovered in Aria Operations for Networks. These vulnerabilities have the potential to lead to information disclosure and remote code execution. The most critical vulnerability, known as CVE-2023-20887, has a CVSS score of 9.8 and involves a command injection vulnerability. It allows an attacker with network access to remotely execute code. Another vulnerability, CVE-2023-20888, rated 9.1 on the CVSS scoring system, is a deserialization vulnerability that enables a malicious actor with network access and valid “member” role credentials to perform a deserialization attack, resulting in remote code execution. The third vulnerability, CVE-2023-20889, with a CVSS score of 8.8, is an information disclosure bug. It permits an attacker with network access to perform a command injection attack and gain access to sensitive data.
These vulnerabilities impact VMware Aria Operations Networks version 6.x. The company has addressed these issues in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. Unfortunately, there are no workarounds available to mitigate these vulnerabilities, highlighting the importance of applying the updates promptly.
Cisco recommends disabling command-line interface (CLI) access for read-only users as a workaround for CVE-2023-20192. The vulnerabilities have been addressed in VCS versions 14.2.1 and 14.3.0.
While there is currently no evidence of these vulnerabilities being exploited in real-world attacks, it is crucial to apply the provided patches as soon as possible to mitigate potential risks. Additionally, RenderDoc, an open-source graphics debugger, has also addressed security flaws (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865) that could allow an attacker to gain elevated privileges and execute arbitrary code.
Barracuda urges immediate replacement of hacked ESG appliances
- Replace affected Barracuda ESG appliances immediately due to critical zero-day flaw (CVE-2023-2868)
- Exploited for 7 months, flaw allows remote code injection in versions 5.1.3.001 to 9.2.0.006
- Flaw led to customized malware, data theft, and multiple malware families discovered
Barracuda, an enterprise security company, is urging customers affected by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to replace them immediately. The company stated that impacted ESG appliances should be replaced regardless of the patch version level. Barracuda’s recommended remediation at this time is a full replacement of the affected ESG devices.
The critical flaw, identified as CVE-2023-2868 with a CVSS score of 9.8, has been exploited as a zero-day vulnerability for at least seven months since October 2022. The vulnerability involves remote code injection and affects versions 5.1.3.001 through 9.2.0.006. It arises from incomplete validation of attachments in incoming emails. Barracuda addressed the vulnerability on May 20 and May 21, 2023.
The exploit of this flaw has been used to deliver customized malware and steal data. Three distinct malware families associated with the exploitation have been discovered so far. These malware variants possess various capabilities, including uploading or downloading arbitrary files, executing commands, establishing persistence, and establishing reverse shells to a server controlled by the threat actor.
The full extent of the incident is still unknown. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended that federal agencies apply the fixes for this vulnerability by June 16, 2023.
Outlook.com hit by outages as hacktivists claim DDoS attacks
- Outlook.com experiences DDoS attacks by Anonymous Sudan, causing disruptions
- Microsoft addresses the issues but faces ongoing attacks and technical issues
- Anonymous Sudan demands $1,000,000 to stop the assaults and taunts Microsoft
Outlook.com, the email service provided by Microsoft, has experienced a series of outages, including multiple disruptions yesterday and continued issues today. Hacktivists identifying themselves as Anonymous Sudan have claimed responsibility for performing Distributed Denial of Service (DDoS) attacks on the service.
Yesterday’s outages caused significant disruptions for global Outlook users, impacting their ability to access or send emails and use the mobile Outlook app. Frustrated users took to Twitter to express their complaints about the intermittent email service, noting the negative impact on their productivity.
Microsoft has attributed these outages to technical issues and provided updates on Twitter, indicating that they have applied mitigations but subsequently acknowledged the problem reoccurring. They stated that they are working on further mitigations to address the situation.
Meanwhile, Anonymous Sudan has claimed responsibility for the outages, stating that they are conducting DDoS attacks on Microsoft as a protest against the US involvement in Sudanese internal affairs. The group warned that they can target any US company and expressed their intention to continue targeting large US companies, government entities, and infrastructure. They have taunted Microsoft in statements regarding the repeated DDoS attacks on Outlook and Microsoft 365 services.
In a provocative message, the group suggested that Microsoft pay them $1,000,000 USD to teach their cybersecurity experts how to repel the attacks and stop the assault from their end.
The situation remains ongoing, with Outlook.com users experiencing intermittent service disruptions while Microsoft and relevant authorities work to address the technical issues and respond to the DDoS attacks.
Google fixes new Chrome zero-day flaw with exploit in the wild
- Google releases security update for Chrome to address third zero-day vulnerability
- Users should promptly update Chrome to the latest version (114.0.5735.110 for Windows, 114.0.5735.106 for Mac and Linux) to mitigate potential risks
Google has released a security update for its Chrome web browser to address a third zero-day vulnerability that hackers have exploited this year. The company acknowledged the existence of an exploit for the vulnerability, identified as CVE-2023-3079, and classified it as a high-severity issue. However, Google has not provided specific details about the exploit or the attacks it was used in, following its usual practice of withholding technical information to protect users until they have updated to a secure version of the browser.
Zero-day vulnerabilities are often exploited by sophisticated state-sponsored threat actors, primarily targeting high-profile individuals in government, media, or other critical organizations. Therefore, it is strongly recommended that all Chrome users install the available security update as soon as possible.
The update, version 114.0.5735.110 for Windows and 114.0.5735.106 for Mac and Linux, will be rolled out gradually over the coming days and weeks. Users can manually initiate the update process by accessing the Chrome settings menu, selecting Help, and then About Google Chrome. Relaunching the application is necessary to complete the update. Alternatively, Chrome will automatically install available security updates when the browser starts without requiring user intervention. Users should check the “About” page to ensure they are running the latest version.
Verizon DBIR: Social engineering breaches double, leading to spiraling ransomware costs
- 74% of data breaches involved human error, highlighting the importance of employee security
- Social engineering incidents doubled, accounting for 17% of breaches
- Ransomware attacks represent 24% of breaches, emphasizing the need for improved security measures
According to Verizon’s 2023 Data Breach Investigations Report (DBIR), 74% of data breaches in the past year involved the human element. These breaches were mainly caused by employees falling for social engineering attacks, making errors, or misusing their access maliciously. Social engineering incidents have nearly doubled since last year, accounting for 17% of all breaches. The report highlights the need for organizations to prioritize cybersecurity fundamentals and employee security hygiene. Implementing true multifactor authentication and fostering collaboration on threat intelligence across organizations are also crucial. Financially motivated external attackers, particularly using phishing and pretexting techniques, dominated the social engineering landscape. Ransomware attacks have not reached a saturation point and continue to grow, representing 24% of all breaches. Ransomware remains a significant concern, with financial motives driving 94.6% of breaches and 59% of breaches involving ransomware. Organizations should focus on improving security hygiene, implementing strong multifactor authentication, and forming cybersecurity partnerships to combat the rising tide of ransomware and breaches.