3CX Supply Chain Attack
Deployed Linux vulnerability
Deployed Linux (Fedora, Ubuntu, and Debian) compromise
With the recent identified bug from CVE-2023-4911 CVSS 7.8, there is an issue within the GNU C Library (glibc) of Linux distributions. Specifically, default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13 are vulnerable to gaining full root privileges once exploited. Other Linux distributions may also be suspectable to this exploit, based on the glibc if being used.
When a system becomes compromised, the ‘bad-actor’ gains unrestricted access to all running programs, allocating shared libraries as well as linking them with the executable at runtime. In the process, the dynamic loader also resolves symbol references, such as function and variable references, ensuring that everything is set for the program’s execution. In summary gaining full control of operating system, running applications and ability to deploy any payload (malicious or otherwise) for their purpose.
IoT devices may also be at risk, depending on the Linux kernel being used within “custom operating systems”.
Fortunately, a patch was subsequently released on Oct. 3, with various Linux distributions — including Red Hat, Ubuntu, Upstream, Debian, and Gentoo all releasing their own updates.
Further details and reading : NVD – CVE-2023-4911 (nist.gov)
Analysis:
The fundamentals of cybersecurity still remain (establish visibility, conduct manageability and enforce security). It is paramount to have a deep understanding of your devices, operating system (and patch levels), running applications and network communication protocols / ports. Implementing a rigorous and sustainable inventory, patch-management and risk-management framework to promptly address business priorities. This is required to further safe guard a high confidence in cybersecurity posture all the while reducing surface attack area.
Understanding what’s ‘normal’ activity and behaviour allows you to identity the ‘abnormal’ behaviour, thus providing priority for focus of resources for attention (aka remediation) as required.
3CX Supply Chain Attack
Several security organisations (ESET, CrowdStrike, SentinelOne) have discovered malicious activity
Several security organisations (ESET, CrowdStrike, SentinelOne) have recently discovered malicious activity within a legitimate, signed binary from 3CX. The 3CXDesktopApp which is a softphone application from 3CX is presenting malicious activity where its making calls (beaconing) to threat-actor controlled infrastructure, deployment of second-stage payloads and in some instances hands-on keyboard activity. The current threat is considered a possible supply chain attack similar to that of the solarwinds incident a few years back and as of writing is still under the investigation of the vendor. The attack affects windows/Linux and mobile devices that have the 3CXDesktopApp installed.
Learn more here.
Barracuda Networks Identifies Critical Security Flaw
ESG devices vulnerable to malware due to critical flaw
In light of a critical security flaw that has been disclosed, Barracuda Networks is advising its customers to replace vulnerable email gateway appliances. The technology company, known for its security, networking, and storage products, is taking this unusual step due to the ongoing exploitation of a zero-day flaw by hackers since October.
Exploiting the identified vulnerability, tracked as CVE-2023-2868, hackers have been utilizing two types of malware named “Saltwater” and “SeaSpy” to establish a backdoor on susceptible Barracuda Email Security Gateway (ESG) appliances. This backdoor enables the exfiltration of sensitive corporate data. ESG products function as email firewalls, filtering inbound and outbound emails for potentially malicious content.
Affected customers will have received an “action notice” with advise to change credentials linked to affected devices. Additionally, customers are urged to conduct a comprehensive investigation of their networks, looking for any indications of compromise that may have occurred since at least October 2022
Source: Barracuda Email Security Gateway Appliance (ESG) Vulnerability
MOVEit RCE Bug Prompts Data Theft Attacks
Critical flaw gives attackers access to unpatched MOVEit servers
Proof-of-concept (PoC) exploit code for a remote code execution (RCE) vulnerability in the MOVEit Transfer managed file transfer (MFT) solution, which has been exploited by the Clop ransomware gang in data theft attacks, has been released by security researchers from Horizon3.
A critical flaw, identified as CVE-2023-34362, has been discovered in the MOVEit servers, allowing unauthenticated attackers to exploit an SQL injection vulnerability. This vulnerability grants unauthorized access to unpatched MOVEit servers and enables the execution of arbitrary code remotely.
These are already being actively exploited and attacks have happened. There have been over 270 impacted organisations and 33 data leaks.
Latitude Financial Discloses It’s Breach Will Cost $105 Million
Cyber update from latitude financial reveals a large loss as result of cyber attack
Quick run-down of some interesting cyber security news from this week: Latitude recently disclosed its breach will likely cost the company in the order of 105 million AUD. All stemming from the leak of a third party privileged access to their systems. Auto Rotating of passwords and MFA are still major mitigating actions all companies should deploy to defend against these type of breaches.
For more information, see the official media release: latitude-asx-guidance-and-update.pdf (latitudefinancial.com)
FortiOS/FortiProxy Critical Vulnerability
A stack-based overflow vulnerability allowing remote attackers to execute arbitrary code or commands
FortiOS and FortiProxy are susceptible to a stack-based overflow vulnerability, categorized as CWE-124. This vulnerability presents a potential for remote attackers to execute arbitrary code or commands. The exploit occurs through crafted packets that target proxy policies or firewall policies operating in proxy mode in conjunction with SSL deep packet inspection.
Workaround:
Disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.
Example with custom-deep-inspection profile:
config firewall ssl-ssh-profile
edit “custom-deep-inspection”
set supported-alpn http1-1
next
end
Affected Products:
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.10
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.9
Products NOT affected:
FortiOS 6.4 all versions
FortiOS 6.2 all versions
FortiOS 6.0 all versions
FortiProxy 2.x all versions
FortiProxy 1.x all versions
Solutions:
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.11 or above
Please upgrade to FortiProxy version 7.2.3 or above
Please upgrade to FortiProxy version 7.0.10 or above
Source: PSIRT Advisories | FortiGuard
If you have any questions regarding the above vulnerability please contact your partner account manager.
Citrix NetScaler ADC and NetScaler Gateway Vulnerability
Vulerability affecting Citrix NetScaler ADC and NetScaler Gateway vulnerability
A Citrix NetScaler ADC and NetScaler Gateway vulnerability for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 has been identified, which could allow a malicious actor to remotely execute code without authentication.
Affected versions are:
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297
How to mitigate:
Organisations using Citrix NetScaler ADC and Netscaler Gateway should update to the latest versions as soon as they can.
NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Source: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
