MOVEit users extorted, Barracuda bitten and GoAnywhere woes not going anywhere
Welcome to Changelog for 6/11/23, published by Synack! Nathaniel Mott here, emerging from the smoke of Ottawa’s wildfires with the week’s security news. A quick programming note: We will not be publishing next week as we honor the Juneteenth holiday.
The payload
Companies rarely say the only way to solve a problem with a product is to kill it with fire — but that’s pretty much what Barracuda told owners of its email security gateway (ESG) appliances to do on June 6.
Barracuda said in a security advisory that it was “alerted to anomalous traffic originating from” its ESG appliances on May 18. It patched the problem on May 20, and published the relevant advisory on June 1, but on June 6 it updated the document with the following message: “ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com). […] Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
I’ve read a few security advisories over the past decade, and this might be the most dire update I’ve seen to date. That isn’t to say this is the most impactful vulnerability discovered within that time, but companies rarely see a given flaw worthy of an “action notice” presented in a bright red font, and usually there are more options for remediating the risks posed by a vuln than simply replacing the product entirely. (Especially since Barracuda hasn’t explained why that level of precaution is necessary!)
I wasn’t the only one surprised by Barracuda’s latest update. “The pivot from patch to total replacement of affected devices is fairly stunning,” Rapid7 senior manager of vulnerability research Caitlin Condon said in a blog post, “and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access.”
I’m with “0xabad1dea” on this one — the attackers responsible for so thoroughly owning Barracuda’s ESG appliances ought to publish their own blog post explaining how they did it. In the meantime, anyone who relies on these products has been told to search their networks for indicators of compromise dating back to October 2022. Additional information is available via Barracuda’s security advisory.
The week, compiled
A vulnerability in Progress Software’s MOVEit Transfer remained top-of-mind last week, partly because the Cl0p ransomware gang issued an ultimatum to organizations it compromised via the flaw to start negotiations by June 14. But MOVEit was also still making waves because of the discovery of a second vulnerability in the file transfer tool.
Huntress said on June 5 that it had successfully “recreated the attack chain exploiting MOVEit Transfer software” and, in the process, learned that the initial vulnerability can be exploited to achieve arbitrary code execution on systems running the software in addition to providing access to private data. That aspect of the flaw has since been split into its own, separately tracked vulnerability in MOVEit Transfer.
“In addition to the ongoing investigation into vulnerability (CVE-2023-34362), we have partnered with third-party cybersecurity experts to conduct further detailed code reviews as an added layer of protection for our customers,” Progress said in a June 9 update to its original security advisory. “As part of these code reviews, cybersecurity firm Huntress has helped us to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit.”
Cl0p doesn’t appear to have taken advantage of this capability; so far it seems to have contented itself with exfiltrating data from its victims’ networks rather than deploying ransomware. The group did something similar earlier this year when it compromised organizations via a flaw in Fortra’s GoAnywhere tool — more on that later — which suggests it’s shifting towards a straightforward hack-and-leak model. (Progress said it hasn’t seen any evidence of other threat actors exploiting this new vuln, either.)
The Cybersecurity and Infrastructure Security Agency and the FBI released a Joint Cybersecurity Advisory on June 7 to provide organizations with additional information associated with Cl0p’s exploitation of the flaws in MOVEit Transfer and GoAnywhere. CrowdStrike has also shared a method of detecting what data may have been compromised by the vulnerability in MOVEit Transfer. As for defending against the new vulnerability, Progress said all MOVEit Transfer users should install new updates via its website.
Also from last week:
CyberScoop: It turns out Twitter can still be useful for shaking big companies into action, as Chris Plummer discovered when Google reassessed the severity of a problem with its Brand Indicators for Message Identification program — one that allowed scammers to impersonate well-known businesses — after his tweets about the flaw went viral. Google originally said the system was working as intended; now it’s planning to fix the problem.
Ars Technica: The FBI said last week that “sextortion” scams — in which cybercriminals create “deepfake” videos of their victims having sex then demand a ransom in exchange for not posting the video publicly — are on the rise. (Teen Vogue also reported on how some victims of these scams are looking to secure federal protections against this kind of attack.)
WSJ: The Chinese government is still unhappy about the AirDrop file-sharing feature built into Apple’s devices, according to The Wall Street Journal, which reported that Beijing is considering new legislation that would require AirDrop and similar services to “undergo a security assessment” and force users to “register details of their identities with the service providers.”
A message from Synack
Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.
Flash memory
The Office of Personnel Management said on June 4, 2015 that it had “detected a cyber-intrusion” and planned to “send notifications to approximately 4 million individuals whose [personal identifiable information] may have been compromised” as a result. A month later we learned that the number of affected people was closer to 22.1 million — and that OPM had actually suffered multiple breaches.
Wired reported that the documents stolen via this breach included “127-page SF-86 forms” that feature “financial information, detailed employment histories — with reasons for past terminations included — as well as criminal history, psychological records and information about past drug use.” That information could easily be used to impersonate someone, blackmail them or assist with phishing attacks against them.
CSO Online said in 2020 that while investigators hadn’t discovered a “smoking gun” that could be used to attribute the OPM hack to a specific group, the “overwhelming consensus is that OPM was hacked by state-sponsored attackers working for the Chinese government,” due to a combination of how the attack was carried out and previous attempts by the Chinese government to steal information about Americans.
Either way, incredibly personal information about 22.1 million people has been compromised for the last eight years, and that’s likely to stay in the back of their minds for decades to come.
Local files
TechCrunch: Companies are still assessing the fallout of attacks on the Fortra GoAnywhere file-transfer software, with healthcare payment services provider Intellihartx disclosing this week “that 489,830 patients” had their “names, addresses, dates of birth and Social Security numbers,” as well as their billing information, diagnoses and other data, compromised during a ransomware attack earlier this year.
BleepingComputer: A pharmaceutical company called Eisai, which “develops and produces medication for various forms of cancer and the treatment of chemotherapy side effects, as well as anti-seizure, neuropathy, and dementia drugs,” said a ransomware attack had affected its operations.
The Record: The University of Manchester said on Friday that it was “the victim of a cyber incident” — lately the phrase of choice for organizations affected by a ransomware attack that don’t want to say they were affected by a ransomware attack — and that data was likely exfiltrated from its network. (The university didn’t offer additional information about what kinds of data were affected.)
Off-script
It’s been a hell of a week. Apple finally revealed its long-rumored augmented reality goggles at its annual developers conference, Trump was indicted for mishandling classified files and I got to watch the world around me transform into a recreation of “Blade Runner: 2049” as wildfires in Ottawa blanketed the U.S. But I’d like to dwell on some unrelated — yet still momentous — news: The death of “ducking.”
NPR reported on June 7 that Apple’s software keyboards will stop automatically correcting swear words — the most famous example of which the outlet was forced to describe as “a certain four-letter expletive […] replaced immediately by the rhyming name of a species of waterfowl” due to its style guide — as part of a broader effort to make the iPhone and iPad’s autocorrect feature more useful.
I’ll believe Apple’s claims about smarter autocorrect when I get my thumbs on iOS 17’s software keyboard later this year. But even if the only change is that I can actually type what The New York Times would call my favorite “saltier,” “unprintable” and “four-letter” expletive without having to delete its mallard-damned replacement and retype it, well, I’ll count that as a ducking win for the folks in Apple’s operating system division.
That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you June 25!