Tag Archive for: Bypassed

Barracuda patch bypassed by novel malware from China-linked threat group



Barracuda email security gateway devices were hit by a cyber espionage campaign from a China-nexus threat group that bypassed remediation efforts and continued unleashing attacks against high value targets, according to research Mandiant released Tuesday.

The threat group, tracked as UNC4841, deployed sophisticated malware designed to maintain a presence inside a subset of high-priority target organizations even after security updates were released for the Barracuda devices.

Barracuda and Mandiant said they have seen no evidence of a successful exploit of the remote command injection vulnerability, CVE-2023-2868, since Barracuda released a patch on May 20.

Barracuda CISO Riaz Lakhani told Cybersecurity Dive that the patch fully addressed the zero-day vulnerability, and compromised appliances were given additional patches to address the actions of the threat actor.

“Out of an abundance of caution, Barracuda’s recommended remediation for any compromised appliance is replacement,” Lakhani said via email, noting that compromised customers were told to contact the company’s support line.

In June, Mandiant disclosed that the hackers were involved in a massive cyber espionage campaign in which they leveraged the devices to send malicious email attachments to targeted government offices in the U.S. and abroad, as well as to private sector companies.

Mandiant said many of the government targets in North America include state and local governments, judiciaries, law enforcement agencies, social services and several incorporated towns. Most of the observed compromises took place during the early months of the campaign, from October to December 2022.

The FBI issued a flash alert in late August warning users to isolate and replace affected Barracuda ESG devices, saying that hackers affiliated with the People’s Republic of China were continuing to exploit the devices.

According to Mandiant, a…

Source…

Windows 10 And 11 Security Feature Alerts Bypassed By Attackers


Two zero-day vulnerabilities have been confirmed for Windows 10 and 11 users as the latest Patch Tuesday security update from Microsoft starts rolling out.

CVE-2022-44698 is one of two Zero-Day Windows vulnerabilities that have been fixed in the latest Microsoft Patch Tuesday security update. This vulnerability, which Microsoft confirms it has already detected being exploited, impacts most versions of Windows and sits within the SmartScreen security feature. Mike Walters, vice president of Vulnerability and Threat Research at Action1, warns that this “affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. The vulnerability has low complexity. It uses the network vector and requires no privilege escalation.”

Yet another Mark of the Web security issue for Windows users

Specifically, an attacker is able to craft a file that gets around the Mark of the Web defense that underpins features such as Protected View in Microsoft Office. Windows SmartScreen checks for a Mark of the Web zone identifier to determine whether the file being executed originated from the internet and, if so, performs a further reputation check. “An attacker with malicious content that would normally provoke a security alert could bypass that notification and thus infect even well-informed users without warning,” Paul Ducklin, writing for the Sophos Naked Security blog, said.


Will Dormann, who is credited with disclosing the vulnerability in the Microsoft security update guide, has been warning of numerous Mark of the Web vulnerabilities for the past six months. Only last month, Microsoft patched CVE-2022-41091, another Mark of the Web vulnerability that was also being actively exploited by attackers.

Microsoft has confirmed three potential attack scenarios, but does not say which of them the exploits it has seen in the wild are using. The three scenarios are as follows:

  • A web-based attack using a malicious website
  • An email, or instant message, attack which…

Source…

Microsoft’s third mitigation update for Exchange Server zero-day exploit bypassed within hours


Microsoft has published its third update for its mitigation of an exploit abusing two zero-day vulnerabilities in Microsoft Exchange Server.

It marks the latest step towards providing a fix for the exploit, dubbed ‘ProxyNotShell’, in what has been a confusing week for system admins attempting to understand the threat.

Security researcher Kevin Beaumont highlighted on Friday that there is already a bypass for the Microsoft-provided mitigation. It means every one of the company’s attempts to prevent the exploit from harming customers has been circumvented within hours of publication.

The issue lies in the way Microsoft’s signatures detect the exploit. The signatures monitor the w3wp.exe Internet Information Services (IIS) worker process, but for customers on Windows Server 2016 and later, Exchange Server automatically excludes w3wp.exe from monitoring when IIS is installed.

“The only way to correct this is to turn off automatic exclusions,” he said, but Microsoft’s documentation explicitly says not to do this.

The original vulnerability disclosure for the ProxyNotShell exploit was atypical, and the information regarding potential fixes has been fragmented and confusing for many to follow.

Discovered last week by security researchers at Vietnam-based company GTSC, the pair of zero-days has received a number of attempted fixes – the first of which was bypassed “easily”.

GTSC said in its report that it had noticed in-the-wild exploitation of both vulnerabilities for at least a month before publishing its findings.

The security issues are related to, but distinct from, the ProxyShell exploit developed in 2021, and they are not covered by the patch Microsoft released for ProxyShell that year.

Tracked as CVE-2022-41040 and CVE-2022-41082, they each received a CVSSv3 severity score of 8.8/10. Microsoft Exchange versions 2013, 2016, and 2019 are affected.

Exploitation requires access to an authenticated user account, but initial tests indicated that any email user’s account, regardless of its privilege level, could be used to launch an attack.

Microsoft Exchange Server customers are advised to monitor the official mitigation page and apply new ones as they become…

Source…

Windows MSHTML zero-day defenses bypassed as new info emerges



New details have emerged about the recent Windows CVE-2021-40444 zero-day vulnerability, how it is being exploited in attacks, and the threat actor’s ultimate goal of taking over corporate networks.

This Internet Explorer MSHTML remote code execution vulnerability, tracked as CVE-2021-40444, was disclosed by Microsoft on Tuesday but with few details as it has not been patched yet.

The only information shared by Microsoft was that the vulnerability uses malicious ActiveX controls to exploit Office 365 and Office 2019 on Windows 10 to download and install malware on an affected computer.

Since then, researchers have found the malicious Word documents used in the attacks and have learned new information about how the vulnerability is exploited.

Why the CVE-2021-40444 zero-day is so critical

Since the disclosure of this vulnerability, security researchers have taken to Twitter to warn how dangerous it is, even though Microsoft Office’s ‘Protected View’ feature will block the exploit.

When Office opens a document it checks if it is tagged with a “Mark of the Web” (MoTW), which means it originated from the Internet.

If this tag exists, Office opens the document in read-only mode, effectively blocking the exploit unless the user clicks the ‘Enable Editing’ button.

Word document opened in Protected View

As the “Protected View” feature mitigates the exploit, we reached out to Will Dormann, a vulnerability analyst for CERT/CC, to learn why security researchers are so concerned about this vulnerability.

Dormann told BleepingComputer that even if the user is initially protected via Office’s ‘Protected View’ feature, history has shown that many users ignore this warning and click on the ‘Enable Editing’ button anyway.

Dormann also warns that there are numerous ways for a document not to receive the MoTW flag, effectively negating this defense.

“If the document is in a container that is processed by something that is not MotW-aware, then the fact that the container was downloaded from the Internet will be moot. For example, if 7Zip opens an archive that came from the Internet, the extracted contents will have no indication that it came from the Internet. So no MotW, no Protected…

Source…