Tag Archive for: flaw

Alert: Chinese Threat Actors Exploit Barracuda Zero-Day Flaw


In recent developments, Barracuda, a prominent network and email cybersecurity firm, has been grappling with a zero-day vulnerability. The vulnerability has been identified as CVE-2023-7102 in its Email Security Gateway (ESG) appliances. The situation has been exacerbated by the active exploitation of this flaw by a Chinese hacker group known as UNC4841. In this blog, we’ll look into the Barracuda zero-day flaw, exploring its intricacies and the consequential impact on cybersecurity.


The Barracuda Zero-Day Flaw


The root cause of the Barracuda ESG appliances vulnerability lies in a weakness within the Spreadsheet::ParseExcel third-party library, integral to the Amavis virus scanner running on Barracuda ESG appliances. The flaw enables threat actors to execute arbitrary code on vulnerable ESG devices through parameter injection.


Barracuda Zero-Day Flaw Exploited By Chinese Hackers


UNC4841 leveraged this Arbitrary Code Execution (ACE) vulnerability to deploy a meticulously crafted Excel email attachment, exploiting the Spreadsheet::ParseExcel library. As a result, a limited number of ESG devices fell prey to the attack, giving rise to cybersecurity threats in ESG appliances.

Barracuda responded swiftly by deploying a patch on December 22, 2023, to remediate compromised ESG appliances, which exhibited indicators of compromise linked to new variants of SEASPY and SALTWATER malware.

In the ongoing investigation of the Barracuda zero-day flaw, the organization assured customers that no immediate action is required. They also emphasized their commitment to resolving the issue and ensuring the security of ESG appliances.


CVE-2023-7101: A Wider Concern


Notably, Barracuda has filed CVE-2023-7101 for a vulnerability in the open-source library, impacting various products across multiple organizations. As of now, this concern remains unaddressed, adding an extra layer of urgency to the cybersecurity landscape.


A Recap of May’s Security Warning


These zero-day exploits in network security devices aren’t the first time Barracuda has faced cybersecurity challenges. In May, the company issued a warning to customers about breaches in some of its Email Security Gateway…

Source…

Exploit Code Available For Zero-Day IE Flaw



Symantec security researchers published proof-of-concept code detailing the exploit on the BugTraq security mailing list over the weekend. To launch a successful attack, hackers could install malicious code on users’ PCs by enticing potential victims to either click on a malicious link leading to a specially crafted Web page or by visiting an existing site infected with the exploit. Hackers typically lure victims to infected sites through some social engineering scheme conducted over e-mail.

Security researchers say that the exploit thus far appears to only affect IE 6 and 7 on Windows XP and Vista but could possibly affect other versions of both IE and Windows. Microsoft’s latest IE 8 browser does not appear to be affected by the flaw.

Specifically, the IE bug occurs in the way IE uses cascading style sheet (CSS) information, which ultimately enables hackers to inject the exploit into otherwise legitimate Web sites, according to reports from Symantec. CSS is a function used in Web sites to define the presentation of the site’s content.

So far, the exploit has exhibited signs of poor reliability, but Symantec researchers said in a blog that they expect hackers to develop a fully functional version of the attack in the near future.

Meanwhile, Symantec researchers advise users to disable JavaScript until Microsoft releases a fix for the bug. Symantec experts also recommend that in general users should keep their antivirus software up-to-date and only visit known and trusted Web sites to stay protected from future attacks.

Source…

Critical Bluetooth flaw could take over Android, Apple, Linux devices


A critical Bluetooth security bug that’s reportedly been lurking about for several years can potentially be exploited by attackers to take control of Android, Linux, macOS, and iOS machines.

The flaw, CVE-2023-45866, is an authentication bypass that lets attackers connect to susceptible devices and inject keystrokes to achieve code execution as the victim.

In a GitHub blog post Dec. 6, SkySafe researcher Marc Newlin said the flaw works “by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user confirmation.”

Newlin went on to write that the underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker. He said full vulnerability details and proof-of-concept scripts will be released at an upcoming conference, and he will update the original document with conference details when available. Newlin’s blog also contains available patch information.

Cyware Director Emily Phelps explained that in this exploit, adversaries fool the Bluetooth system of a device into thinking it’s connecting to a fake keyboard — without user confirmation. This issue stems from a part of the Bluetooth rules that let devices connect without needing authentication.

“Exploiting this vulnerability lets malicious hackers remotely control someone’s device,” said Phelps. “They can download apps, send messages, or run various commands depending on the operating system.”

Phelps said if patches are available for this vulnerability, security teams should fix the issue immediately. For devices that are awaiting the fix, security teams should monitor for updates and patches. They should also make staff aware of the issue and offer mitigation recommendations, such as disabling Bluetooth when not in use.

When devices communicate there’s first a “handshake” where the two systems agree to communicate with each other, explained John Gallagher, vice president of Viakoo Labs. What the attacker took advantage of, Gallagher continued, is that many IoT devices, such as Bluetooth keyboards, want to make that handshake as easy as possible, especially since the keyboard can’t be used until the…

Source…

Lace Tempest Exploits SysAid Zero-Day Flaw


In a recent revelation, SysAid, a leading IT management software provider, has unveiled a critical security threat affecting its on-premises software. The threat actor, identified as DEV-0950 or Lace Tempest by Microsoft, previously linked to the notorious Clop ransomware group, is now exploiting a zero-day vulnerability labeled CVE-2023-47246. This vulnerability, if left unaddressed, can pave the way for unauthorized access and control over systems, posing a substantial risk to organizations. In this blog post, we’ll uncover the SysAid Zero-Day flaw and will shed light on possible mitigation measures.


The Emergence of Lace Tempest Cyber Threat


SysAid, in a blog post, disclosed the active exploitation of a path traversal zero-day vulnerability by Lace Tempest. This revelation follows Microsoft’s early detection of the exploitation, prompting immediate action from SysAid. The gravity of the Lace Tempest cybersecurity threat is clear from the group’s history: it had earlier orchestrated widespread attacks on MOVEit Transfer product users, affecting numerous organizations, including U.S. government agencies.


Cybersecurity News Lace Tempest


On November 2, Microsoft detected the exploitation of the SysAid vulnerability and promptly reported it to SysAid. The threat actor, Lace Tempest, was swiftly identified as the orchestrator behind the malicious activity. The association with Clop ransomware raised concerns, considering Lace Tempest’s involvement in previous attacks that involved data theft and ransom threats.


SysAid Zero-Day Flaw Mechanism


SysAid shed light on the intricacies of the zero-day exploit in SysAid orchestrated by Lace Tempest. The threat actor employed PowerShell to obfuscate their actions, making it challenging for incident response teams to investigate effectively. The modus operandi involved uploading a WebShell-containing WAR archive into the webroot of the SysAid Tomcat web service. This, in turn, granted unauthorized access and control over the compromised system.


SysAid’s Urgent Advisory


The SysAid security update revealed the urgency to take immediate action by upgrading to the fixed version 23.3.36. The company emphasized the need for users to proactively search for indicators of compromise…

Source…