InfoSec Weekly

May 29, 2023

Table Of Contents

Barracuda Warns of Zero-Day Exploited to Breach Email Security Gateway Appliances

Description

Barracuda, a mail protection, and network security provider has alerted users about a zero-day vulnerability that allowed unauthorized access to their Email Security Gateway (ESG) appliances. The flaw, tracked as CVE-2023-2868, is a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006. It stems from incomplete sanitization of .tar files, enabling remote attackers to execute system commands with ESG’s privileges. Barracuda released patches on May 20 and 21, and evidence of active exploitation was found. The company has contacted affected users and advised them on remedial actions. Barracuda encourages customers to review their environments and assures ongoing monitoring.

Infected Technology

Barracuda

Source

https://thehackernews.com/2023/05 barracuda-warns-of-zero-day-exploited.html

Recommendation

• Ensure that you have installed the patches released by Barracuda on May 20 and 21. • Continuously monitor security advisories and updates from Barracuda and other trusted sources. Stay informed about emerging threats, vulnerabilities

CVE ID

CVE-2023-2868


New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets

Description

Bandit Stealer, a new malware known for its ability to target web browsers and cryptocurrency wallets, has drawn the attention of cybersecurity researchers. Developed using the Go programming language, it has the potential for cross-platform compatibility. Currently focused on Windows, the malware exploits the runas.exe command-line tool to gain administrative access and evade security measures. Bandit Stealer incorporates sandbox detection and terminates blocklisted processes to conceal its presence. It modifies the Windows Registry for persistence and collects personal and financial data from web browsers and crypto wallets. The malware is distributed through phishing emails with a dropper file disguised as a harmless Word attachment. Another discovery by Trend Micro involves a Rust-based info stealer using a GitHub Codespaces webhook to steal browser credentials and other sensitive information. The prevalence of commodity stealer malware, like Luca and StrelaStealer, distributed through spam emails and fake software versions, is also noted. The operators behind these malware strains can exploit stolen data for identity theft, financial gain, data breaches, credential stuffing attacks, and account takeovers. It is crucial to implement robust security measures, educate users about phishing, and exercise caution when downloading software to mitigate these risks.

Infected Technology

Web Browsers and Cryptocurrency Wallets

Source

https://thehackernews.com/2023/05/new-stealthy-bandit-stealer-targeting.html

Recommendation

• Regularly update operating systems, applications, and security software to ensure the latest patches. • Utilize robust email filtering systems to block phishing emails and malicious attachments, reducing the risk of users inadvertently launching malware droppers.


QBot malware abuses Windows WordPad EXE to infect devices

Description

The QBot malware campaign has taken advantage of a vulnerability in the Windows 10 WordPad program, using DLL hijacking to discreetly infect computers and evade detection from security software. Initially functioning as a banking trojan, QBot, also known as Qakbot, has transformed into a malware dropper employed by ransomware groups such as Black Basta, Egregor, and Prolock to gain initial entry into corporate networks for extortion-based attacks. According to security researcher ProxyLife, a recent QBot phishing campaign exploited a DLL hijacking vulnerability present in the Windows 10 WordPad executable, write.exe. Although the specific phishing emails were not observed, they included a link for file download. Upon clicking the link, a ZIP archive containing two files, document.exe (the WordPad executable) and a DLL named edputil.dll (used for DLL hijacking), would be downloaded. When document.exe is launched, it attempts to load the authentic DLL called edputil.dll, typically located in the C:\Windows\System32 folder. However, it fails to check that specific folder and instead loads any DLL with the same name from the same directory as the executable. This allows threat actors to engage in DLL hijacking by replacing the legitimate edputil.dll with a malicious version in the identical folder. Once the DLL is loaded, the malware employs C:\Windows\system32\curl.exe to retrieve a DLL disguised as a PNG file from a remote host. Subsequently, this PNG file, which is a DLL, is executed using rundll32.exe with the following command: “rundll32 c:\users\public\default.png,print”QBot then operates silently in the background, pilfering emails for future phishing attacks and acquiring additional payloads like Cobalt Strike—a post-exploitation toolkit employed by threat actors to gain control over the compromised device.

Infected Technology

Windows Operating System

Source

https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/

Recommendation

• Deploy intrusion detection and prevention systems (IDPS) to monitor network traffic for suspicious activities and indicators of compromise.


Severe Flaw in Google Cloud’s Cloud SQL Service Exposed Confidential Data

Description

A recently revealed security vulnerability has been uncovered in Google Cloud Platform’s (GCP) Cloud SQL service, posing a potential risk of unauthorized access to sensitive data. According to Dig, an Israeli cloud security firm, the vulnerability could have allowed an attacker to elevate their privileges from a basic Cloud SQL user to a sysadmin with full control over containers. This would grant them access to internal GCP data, including secrets, sensitive files, passwords, and customer data. Cloud SQL is a managed solution for creating MySQL, PostgreSQL, and SQL Server databases in cloud-based applications. Dig identified a multi-stage attack chain that exploited a security gap associated with SQL Server in the cloud platform, enabling the attacker to escalate their privileges to an administrator role. With the elevated permissions, the attacker could exploit another critical misconfiguration to gain system administrator rights and assume complete control of the database server. This would enable them to access all files on the underlying operating system, perform file enumeration, and extract passwords, potentially serving as a launching point for further attacks.

Infected Technology

Google

Source

https://thehackernews.com/2023/05/severe-flaw-in-google-clouds-cloud-sql.html

Recommendation

• Update security patch to address the identified vulnerability in the Cloud SQL service


Industrial automation giant ABB disclosed data breach after ransomware attack

Description

T ABB, a Swiss multinational company and a leader in electrification and automation technology, experienced a cyber attack on May 7, 2023, impacting its business operations. The attack, reportedly carried out by the Black Basta ransomware group, affected ABB’s Windows Active Directory and infected numerous devices. Some projects were delayed, and certain company factories were impacted. Notably, Black Basta did not disclose the company’s name on its leak website, indicating ongoing negotiations or the possibility of ransom payment. ABB took swift action by closing VPN connections with customers to prevent the spread of the threat. According to a company press release, unauthorized actors gained access to specific ABB systems, deployed ransomware, and exfiltrated certain data.

Infected Technology

Electrification and Automation technology

Source

https://securityaffairs.com/146752/cyber-crime/abb-ransomware-attack.html

Recommendation

• Perform comprehensive security assessments and penetration tests to identify vulnerabilities and weaknesses.


call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us