Dec 28 2023

Chinese Hackers Exploit New Zero-Day In Barracuda’s ESG To Deploy Backdoor

Category: cyber security,Information Security,Zero daydisc7 @ 12:56 pm
Chinese Hackers Exploit New Zero-Day in Barracuda’s ESG to Deploy Backdoor

Barracuda Email Security Gateway (ESG) Appliance has been discovered with an Arbitrary code Execution vulnerability exploited by a China Nexus threat actor tracked as UNC4841.

Additionally, the vulnerability targeted only a limited number of ESG devices. 

However, Barracuda has deployed a security update to all the active ESGs to address this vulnerability, and has been automatically applied to all the devices, which does not require any action from the user.

The new vulnerability has been assigned to CVE-2023-7102, and the severity is yet to be categorized.

Chinese Hackers Exploit New Zero-Day

This vulnerability exists due to using a third-party library, “Spreadsheet::ParseExcel,” in the Barracuda ESG appliances.

This open-source third-party library is vulnerable to arbitrary code execution that can be exploited by sending a specially crafted Excel email attachment to the affected device.

The Chinese Nexus threat actors have been using this vulnerability to deploy new variants of SEASPY and SALTWATER malware to the affected devices.

However, Barracuda has patched these vulnerabilities accordingly. Moreover, Barracuda stated, “Barracuda has filed CVE-2023-7102 about Barracuda’s use of Spreadsheet::ParseExcel which has been patched”.

Another vulnerability, CVE-2023-7101, affected the same spreadsheet: ParseExcel, and no patches or updates were available.

Nevertheless, both of these vulnerabilities were associated with a previously discovered vulnerability, CVE-2023-2868, that was exploited by the same threat group in May and June 2023.

Furthermore, a complete report about these vulnerabilities, along with additional information, has been published, which provides detailed information about this vulnerability and the previously discovered vulnerabilities.

Indicators Of Compromise

MalwareMD5 HashSHA256File Name(s)File Type
CVE-2023-7102 XLS Document2b172fe3329260611a9022e71acdebca803cb5a7de1fe0067a9eeb220dfc24ca56f3f571a986180e146b6cf387855bddads2.xlsxls
CVE-2023-7102 XLS Documente7842edc7868c8c5cf0480dd98bcfe76952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acddon.xlsxls
CVE-2023-7102 XLS Documente7842edc7868c8c5cf0480dd98bcfe76952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acdpersonalbudget.xlsxls
SEASPY7b83e4bd880bb9d7904e8f553c2736e3118fad9e1f03b8b1abe00529c61dc3edf da043b787c9084180d83535b4d177b7wifi-servicex-executable
SALTWATERd493aab1319f10c633f6d223da232a2734494ecb02a1cccadda1c7693c45666e1 fe3928cc83576f8f07380801b07d8bamod_tll.sox-sharedlib

Network IOCs

IP AddressASNLocation
23.224.99.24240065US
23.224.99.24340065US
23.224.99.24440065US
23.224.99.24540065US
23.224.99.24640065US
23.225.35.23440065US
23.225.35.23540065US
23.225.35.23640065US
23.225.35.23740065US
23.225.35.23840065US
107.148.41.146398823US

Tiger Trap: America’s Secret Spy War with China

21st Century Chinese Cyberwarfare

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: 21st Century Chinese Cyberwarfare, cyber security, Tiger trap, zero-day

Jul 21 2022

Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Category: Web Security,Zero dayDISC @ 2:53 pm
Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.

The relevant security bulletins, update numbers, and where to find them online are as follows:

  • APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
  • APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
  • APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
  • APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
  • APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
  • APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
  • APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341

As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPad OS.

But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) therefore applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.

Zero Days - Season 1

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: 0-day, browser bug, zero-day

Dec 14 2021

Google fixed the 17th zero-day in Chrome since the start of the year

Category: App Security,Web SecurityDISC @ 9:25 am
Google fixed the 17th zero-day in Chrome since the start of the year

Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild.

The CVE-2021-4102 flaw is a use-after-free issue in the V8 JavaScript and WebAssembly engine, its exploitation could lead to the execution of arbitrary code or data corruption.

“Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild.” reads the advisory published by Google which did not share additional info regarding these attacks.

The vulnerability was reported by an anonymous researcher on 2021-12-09.

Google has already addressed 17 zero-day vulnerabilities in Chrome this year, below is the full list:

Be sure to update your Chrome install to the latest 96.0.4664.110 version for Windows, Mac, and Linux.

The other issues fixed by Google with the latest release are:

[$NA][1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26

[$5000][1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16

[$5000][1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19

[$TBD][1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair  on 2021-10-21

The Browser Hacker’s Handbook 

Tags: Chrome, Google, The Browser Hacker's Handbook, zero-day

Nov 26 2021

Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices

Category: Zero dayDISC @ 9:38 am
Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices

Resecurity, a Los Angeles-based cybersecurity company has identified an active a zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises.

The identified vulnerability enables Remote Code Execution (RCE) which grants the ability to takeover of the device and then use it for malicious purposes, as well as to steal sensitive data too. It’s likely this vulnerability is present in other devices from the same family.

The affected device is orientated towards the enterprise segment and supports Wi-Fi 6 (the next-generation wireless standard which is faster than 802.11ac). Wi-Fi 6 officially arrived in late 2019, and Wi-Fi 6 enabled hardware was released throughout 2020. The main goal of this new standard is enhancing throughput-per-area in high-density scenarios, such as corporate offices, shopping malls and dense residential apartments.

Resecurity notified TP-Link on November 19th 2021, and received acknowledgment the very next day. TP-Link said they’re going to release a patch in a week (currently the 0-day vulnerability is in the wild). Resecurity shared Proof-of-Concept with TP-Link of how Remote Code Execution was achieved on the target device, along with multiple other vulnerabilities.

TP-Link

Below is the video PoC of the zero-day exploitation:

The Life and Times of Zero-Day Vulnerabilities and Their Exploits

Tags: TP-Link Wi-Fi, zero-day

Nov 12 2021

macOS Zero-Day exploited in watering hole attacks on users in Hong Kong

Category: Security vulnerabilitiesDISC @ 9:54 am
macOS Zero-Day exploited in watering hole attacks on users in Hong Kong

Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited a XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina

The watering hole campaign targeted websites of a media outlet and important pro-democracy labor and political group. The researchers discovered that attackers deployed on the sites hosted two iframes that were used to serve iOS and macOS exploits to the visitors.

The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.

The attack was discovered in late August, the nature of the targets and the level of sophistication of the attack suggests the involvement of a China-linked threat actor.

“To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.” reads the analysis published by Google. “As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.”

HD. Alex Gibney directed this documentary about Stuxnet–a self-replicating computer malware that has opened a Pandora’s box of cyber-warfare.

Tags: macOS Zero-Day, Stuxnet, Zero day attack, zero-day

Aug 26 2021

Interesting Privilege Escalation Vulnerability

Category: Security vulnerabilities,Windows SecurityDISC @ 9:21 am
Interesting Privilege Escalation Vulnerability

It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer devices and physical access to a computer. With that said, the bug is so easy to exploit as you just need to spend $20 on Amazon for Razer mouse and plug it into Windows 10 to become an admin.

Privileged Attack Vectors

Razer DeathAdder Essential Gaming Mouse

Tags: Privilege Escalation, vulnerabilities, Windows, zero-day

Aug 12 2021

Trend Micro warns customers of zero-day attacks against its products

Category: Zero dayDISC @ 2:47 pm
Trend Micro warns customers of zero-day attacks against its products

Security firms Trend Micro is warning its customers of attacks exploiting zero-day vulnerabilities in its Apex One and Apex One as a Service products.

On July 28, Trend Micro released security patches for multiple incorrect permission assignment privilege escalation, incorrect permission preservation authentication bypass, arbitrary file upload, and local privilege escalation vulnerabilities in Apex One and Apex One as a Service products. The security firm also reported that attackers are already exploits at least two of the flaws (CVE-2021-32464, CVE-2021-32465, CVE-2021-36741, CVE-2021-36742) in attacks in the wild.

The vulnerabilities affect the Trend Micro Apex One (On Premise) and Apex One as a Service (SaaS) on Windows.

“Trend Micro has observed an active attempt of exploitation against two of these vulnerabilities (chained) in-the-wild (ITW) in a very limited number of instances, and we have been in contact with these customers already. All customers are strongly encouraged to update to the latest versions as soon as possible.” reads the advisory.

The company did not share info about the attacks in the wild that exploited the above vulnerabilities.

In April, the security firm revealed that attackers were actively exploiting a vulnerability, tracked as 

CVE-2020-24557
, in its antivirus solutions to gain admin rights on Windows systems.

The 

CVE-2020-24557
 vulnerability affects the Apex One and OfficeScan XG enterprise security products. 

Zero Days - Featurette - YouTube

Tags: Trend Micro, zero-day

Jul 15 2021

China Taking Control of Zero-Day Exploits

Category: Zero dayDISC @ 11:39 am
China Taking Control of Zero-Day Exploits

Countdown to #ZeroDay: #Stuxnet and the Launch of the World’s First #DigitalWeapon

Tags: china, cybersecurity, cyberweapons, Digital Weapons, disclosure, Stuxnet, vulnerabilities, zero-day, Zero-Day Exploits