Blog entry by Les Bell

by Les Bell - Monday, 31 July 2023, 9:57 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Novel Backdoor Exploits Barracuda Email Gateways

Security appliance vendor Barracuda has had a torrid few months, starting with their May disclosure that a particularly aggressive and skilled threat actor had targeted their Email Security Gateway appliance by exploiting CVE-2023-2868, a remote command execution 0-day vulnerability. The threat actor, tracked as UNC4841 and likely of Chinese origin, used this to install a reverse shell and then, in turn, deploy a persistent backdoor called SEASPY.

So potent and persistent was SEASPY that Barracuda took the unprecedented step of offering customers a replacement device (or a virtual appliance), as they could not be confident that a firmware update could completely eradicate the malware.

Now comes news of yet another backdoor for the Barracuda ESG appliance. SUBMARINE is a novel persistent backdoor which runs with root privileges and lives in an SQL database on the device. It consists of multiple artifacts - an SQL trigger, shell scripts and a loaded library for a Linux daemon - that together enable persistence, command and control and cleanup.

According to a malware analysis report, the US Cybersecurity & Infrastructure Security Agency obtained seven malware samples containing the backdoor, as well as "associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information". CISA also warns that this malware "poses a severe threat for lateral movement".

CISA has released three malware analysis reports detailing the original reverse shell and SEASPY backdoor, as well as the SUBMARINE backdoor. The reports provide a detailed analysis of each piece of malware, based on multiple samples, with hash values for all files, behavioural IOCs, YARA rules and other detections. Affected customers are urged to use these to check for indications of exploitation and lateral movement to other systems. They should also discontinue use of any compromised appliance and contact Barracuda support to obtain a new appliance.
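As an added illustration of what a check for trigger-based persistence in a database dump can look like (this is not code from the page, from Barracuda or from CISA): the script below scans mysqldump-style output for triggers whose bodies reach out to the host OS or filesystem rather than just doing bookkeeping. The trigger syntax, the heuristic patterns and the sample dump are all assumptions for illustration; the actual indicators for SUBMARINE are in CISA's malware analysis reports.

```python
import re
from typing import Dict, List

# Heuristic patterns suggesting a trigger body reaches the host OS or the
# filesystem instead of just bookkeeping mail data. Assumed heuristics for
# illustration only, not indicators taken from the CISA reports.
SUSPICIOUS_PATTERNS = {
    "udf shell exec": r"\bsys_(?:exec|eval)\s*\(",
    "file write": r"\bINTO\s+(?:OUT|DUMP)FILE\b",
    "file read": r"\bLOAD_FILE\s*\(",
    "shell path": r"/bin/(?:ba)?sh\b",
    "preload library": r"\bLD_PRELOAD\b",
}

# A MySQL/MariaDB trigger with a BEGIN ... END body as mysqldump emits it
# (optional DEFINER clause, ';;' or similar delimiter after the final END).
TRIGGER_RE = re.compile(
    r"CREATE\s+(?:DEFINER\s*=\s*\S+\s+)?TRIGGER\s+`?(?P<name>\w+)`?\s+"
    r"(?P<timing>BEFORE|AFTER)\s+(?P<event>INSERT|UPDATE|DELETE)\s+ON\s+"
    r"`?(?P<table>\w+)`?\s+FOR\s+EACH\s+ROW\s+(?P<body>.*?)\bEND\b\s*(?:;;|//|\$\$|;)",
    re.IGNORECASE | re.DOTALL,
)

def flag_triggers(dump: str) -> List[Dict[str, object]]:
    """Return every trigger whose body matches a suspicious pattern, with the
    pattern labels that fired; an empty list means nothing was flagged."""
    flagged = []
    for m in TRIGGER_RE.finditer(dump):
        hits = [label for label, pat in SUSPICIOUS_PATTERNS.items()
                if re.search(pat, m["body"], re.IGNORECASE)]
        if hits:
            flagged.append({"name": m["name"], "table": m["table"],
                            "event": f"{m['timing']} {m['event']}".upper(),
                            "hits": hits})
    return flagged

# Constructed sample dump: one ordinary bookkeeping trigger and one that hands
# control to the OS shell. Neither is real Barracuda ESG content.
SAMPLE_DUMP = """
DELIMITER ;;
CREATE DEFINER=`root`@`localhost` TRIGGER `msg_counter` AFTER INSERT ON `messages` FOR EACH ROW
BEGIN
  UPDATE `stats` SET `total` = `total` + 1 WHERE `day` = CURDATE();
END ;;
CREATE TRIGGER `msg_cleanup` BEFORE DELETE ON `messages` FOR EACH ROW
BEGIN
  IF OLD.status = 'purge' THEN SET @rc = sys_exec('/bin/sh /tmp/hook.sh'); END IF;
END ;;
DELIMITER ;
"""
```

Calling `flag_triggers(SAMPLE_DUMP)` reports only `msg_cleanup`, with the "udf shell exec" and "shell path" patterns; single-statement triggers without a BEGIN ... END body are outside what this regex handles.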

Barracuda, Barracuda Email Security Gateway Appliance (ESG) Vulnerability, legal notice, 28 July 2023. Available online at https://www.barracuda.com/company/legal/esg-vulnerability.

CISA, CISA Releases Malware Analysis Reports on Barracuda Backdoors, cybersecurity advisory, 28 July 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors.

Larsen, Austin, et al., Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China, blog post, 15 June 2023 (updated 28 July 2023). Available online at https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally.

Google Analyzes 0-day Exploits

Google has published its fourth annual year-in-review analysis of 0-day vulnerabilities exploited in the wild, extracting the major trends and lessons. Key findings include:

  • Long patching delays on Android mean 0-days continue to work long after initial disclosure
  • Mitigations in browsers have driven threat actors to shift from 1-click to 0-click exploits
  • Over 40% of 0-days were variants of previously-reported vulnerabilities
  • Attackers are independently discovering and exploiting the same vulnerabilities

The last point provides some reason for optimism; when an exploit is discovered and a fix released, there's an increasing chance that it will mitigate not only the original exploit but also others.

However, the news for Android users is not so good. The problem is the length of the Android supply chain, which runs from the original component vendors, through Google, to the mobile device manufacturers. A good example is CVE-2022-38181, a vulnerability in the ARM Mali GPU kernel driver, which was reported to the Android security team in July 2022. While the Android team labeled the issue "Won't Fix" because it was device-specific, they referred it to ARM, who released a new driver version in October. However, in November Google's Threat Analysis Group discovered an exploit in the wild - yet it was not until April 2023 that a fix was incorporated in Android itself - that is, 9 months after the initial report.

There are similar delays affecting Android implementations from mobile device vendors - for example, in December 2022, the Threat Analysis Group discovered an exploit targeting the latest version of the Samsung Internet browser, which at that time was running on Chromium 102, released 7 months earlier in May 2022. This delay meant that the attackers could use CVE-2022-3038, which had been fixed in Chrome 105 of June 2022. The attack chain also used CVE-2022-22706, another ARM Mali GPU kernel driver vulnerability which had been fixed by ARM in January 2022 but did not appear in the Android Security Bulletin until June 2023 - 17 months after the patch was released and it was publicly known to be actively exploited in the wild.

This paints a rather depressing picture; threat actors don't need to research vulnerabilities themselves in order to produce 0-day exploits - instead, they can simply watch for them to be disclosed publicly, then use the information to work up n-day exploits which will produce results for months to come.

Stone, Maddie, The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022, blog post, 27 July 2023. Available online at https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.