Breach Roundup: Barracuda Networks Recalls Hacked Appliances
Also: More on MOVEit, Motherboard Vulnerabilities, Bugs and Ransomware
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week: Barracuda Networks recalled hacked email security appliances, the U.S. federal government warned that it expects "widespread exploitation" of the now-patched zero-day vulnerability in Progress Software's MOVEit file transfer application, and cybersecurity firm Eclypsium spotted an insecure motherboard configuration. Also, researchers detailed a bug in the Microsoft Visual Studio extension installer, and a Japanese pharmaceutical firm and a Spanish bank were hit by ransomware attacks.
Barracuda: Affected ESG Appliance Recalled Despite Patches
Barracuda Networks on Tuesday urged owners of hacked Email Security Gateway appliances to immediately replace their equipment regardless of whether they had applied patches to fix a recent zero-day vulnerability.
The company said it has identified a subset of appliances containing malware that allows persistent backdoor access. It also found evidence of data exfiltration.
"Discontinue the use of the compromised ESG appliance and contact Barracuda support (email@example.com) to obtain a new ESG virtual or hardware appliance," the company said.
A company spokesperson said that as of Thursday, approximately 5% of active ESG appliances worldwide have shown evidence of known indicators of compromise due to the vulnerability.* "We continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device," the spokesperson said. Impacted customers should see a notification in the user interface.
The company first identified on May 19 a remote command injection vulnerability, tracked as CVE-2023-2868, present in all hardware and virtual versions of the ESG appliance. It issued and applied a patch on May 20 (see: Hackers Exploited Zero-Day Bug for 8 Months, Barracuda Warns).
Further investigation led the network security company to conclude that attackers had discovered and exploited the vulnerability starting in October, and possibly earlier.
Barracuda has not disclosed how many users of the ESG appliance were affected. The Australian Capital Territory, which governs the capital city of Canberra, on Thursday listed itself as a victim of the zero-day hackers. Following Barracuda's May 24 public announcement of the vulnerability, the territorial government launched an investigation and detected a breach. "A harms assessment is underway to fully understand the impact specific to our systems, and importantly to the data that may have been accessed," it said.
CISA, FBI Issue Warning on MOVEit Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation on Wednesday published an advisory warning that it expects "widespread exploitation" of the now-patched zero-day vulnerability in Progress Software's MOVEit managed file transfer application.
"CISA remains in close contact with Progress Software and our partners at the FBI to understand prevalence within federal agencies and critical infrastructure," said CISA Executive Director for Cybersecurity Eric Goldstein.
The Clop ransomware-as-a-service gang said it is the threat actor behind the spate of MOVEit attacks, claiming on its dark web leak site that it had exploited the flaw, tracked as CVE-2023-34362, to download information from hundreds of companies.
Progress Software first warned customers of the vulnerability on May 31.
U.K. payroll provider Zellis emerged as the first big-name victim of the MOVEit attacks; through it, companies including British Airways, Aer Lingus, the BBC and U.K. drugstore chain Boots were also affected.
Credit rating agency Moody's Investors Service on Thursday said the attack on Zellis could have negative consequences for the company. "The company could suffer from a reputational damage leading to increasing customer churn," said Moody's analyst Pamela Palmucci. The full cost of the attack is unknown and will depend on the outcome of governmental investigations as well as possible litigation, she added. Representatives for Zellis did not immediately return a request for comment.
Firmware Backdoor Found in Gigabyte Motherboards
Cybersecurity firm Eclypsium discovered motherboard manufacturer Gigabyte insecurely downloading an updater program into UEFI firmware. More than 400 models are affected. In a June 1 statement, the Taiwanese company said it has issued a patch that bolsters the validation process for files downloaded from remote servers.
Eclypsium says the risk posed by the insecure firmware updating function is on par with UEFI rootkits and implants - malware that's very difficult to detect or eradicate since it is loaded into memory before the operating system. Among the problems spotted by Eclypsium were incorrect remote server certificate validation and a payload downloaded through HTTP rather than HTTPS. Attackers could compromise Gigabyte's infrastructure to abuse the firmware updater, the researchers wrote.
"If you have one of these machines, you have to worry about the fact that it's basically grabbing something from the internet and running it without you being involved, and hasn’t done any of this securely," Eclypsium executive John Loucaides told Wired.
UI Bug in Microsoft Visual Studio
Varonis Threat Labs researchers discovered an exploitable UI bug in the Microsoft Visual Studio extension installer that allows attackers to spoof an extension signature and impersonate a legitimate publisher. In April, Microsoft issued a patch for the vulnerability, which is tracked as CVE-2023-28299.
An attacker could bypass security controls by merely opening a VSIX package as a zip file and adding newline characters to a tag in the extension.vsixmanifest file, Varonis researchers wrote.
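As an added example (not code from the article or from Varonis), the following defender-side check opens a VSIX as a zip file and flags any manifest attribute value or element text that contains a line break, which is the class of tampering described above. It scans the raw XML rather than a parsed tree because XML parsers normalize literal newlines inside attribute values to spaces, so a parser-based check would miss them; the manifest contents are constructed samples.

```python
import io
import re
import zipfile

MANIFEST = "extension.vsixmanifest"

# Quoted attribute value holding a literal CR/LF or a numeric newline reference.
ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*"([^"]*?(?:[\r\n]|&#(?:10|13|x[0aAdD]);)[^"]*)"')
# Element text that is not pure whitespace (indentation) between an open and close tag.
TEXT_RE = re.compile(r'<([\w:.-]+)[^<>]*>([^<]*\S[^<]*)</\1>', re.S)
NEWLINE_RE = re.compile(r'[\r\n]|&#(?:10|13|x[0aAdD]);')


def find_newline_fields(vsix_bytes: bytes) -> list[str]:
    """Return 'attr:<name>' / 'text:<tag>' for every manifest field spanning a line break."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:  # a VSIX is an OPC zip container
        raw = zf.read(MANIFEST).decode("utf-8", errors="replace")
    for m in ATTR_RE.finditer(raw):
        findings.append(f"attr:{m.group(1)}")
    for m in TEXT_RE.finditer(raw):
        if NEWLINE_RE.search(m.group(2)):
            findings.append(f"text:{m.group(1)}")
    return findings


def build_vsix(manifest_xml: str) -> bytes:
    """Build a minimal in-memory VSIX holding only the manifest (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest_xml)
    return buf.getvalue()


# Constructed sample manifest in the real vsixmanifest v2 layout.
CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">
  <Metadata>
    <Identity Id="Example.Sample" Version="1.0" Language="en-US" Publisher="Example Publisher" />
    <DisplayName>Sample Extension</DisplayName>
    <Description>A constructed sample manifest.</Description>
  </Metadata>
</PackageManifest>
"""
# Same manifest with a literal line break in the DisplayName text and an
# encoded newline in the Publisher attribute (constructed tampering sample).
TAMPERED = CLEAN.replace("Sample Extension", "Sample Extension\n\n\n").replace(
    'Publisher="Example Publisher"', 'Publisher="Example Publisher&#10;"')

if __name__ == "__main__":
    print(find_newline_fields(build_vsix(CLEAN)))     # []
    print(find_newline_fields(build_vsix(TAMPERED)))  # ['attr:Publisher', 'text:DisplayName']
```

Any non-empty result is a reason to hold the package for manual review of the publisher and signature details rather than proof of tampering on its own.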
Japanese Pharmaceuticals Firm Eisai Suffers Ransomware Attack
Japanese pharmaceuticals firm Eisai reported Tuesday a ransomware attack that encrypted company servers and disrupted logistics systems both inside and outside the country.
The Tokyo-headquartered drugmaker said it had detected the attack on June 3 but did not disclose further details about the breach. "The possibility of data leakage is currently under investigation," it said.
Eisai Group is a leading Japanese pharmaceuticals company with 15 research laboratories and nine production sites in Japan and elsewhere.
Ransomware Attack Affects Spanish Bank Globalcaja
Spanish bank Globalcaja, based in the central Spanish region of Castilla-La Mancha, reported June 2 an attack consistent with ransomware. The attack, it said in a Spanish-language advisory, didn't affect the bank's ability to operate and did not appear to have reached client accounts.
The Play ransomware group said it is the threat actor behind the attack. It claimed on its dark web leak site to have downloaded "private and personal confidential data, clients and employee documents, passports, contracts" and is threatening to publish the data Saturday.
Globalcaja's most recent annual report says the bank serves nearly half a million customers.
Other Coverage From Last Week
- Verizon: When Ransomware Attacks Cost, They're Costing More
- Highlights of Verizon Data Breach Investigations Report 2023
- Suspected Nation-State Actors Target US Aerospace Industry
- Hospital Worker Sentenced for HIPAA Crimes in ID Theft Scam
- Ukraine Warns Against Cyberespionage Campaign
- Microsoft Pays $20M to Settle FTC COPPA Complaint
- Google Fixes Actively Exploited Chrome Zero-Day
With reporting from ISMG's Prajeet Nair in Mumbai and Jayant Chakravarti in Pune
*Update June 9, 2023 15:25 UTC: Adds comment from Barracuda Networks spokesperson.