Cyber Month in Review

Cyber Month in Review February 2023

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:

  • ESXiArgs Ransomware 
  • Clam Antivirus Remote Code Execution 
  • Apple Zeroday 
  • GoAnywhere Zeroday 
  • OpenSSL Updates 
  • QNAP Critical Bug 

Welcome back to this month’s security news in review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.

The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.

ESXiArgs Ransomware

The NCSC, CISA and other security professionals have warned organisations about the ongoing ‘ESXiArgs’ ransomware campaign this month, as VMware ESXi servers worldwide have been increasingly hit, with an estimated 3800 servers compromised so far.

One key flaw being used in this attack is CVE-2021-21974, an OpenSLP vulnerability which allows an unauthenticated attacker to gain remote code execution and deploy the ESXiArgs ransomware. Whilst recovery scripts have been made available by CISA and others, newer attacks are reportedly evolving to make recovery harder, if not impossible.

What Should I do?

The patch for CVE-2021-21974 has been available since 23/02/21, but it is very likely that attackers will use ANY other accessible vulnerability to deploy the ransomware. As such, it is strongly recommended you:

  • Update servers to the latest version of VMware ESXi software 

  • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service

  • Ensure the ESXi hypervisor is not exposed to the public internet

For more information (including a potential recovery script):

Clam AntiVirus Remote Code Execution

Cisco has rolled out security updates to address a critical remote code execution vulnerability in ClamAV this month too. ClamAV is an open-source antivirus engine which is known for its cross-platform capability (such as with Linux), and the vulnerability in question is being tracked as CVE-2023-20032 with a CVSS score of 9.8.

Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code with the privileges of the ClamAV process, which, depending on those privileges, could involve the installation of programs, the creation of new accounts with full user rights, and the ability to view, change or delete data.

What Should I do?

All users should check their networks for any ClamAV instances and update them, where applicable, to the following versions (or greater):

  • 0.103.8

  • 0.105.2

  • 1.0.1

For more information on the patches and vulnerability, please read this ClamAV blog post: ClamAV® blog, with updates available here: ClamAVNet.

Apple Zeroday

Apple have released an emergency update for their first zero-day of the year. The vulnerability is tracked as CVE-2023-23529 and is a WebKit confusion issue which can trigger OS crashes and enable attackers to execute arbitrary code on affected devices once a malicious page is opened. Apple have further reported that the issue may have been actively exploited, increasing the importance of timely patching.

What Should I do?

Users should make sure to apply the update as soon as possible to one of the following versions:

  • iOS 16.3.1 – For iPhone 8 and later.

  • iPadOS 16.3.1 – For iPad Pro (all models), iPad Air 3rd gen and later, iPad 5th gen and later, iPad mini 5th gen and later.

  • macOS 13.2.1 – For macOS Ventura.

  • Safari 16.3 – For macOS Big Sur and macOS Monterey.

  • tvOS 16.3.2 – For Apple TV.

  • watchOS 9.3.1 – For Apple Watch Series 4 and later.

More details can be found here: Apple security updates – Apple Support (UK)

GoAnywhere Zeroday

On the 1st of February, Fortra disclosed a warning about an actively exploited zero-day vulnerability affecting on-premises instances of its ‘GoAnywhere MFT’ managed file transfer solution. The notification was published on their customer portal (which requires a free account to access) and details the exploit requiring access to the administrative console of the application, “which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses”.

However, in instances where the administrative console is exposed to the public internet, the attacker can easily access the console, leverage the remote code injection exploit, and access potentially sensitive information.

What Should I do?

Businesses using GoAnywhere MFT should, if they have not already done so, check their instances and make sure the administrative console is not exposed to the internet. If an instance is exposed, log in to the Customer Portal (goanywhere.com) for further detail and indicators of compromise, including a specific stack trace which shows up in the logs of compromised systems.

Once the impact has been ascertained, all users of GoAnywhere MFT should make sure to apply the emergency patch (7.1.2) to secure the vulnerability as soon as possible.

OpenSSL Updates

The well-known and widely used encryption library ‘OpenSSL’ has released security updates this month, covering its two current versions as well as the legacy 1.0.2 version which is only patchable via paid extended/premium support.

The update has fixed eight CVEs in total, with one (CVE-2023-0286) being a high-severity X.400 address type confusion in X.509 GeneralName.

What Should I do?

If you are still using the legacy 1.0.2 version, now might be the time to review your processes and update to a more recent (and free) version. To make sure you are protected from the vulnerabilities identified, make sure you are on the following versions or greater:

  • OpenSSL 3.0 series: Version 3.0.8.

  • OpenSSL 1.1.1 series: Version 1.1.1t.

  • OpenSSL 1.0.2 series: Version 1.0.2zg.

View the OpenSSL advisory and CVE details.

Sophos also go into greater detail and explanation in their article here: OpenSSL fixes High Severity data-stealing bug – patch now! – Naked Security (sophos.com).
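As an added example (not part of the original article), a small Python triage script that parses the banners printed by `clamd --version` and `openssl version` and compares them against the minimum fixed versions listed in the ClamAV and OpenSSL sections above. The sample banners are constructed, not taken from real hosts.

```python
import re

# Minimum fixed versions from the ClamAV and OpenSSL advisories above, keyed by
# release series (major, minor); OpenSSL 1.x patch levels carry a letter suffix.
CLAMAV_FIXED = {(0, 103): (0, 103, 8), (0, 105): (0, 105, 2), (1, 0): (1, 0, 1)}
OPENSSL_FIXED = {(3, 0): ((3, 0, 8), ""), (1, 1): ((1, 1, 1), "t"), (1, 0): ((1, 0, 2), "zg")}

def parse_clamav(banner):
    """'ClamAV 0.103.7/26811/...' (output of clamd --version) -> (0, 103, 7)."""
    m = re.search(r"ClamAV (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not a ClamAV version banner: %r" % banner)
    return tuple(int(x) for x in m.groups())

def parse_openssl(banner):
    """'OpenSSL 1.1.1s  1 Nov 2022' (output of openssl version) -> ((1, 1, 1), 's')."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)

def letter_key(suffix):
    # OpenSSL patch letters run a..z then za, zb, ... so a shorter suffix is older.
    return (len(suffix), suffix)

def clamav_is_patched(banner):
    ver = parse_clamav(banner)
    fixed = CLAMAV_FIXED.get(ver[:2])
    # A series the advisory does not list (e.g. end-of-life 0.104.x) has no fix.
    return fixed is not None and ver >= fixed

def openssl_is_patched(banner):
    nums, suffix = parse_openssl(banner)
    entry = OPENSSL_FIXED.get(nums[:2])
    if entry is None:
        return False  # series not covered by the advisory: flag it for review
    fixed_nums, fixed_suffix = entry
    if nums != fixed_nums:
        return nums > fixed_nums
    return letter_key(suffix) >= letter_key(fixed_suffix)

# Constructed sample banners, not real hosts. Distro packages that backport fixes keep
# an old upstream banner, so check the package changelog before raising a ticket.
SAMPLE_BANNERS = ["ClamAV 0.103.7/26811/Tue Feb 14 2023", "ClamAV 1.0.1/26811/Tue Feb 14 2023",
                  "OpenSSL 1.1.1s  1 Nov 2022", "OpenSSL 3.0.8 7 Feb 2023", "OpenSSL 1.0.2u  20 Dec 2019"]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        ok = clamav_is_patched(b) if b.startswith("ClamAV") else openssl_is_patched(b)
        print(("patched " if ok else "UPDATE  ") + b)
```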

QNAP Critical Bug

Finally, QNAP took to warning its customers to install QTS and QuTS firmware updates at the end of last month to fix a critical vulnerability allowing attackers to remotely inject malicious code on QNAP NAS devices. The SQL injection vulnerability has been assigned CVE-2022-27596 with a CVSS score of 9.8, due to its low complexity and unauthenticated nature requiring no user interaction.

What Should I do?

The flaw is reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1, though QTS 5.0.0, QTS 4.x.x, QuTS hero 5.0.0 and QuTS hero 4.5.x are not affected.

Admins should check their network for impact and update applicable instances to one of the following versions as soon as possible:

  • QTS 5.0.1.2234 build 20221201 and later

  • QuTS hero h5.0.1.2248 build 20221215 and later

More details can be found on the QNAP advisory here: Vulnerability in QTS and QuTS hero – Security Advisory | QNAP

Conclusion

Ransomware has still been the word this month as we continue into 2023, with ESXiArgs causing concern. However, it hasn’t all been ransomware, as Apple’s zero-day patch and Microsoft’s impressive Patch Tuesday haul have seen exploitation attempts in the wild too, and updates to the commonly used OpenSSL and ClamAV should keep many an admin busy as we go into March.

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month; others such as T-Mobile’s API data breach, VMware’s critical vRealize flaw, and Microsoft’s aforementioned 77-vulnerability Patch Tuesday (9 of which are critical) are just honourable mentions as examples of other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, have a look at your security processes and see what changes you can make to ensure you don’t get caught out in the future.

Just 20 minutes research each day can help you keep on top of the major security trends and alerts which help protect your business and keep you cyber aware!

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.
