Cyber Month in Review – June 2023
GitLab Patches 10/10 Security Flaw, MOVEit Transfer Zero-Day, Cisco AnyConnect Flaw, ChatGPT Accounts Stolen, Barracuda hacked ESG appliances, and Fortinet’s Critical RCE Month
Advice on How to Stay Cyber Secure
Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:
-
- GitLab Patches 10/10 Security Flaw
-
- MOVEit Transfer Zero-Day
-
- Cisco AnyConnect Flaw
-
- ChatGPT Accounts Stolen
-
- Barracuda hacked ESG appliances
-
- Fortinet’s Critical RCE Month
Welcome back to this month’s security in review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.
The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.
GitLab patches a 10/10 severity flaw
Towards the end of May, GitLab released an emergency security update to address a 10/10 critical vulnerability involving a path traversal flaw. GitLab is a well-known and widely used web-based Git repository used by developer teams who manage their code remotely.
Labelled as CVE-2023-2825, the path traversal flaw allows an unauthenticated attacker to “read arbitrary files on the server when an attachment exists in a public project nested within at least five groups”.
What Should I do (At a Glance)
The vulnerability was discovered by the security researcher ‘pwnie’ and is said to impact GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, though all versions older than this aren’t affected.
This vulnerability was fixed in version 16.0.1, so all users affected should patch their instance to the latest available as soon as possible given the critical severity.
More information can be found on the security release here: GitLab Critical Security Release: 16.0.1 | GitLab
MOVEit Transfer zero-day being targeted
One widely discussed topic this month is following the ‘MOVEit Cloud’ and ‘MOVEit Transfer’ file transfer software which has been mass exploited following a zero-day in the application allowing the mass downloading of data from organisations.
The vulnerability in question was reported on May 31st, listed as CVE-2023-34362 and reported to be a SQL injection flaw allowing for unauthenticated access to a MOVEit Transfer database. Unfortunately, this was just the start, and further detections were identified throughout this month as ‘Progress Software’ partnered with cybersecurity firm ‘Huntress’ for further investigation.
June 9th: During this investigation, additional flaws collectively tracked as CVE-2023-35036 were identified which would allow an attacker to submit a crafted payload to the application endpoint resulting in modification and disclosure of database content.
June 16th: As investigation continues, ‘Progress’ issued another warning of yet another new SQL injection flaw – this time publicly posted, which required them to take down HTTPs traffic for MOVEit Cloud and ask customer with MOVEit Transfer to do the same. This flaw (classified as CVE-2023-35708) is not yet believed to be exploited in the wild but does much the same as the previous two exploits and allows an attacker unauthorised access to MOVEit Transfer’s database via a crafted payload.
Clop Involvement: To make matters worse, it has also been reported that the Clop ransomware group have started extorting companies impacted by the MOVEit attacks, listing their victim company names on a data leak site, claiming to have breached “hundreds of companies”, and threatening to leak the stolen data beginning June 21st if their extortion demands aren’t paid.
What Should I do (At a Glance)
As you can imagine, the constant new findings throughout this month have resulted in a litany of updates and new patches being pushed by ‘Progress’. At the time of this article (23.06.23), ‘Progress have confirmed that all relevant fixes have now been applied to all MOVEit cloud clusters.
Progress released a useful article on June 15th which details the necessary next steps regardless of which patch stage you’re at. By following the article linked below, you should be able to patch all three of the CVE’s detailed previously, with immediate mitigation steps to enforce while you execute the process to prevent access while you wait: MOVEit Transfer Critical Vulnerability – CVE-2023-35708 (June 15, 2023) – Progress Community.
For the latest updates, see Progress’s overview here: MOVEit Transfer and MOVEit Cloud Vulnerability (progress.com).
Cisco AnyConnect flaw grants SYSTEM privileges
On the 7th of June Cisco released a security advisory having identified a high-severity vulnerability that would let an attacker escalate to SYSTEM privileges in the Cisco Secure Client software (formally known as ‘AnyConnect’).
Cisco Secure Client is a VPN client for users to work remotely securely and provides admins with various management features. The exploit itself, tracked as CVE-2023-20178, allows a local attacker to exploit with low privilege and low complexity which requires no user interaction. Whilst it was initially reported to have no evidence of public exploit code or use in the wild, an update came out on the 21st of June stating that proof of concept exploit code is now available.
What Should I do (At a Glance)
Cisco have stated that there are no workarounds for this vulnerability, so it’s important to apply their patch and upgrade to either of the below as a minimum:
-
- AnyConnect Secure Mobility Client for Windows 4.10MR7
-
- Cisco Secure Client for Windows 5.0MR2.
You can find more information on the vulnerability and fix on the Cisco advisory here: Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability – Cisco.
ChatGPT accounts stolen
Cyber solutions provider and threat intelligence company ‘Group-IB’ discovered over 100,000 compromised ChatGPT accounts on dark web marketplaces recently. The compromised credentials in question were within the logs of info-stealing malware traded on the dark web within the past year.
As the data above suggests, “Group-IB’s experts highlight that more and more employees are taking advantage of the Chatbot to optimize their work, be it software development or business communications”. Because the platform is now being used by businesses, it invariably includes business data of varying confidentiality as users try to make their work life easier – this makes it a prime target for attackers with rising popularity.
It’s important to note that ChatGPT stores user queries and AI responses by default. With many employees now using the platform (whether officially or unofficially) for work and code development, compromise of their account could result in confidential information or proprietary code entered into the bot being stolen. It’s not just account compromise either as bots like ChatGPT use the data fed into them to learn and train itself for future queries which means the same confidential information you put in to get an answer, could be regurgitated if others ask similar questions.
What Should I do (At a Glance)
Both Apple and Samsung have banned company use of ChatGPT over the security implications it poses and whether or not you agree with the strict measures they’ve employed; it IS important that proper communication is made so that your people and business understand the risks involved. If you do wish to allow business use of ChatGPT, you should at the very least disable the chat saving feature in the settings menu and/or manually delete the conversation history to limit the risk of a sensitive data leak.
More information can be found on the Group-IB article here: Group-IB Discovers 100K+ Compromised ChatGPT Accounts on Dark Web Marketplaces; Asia-Pacific region tops the list | Group-IB
Business Cyber Security Posture Assessment
31% of business reported a cyber incident last year. Don’t be next. Take this FREE assessment to uncover your cyber security weaknesses.
Barracuda hacked ESG appliances
Several other applications and appliances have been affected by zero-days recently too, with another being Barracuda’s ESG appliances (Email Security Gateway). For those that don’t know, an ESG is a solution that can be deployed either physically or virtually to inspect and filter inbound and outbound email traffic for malicious content before it reaches/leaves the company systems.
In late May, Barracuda discovered a remote command injection vulnerability that had purportedly been exploited in the wild to backdoor customer ESG appliances with custom malware and steal data. The vulnerability has been assigned as CVE-2023-2868 and has been used since at least October 2022 to breach “a subset of ESG appliances” and install malware, providing attackers with persistent access across compromised devices.
What Should I do (At a Glance)
Whilst Barracuda had initially patched the vulnerability on May 20th, they have since updated their advisory for customers to REPLACE all compromised ESG appliances immediately instead, regardless of patch version level. This updated requirement for total replacement is an extreme one and implies the attack has achieved sufficient persistence at a low level whereby patching/wiping the device wouldn’t eradicate attacker access.
Given the attack has been actively exploited for several months now, response should be urgent and if you haven’t already, you should take your Barracuda devices offline immediately and check for signs of compromise back to atleast October 2022.
Details on the indicators of compromise and further help can be found on the Barracuda advisory here: Barracuda Email Security Gateway Appliance (ESG) Vulnerability.
Fortinet’s Critical RCE Month
Fortinet’s month has been lively too with a variety of flaws being found in multiple instances. The first one of note is a critical heap-based buffer overflow vulnerability in FortiOS and FortiProxy that allows for pre-authentication remote code execution in SSL VPN devices tracked as CVE-2023-27997. The vulnerability is reported to be exploited in the wild and with a score of 9.2, admins are urged to patch to the latest version as soon as possible.
The next critical vulnerability is being tracked as CVE-2023-33299 and is an unauthenticated remote code execution vulnerability in FortiNAC. As the name suggests, FortiNAC is a network access control solution which helps businesses manage network-wide policies and gain visibility of devices and users against unauthorised access. With solutions like FortiNAC having high access and control over business networks, they make attractive targets for attackers making swift remediation essential.
What Should I do (At a Glance)
For CVE-2023-27997, admins are urged to patch FortiOS and/or FortiProxy in accordance with PSIRT Advisories | FortiGuard(FG-IR-23-097), disabling SSL-VPN as a temporary workaround as required.
For CVE-2023-33299, admins are similarly urged to patch FortiNAC in accordance with PSIRT Advisories | FortiGuard (FG-IR-23-074).
Details of other Fortinet vulnerabilities this month can be found here: PSIRT Advisories | FortiGuard.
In Conclusion
This month has seen a lot of concerning events discovered, with MoveIT and Barracuda in particular having pretty severe consequences for any impacted, though Cisco’s VPN flaw and GitLab’s 10/10 require just as much attention from admins too. Group-IB’s research has also helped us from a proactive standpoint however by informing us of the risks involved in AI chatbots to get businesses to discuss their own risk appetite – will they join Apple and Samsung in its eviction or will they simply put in place rules to follow for its secure use.
As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others such as the Apple’s latest Zero-day, Vmware’s critical vRealize flaw, ASUS’s critical router vulnerabilities, and ShareFile Storage’s RCE exploit are examples of other updates you should be aware of and research.
If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts which help protect your business and keep you cyber aware!
If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.
Detect. Protect. Support.
Posture Assessment
Understand your security risks and how to fix them.
Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.
Leave a Reply
You must be logged in to post a comment.