Calendar Week 34 – WafdogBlog (http://192.168.11.11), feed generated Fri, 29 Mar 2024 13:00:19 +0000

U.S. FBI Warns of Persistent Risk to Barracuda Networks Email Security Gateway Despite Patching Efforts
http://192.168.11.11/u-s-fbi-warns-of-persistent-risk-to-barracuda-networks-email-security-gateway-despite-patching-efforts/ (Wed, 28 Feb 2024 10:44:22 +0000)

The U.S. Federal Bureau of Investigation (FBI) has issued a stark warning regarding Barracuda Networks Email Security Gateway (ESG) appliances, cautioning that even with the latest patches, they remain vulnerable to potential compromise by suspected Chinese hacking groups.

According to the FBI, the patches released to address the recently disclosed critical flaw in Barracuda ESG appliances are “ineffective.” The agency continues to observe intrusions and considers all affected Barracuda ESG appliances compromised and vulnerable to exploitation.

Tracked as CVE-2023-2868 with a CVSS score of 9.8, this zero-day vulnerability was weaponized as early as October 2022, months before it was officially patched. Google-owned Mandiant tracks the China-nexus group UNC4841 as the actor exploiting this flaw.

The vulnerability, impacting versions 5.1.3.001 through 9.2.0.006, allows for unauthorized execution of system commands with administrator privileges on the ESG product.

Successful breaches have led to the deployment of multiple malware strains like SALTWATER, SEASIDE, and others, facilitating arbitrary command execution and evading defense mechanisms.

Cyber actors utilized this vulnerability to insert malicious payloads onto the ESG appliance, enabling persistent access, email scanning, credential harvesting, and data exfiltration.

UNC4841, characterized as both aggressive and skilled, demonstrates sophistication in their operations, swiftly adapting custom tools to maintain access to high-priority targets.

The FBI strongly advises isolating and replacing all affected ESG devices immediately and conducting network scans for suspicious outgoing traffic.

Concern over the zero-day vulnerability (CVE-2023-2868) discovered in Barracuda Networks Email Security Gateway (ESG) appliances remains significant.

CVE-2023-2868, a remote command injection vulnerability affecting Barracuda ESG appliances in versions 5.1.3.001-9.2.0.006, allows unauthorized execution of system commands with administrator privileges.

Exploitation occurs during email attachment screening, where cyber actors format TAR file attachments to trigger command injection, granting access to execute commands within the ESG.

Suspected PRC cyber actors began exploiting this vulnerability in October 2022, initially using “.tar” extensions in malicious attachments and later switching to other extensions such as “.jpg” or “.dat”.

Following compromise, actors injected malicious payloads to maintain access, scan emails, harvest credentials, and exfiltrate data, demonstrating advanced techniques in counter-forensics.

Despite patches, exploited ESG appliances remain vulnerable. The FBI advises immediate isolation and replacement of affected devices and network scans for indicators of compromise.

The FBI released a list of domains and IP addresses associated with malicious activities, urging vigilance and thorough investigation to mitigate risks effectively.

Carderbee Hacking Group Utilizes Genuine Software in Supply Chain Breach
http://192.168.11.11/carderbee-hacking-group-utilizes-genuine-software-in-supply-chain-breach/ (Wed, 28 Feb 2024 10:41:52 +0000)

In a recent supply chain infiltration aimed at implanting the Korplug backdoor (also known as PlugX) into targeted systems, an unidentified APT group has been observed leveraging the “Cobra DocGuard” software.

Cobra DocGuard, developed by the Chinese company “EsafeNet,” serves as a legitimate software solution for managing Consolidated Omnibus Budget Reconciliation Act documents.

Symantec cybersecurity experts uncovered that the perpetrators associated with this APT group, dubbed “Carderbee,” employed a valid Microsoft certificate to sign their malicious software.

As outlined in a report disclosed to Cyber Security News, the primary targets of this supply chain attack were predominantly located in Hong Kong, with additional victims scattered across various Asian regions.

The Attack Sequence

Earlier in April 2023, Symantec’s Threat Hunter Team stumbled upon a signed version of Korplug; however, attribution to Budworm (also known as LuckyMouse or APT27) couldn’t be confirmed at the time.

While multiple APT groups, such as APT41 and Budworm, are known to utilize the Korplug backdoor, researchers have yet to pinpoint their specific industry targets, only identifying their geographical presence.

During this recent campaign, around 100 computers within affected organizations exhibited signs of malicious activity. Notably, while Cobra DocGuard was present on 2,000 computers, the focus appears to have been on targeted payload delivery.

The infection’s localization on computers strongly suggests either a supply chain breach or a malicious setup of Cobra DocGuard as the means of compromise.

Throughout 2023, numerous malware strains surfaced via this vector. Noteworthy is a Microsoft-signed downloader installing the Korplug backdoor from the following URL:

http://cdn.stream-amazon[.]com/update.zip

The aforementioned .zip file, a Zlib archive, decompresses and executes content.dll, functioning as a dropper for x64 and x86 drivers depending on the system’s architecture.

Capabilities of the Korplug Sample

The Korplug sample detected exhibited the following functionalities:

  • Execute commands via cmd
  • Enumerate files
  • Check running processes
  • Download files
  • Open firewall ports
  • Act as a keylogger

Indicators Of Compromise

SHA256 File Hashes:

  • 96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622
  • 19a6a404605be964ab87905d59402e2890460709a1d9038c66b3fbeedc1a2343
  • 1ff7b55dde007b7909f43dd47692f7c171caa2897d663eb9db01001062b1fe9d
  • 2400d8e66c652f4f8a13c99a5ffb67cb5c0510144b30e93122b1809b58614936
  • 2f714aaf9e3e3e03e8168fe5e22ba6d8c1b04cbfa3d37ff389e9f1568a80cad4
  • 47b660bbaacb2a602640b5e2c589a3adc620a0bfc9f0ecfb8d813a803d7b75e2
  • 5467e163621698b38c2ba82372bac110cea4121d7c1cec096958a4d9eaa44be7
  • 7e6d0f14302662f52e4379eb5b69a3749d8597e8f61266aeda74611258972a3d
  • 85fc7628c5c7190f25da7a2c7ee16fc2ad581e1b0b07ba4ac33cff4c6e94c8af
  • 8bd40da84c8fa5f6f8e058ae7e36e1023aca1b9a9c8379704934a077080da76f
  • 8ca135b2f4df6a714b56c1a47ac5baa80a11c6a4fcc1d84a047d77da1628f53f
  • 9e96f70ce312f2638a99cfbd3820e85798c0103c7dc06fe0182523e3bf1e2805
  • 9fc49d9f4b922112c2bafe3f1181de6540d94f901b823e11c008f6d1b2de218c
  • b5159f8ae16deda7aa5d55100a0eac6e5dacd1f6502689b543513a742353d1ea
  • b7b8ea25786f8e82aabe4a4385c6142d9afe03f090d1433d0dc6d4d6ccc27510
  • b84f68ab098ce43f9cb363d0a20a2267e7130078d3d2d8408bfb32bbca95ca37
  • f64267decaa982c63185d92e028f52c31c036e85b2731a6e0bccdb8f7b646e97

WinRAR Vulnerability Enables Hackers to Seize Control of PCs
http://192.168.11.11/winrar-vulnerability-enables-hackers-to-seize-control-of-pcs/ (Thu, 23 Nov 2023 13:02:50 +0000)

A significant security vulnerability has been revealed in the WinRAR utility, which has the potential to be exploited by malicious actors to achieve remote code execution on Windows systems.

This vulnerability, identified as CVE-2023-40477 with a CVSS score of 7.8, arises from improper validation during the processing of recovery volumes. The Zero Day Initiative (ZDI) explained that the problem stems from inadequate validation of user-supplied data, leading to potential memory access beyond the boundaries of an allocated buffer. This vulnerability could be leveraged by an attacker to execute code within the current process.

Successful exploitation requires user interaction: the target must be enticed into visiting a malicious webpage or opening a rigged archive file.

The discovery and reporting of this vulnerability are credited to a security researcher operating under the alias “goodbyeselene” on June 8, 2023. The issue has since been addressed in WinRAR 6.23, which was released on August 2, 2023. The software maintainers stated, “A security issue involving out-of-bounds write has been resolved in the RAR4 recovery volumes processing code.”

The latest version of WinRAR also tackles another issue where “WinRAR could open the wrong file when a user double-clicked an item within a specially crafted archive.” This problem was reported by Group-IB researcher Andrey Polovinkin.

Users are strongly advised to update to the most recent version of WinRAR to mitigate potential security risks.

Vulnerability in Apache Ivy Enables Attackers to Illegitimately Extract Confidential Information
http://192.168.11.11/vulnerability-in-apache-ivy-enables-attackers-to-illegitimately-extract-confidential-information/ (Thu, 23 Nov 2023 13:01:10 +0000)

A blind XPath injection vulnerability has been uncovered in Apache Ivy, a component of the Apache Software Foundation, which permits malicious actors to surreptitiously retrieve sensitive data that is normally restricted to the host running Apache Ivy.

This security flaw is present in versions prior to 2.5.2 and is triggered while Ivy parses XML files, both its own configuration files and Maven POMs (Project Object Models). The parser allows external documents to be downloaded and entity references to be expanded.

Exploiting this blind XPath injection vulnerability gives threat actors several avenues to manipulate or execute Ivy and to access sensitive information residing on the host. The vulnerability arises from improper handling of XML External Entity references.

Apache Ivy is a dependency manager used for resolving project dependencies and is an integral part of the Apache Ant project. It utilizes an XML file to define project dependencies and list the essential resources needed for project construction.

This vulnerability has been assigned CVE-2022-46751, with the CVSS score yet to be confirmed.

To mitigate this issue, Apache has released version 2.5.2 of Apache Ivy. In this release, DTD (Document Type Definition) processing is disabled by default for all files except Maven POMs, where only a DTD snippet necessary for dealing with existing Maven POMs can be included. It’s important to note that these DTD snippets are not valid XML files but are accepted by Maven POMs.

Apache Ivy, originating from the Apache Tomcat Project in 2000, plays a key role in automating software build processes.

Users are strongly advised to upgrade to Apache Ivy version 2.5.2 to safeguard against the exploitation of this vulnerability. Alternatively, Java system properties can be employed to restrict the processing of external DTDs.
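The mitigation described above, disabling DTD processing and restricting external entity and DTD access, is a general JAXP hardening pattern rather than anything specific to Ivy. The following is an added example, not code from Apache Ivy or this article, that places a default (weak) parser configuration beside a hardened one and runs both over a constructed POM-like document whose DOCTYPE declares an external entity. The file path inside the sample document is a placeholder, and the class and method names are this example's own.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class HardenedXmlParsing {

    // Constructed sample document (not from the article): a POM-like file whose
    // DOCTYPE declares an external entity. The SYSTEM URI is a placeholder path.
    static final String SAMPLE_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE project [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file.txt\">]>\n" +
        "<project><description>&ext;</description></project>";

    // Weak configuration: JAXP defaults allow DOCTYPE declarations and will try to
    // resolve external entities and DTDs, which is the behaviour the advisory describes.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: refuse DOCTYPE outright, and as defence in depth also
    // disable external entities, external DTD loading, XInclude and entity expansion.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Empty string means "no protocols allowed" for external DTD/schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the document and report the outcome as text so the two parsers can be compared.
    static String tryParse(DocumentBuilder builder, String xml) {
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed successfully";
        } catch (Exception e) {
            return "rejected with " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Process-wide alternative mentioned in the article: the JAXP system property
        // javax.xml.accessExternalDTD restricts external DTD access for every JAXP parser
        // created in this JVM. It is shown here commented out; the per-factory settings
        // above are the explicit equivalent.
        // System.setProperty("javax.xml.accessExternalDTD", "");

        // The default parser attempts to resolve the external entity (it only fails here
        // because the placeholder file does not exist); the hardened parser stops at the
        // DOCTYPE declaration and never attempts any external access.
        System.out.println("default  : " + tryParse(defaultParser(), SAMPLE_WITH_EXTERNAL_ENTITY));
        System.out.println("hardened : " + tryParse(hardenedParser(), SAMPLE_WITH_EXTERNAL_ENTITY));
    }
}
```

The difference in the two reported outcomes is the point of the check: an I/O error from the default parser shows it tried to read the referenced file, whereas the hardened parser fails at the DOCTYPE before any entity is resolved. Tools that must accept a limited DTD, as Ivy 2.5.2 does for Maven POMs, keep `disallow-doctype-decl` off for that one input type and rely on the remaining settings to block external access.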

Vulnerabilities in Apache XML Graphics Batik Expose Confidential Data
http://192.168.11.11/vulnerabilities-in-apache-xml-graphics-batik-expose-confidential-data/ (Thu, 23 Nov 2023 12:53:35 +0000)

Two Server-Side Request Forgery (SSRF) vulnerabilities have been identified in Apache Batik, potentially enabling malicious actors to gain unauthorized access to sensitive data within the Apache Batik application.

These vulnerabilities specifically pertain to Apache XML Graphics Batik and have been assigned the CVE IDs CVE-2022-44729 and CVE-2022-44730.

Apache Batik is a Java-based application toolkit employed for rendering, generating, and manipulating Scalable Vector Graphics (SVG) files. It comprises various modules, including SVG Parser, SVG Generator, and SVG DOM.

CVE-2022-44729 & CVE-2022-44730 in Apache Batik

CVE-2022-44729: This SSRF vulnerability allows malicious actors to induce Apache Batik to load external resources by exploiting a malicious SVG file. This could lead to increased resource consumption or inadvertent information disclosure.

CVE-2022-44730: This vulnerability can be exploited by threat actors who employ a malicious SVG file to probe user profiles/data and subsequently transmit it as a URL parameter, ultimately resulting in information disclosure.

In response to these vulnerabilities, Apache has implemented patches that block external resource loading by default and establish a whitelist within the Rhino JS engine.

These vulnerabilities affect versions of Batik prior to 1.16. To mitigate the risk of exploitation, users of Apache Batik are strongly advised to upgrade to the latest version, 1.17.
