Under a recent directive from the Cybersecurity and Infrastructure Security Agency (CISA), federal agencies must respond within 14 days to any notifications from CISA regarding misconfigured or publicly accessible networking equipment.
This directive applies to various networking devices that allow remote authentication or administration, including firewalls, routers, and load balancers.
The order mandates that federal departments restrict access to the management interfaces of these devices so that only authorized users on the agency’s local or internal network can reach them.
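One way to audit an inventory for the condition the directive targets, management interfaces reachable from outside the internal network, written as an added example (not CISA's tooling or any vendor's code); the inventory format, the device names and the internal ranges (RFC 1918) are assumptions for illustration:

```python
"""Flag devices whose management interface is reachable from non-internal sources.
Added example; device inventory and internal ranges are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed "internal" ranges; an agency would substitute its own address plan.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"),
                     ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16")]


@dataclass
class Device:
    name: str
    mgmt_ip: str               # address the management service listens on
    allowed_sources: list      # CIDRs the management ACL permits (empty = unrestricted)


def address_is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS if net.version == ip.version)


def source_is_internal(cidr: str) -> bool:
    # A permitted source is acceptable only if the whole range sits inside an internal range.
    net = ip_network(cidr, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETWORKS)


def audit(devices):
    """Return {device name: [reasons]} for every device that needs remediation."""
    findings = {}
    for d in devices:
        reasons = []
        if not address_is_internal(d.mgmt_ip):
            reasons.append(f"management listener {d.mgmt_ip} is not on an internal range")
        if not d.allowed_sources:
            reasons.append("no source restriction on management ACL")
        for src in d.allowed_sources:
            if not source_is_internal(src):
                reasons.append(f"ACL permits non-internal source {src}")
        if reasons:
            findings[d.name] = reasons
    return findings


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("fw-edge-1", "203.0.113.10", ["0.0.0.0/0"]),              # exposed, any source
    Device("rtr-core-1", "10.1.1.1", ["10.0.0.0/8"]),                 # compliant
    Device("lb-dmz-1", "10.2.0.5", ["10.2.0.0/16", "198.51.100.0/24"]),  # one external source
    Device("sw-access-1", "192.168.50.2", []),                        # ACL never configured
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(reasons))
```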
CISA’s decision comes in response to a series of recent attacks where threat actors took advantage of zero-day vulnerabilities in popular networking products to carry out ransomware and cyber espionage campaigns against targeted organizations.
A round-up of recent attacks
Barracuda device replacement
The incident response firm Mandiant disclosed that Chinese cyber spies have been exploiting a zero-day vulnerability in email security gateway (ESG) appliances produced by Barracuda Networks.
Barracuda Networks became aware of the zero-day exploitation in mid-May and promptly released a security update to address the flaw in all affected devices just two days later.
However, Barracuda took the unusual step of offering to replace compromised ESGs last week. This action was likely taken in response to malware that had fundamentally altered the systems, rendering them incapable of being remotely secured through software updates.
According to Mandiant, a previously unidentified Chinese hacking group is responsible for exploiting the vulnerability in Barracuda’s products.
Their objective appears to involve searching through the email records of victim organizations to identify accounts belonging to individuals associated with governments having political or strategic interests related to China. Notably, these activities occurred while the victim government was engaged in high-level diplomatic meetings with other countries.
When security experts began raising concerns about a potential zero-day vulnerability in Barracuda’s products, the Chinese hacking group adjusted their tactics, techniques, and procedures (TTPs) in response to Barracuda’s mitigation efforts; Mandiant observed these changes while Barracuda was working to contain and resolve the incident.
Read more details: Vulnerable ESG appliances must be replaced, urges Barracuda
Fortinet patch alert
This week, new information emerged regarding the ongoing exploitation of a zero-day vulnerability affecting a wide range of virtual private networking (VPN) products manufactured by Fortinet. These devices are commonly used by organizations to enable remote network access for their employees.
On June 11, Fortinet released several security updates for its FortiOS firmware, which addressed various vulnerabilities. Among them was a weakness that researchers identified as allowing attackers to run malicious code on virtually any Fortinet SSL VPN appliance. The researchers emphasized that simply being able to reach the management interface of a vulnerable Fortinet SSL VPN appliance was sufficient to compromise the device entirely.
French vulnerability researcher Charles Fol took to Twitter, stating, “This is reachable pre-authentication, on every SSL VPN appliance. Patch your #Fortigate.”
Fortinet confirmed on June 12 that one of the vulnerabilities, identified as CVE-2023-27997, is currently being actively exploited. The company discovered this weakness during an internal code audit in January 2023, triggered by their knowledge of Chinese hackers exploiting a separate zero-day product flaw.
Why does CISA think it’s important?
Cybersecurity experts emphasize that the directive issued by CISA underscores the growing risks associated with exposing devices to the public internet.
Cyber espionage groups and ransomware gangs are actively probing these devices for undiscovered security vulnerabilities, incentivising organizations to minimize their exposure.
One striking example of this trend can be observed in the actions of ransomware groups, particularly Cl0p. These groups have repeatedly taken advantage of zero-day vulnerabilities found in widely-used file-transfer protocol (FTP) applications.
By exploiting these flaws, they have managed to extort large sums of money, totalling tens of millions of dollars, from numerous victims of ransomware attacks.
CISA reported that on May 27, Cl0p started exploiting a previously unknown vulnerability in MOVEit Transfer, a popular file transfer application accessible via the internet. Although Progress Software, the parent company of MOVEit, has since released security updates to address the weakness, Cl0p claims to have already compromised hundreds of organizations using this exploit.
Step ahead
CISA has issued these binding directives in line with a zero-trust architecture that treats all digital systems as untrusted. Under that model, all networks, devices and systems must be considered compromised until proven otherwise.
“Zero Trust Architecture is an enterprise approach to design and implement component relationships, workflow planning, and access policies around Zero Trust concepts.”