This past January, Techtarget published the news article “10 of the Biggest Zero-Day Attacks of 2023.” And while you may not use any of the impacted technologies, there are still important lessons that can be gleaned from the vulnerabilities that led to the attacks.
In this blog, we’ll look at four of the vulnerabilities mentioned and explore security best practices that would help defend against them.
NOTE: Spinnaker Support is not a security company, nor does it offer support on the software products listed in the article. The Zero-Day vulnerabilities referenced within this blog are merely used to discuss general security best practices that can be applied to any system.
Fortra GoAnywhere (CVE-2023-0669)
GoAnywhere MFT is a secure file transfer service. Security researchers found that it suffered from a remote code execution (RCE) flaw, which is one of the most severe and damaging types of security weaknesses. Attackers abusing this type of weakness can run code, execute malware, steal data, and gain access to other systems — all of which can be accomplished over the network.
NOTE: Just because GoAnywhere MFT is labeled as “secure” does not mean the data it handles is safe.
In the case of GoAnywhere, its vulnerability could only be exploited through a compromised administration console. For most organizations, this means the vulnerability is at a lower risk of exploitation. Administration consoles should always be kept behind firewalls and accessed only from within a company network — or remotely, via a company’s virtual private network (VPN).
Numerous security researchers, in addition to Fortra itself, published several mitigations for clients to implement to help secure their systems. These mitigations reflect best practices that should be followed in all environments and organizations:
- Do not expose the GoAnywhere MTF Administrative Console to the Internet.
Your organization should be performing regular scans and audits of your publicly exposed interfaces. Knowing your systems’ infrastructure and monitoring your endpoints helps protect you from human errors in configuration and can reduce the number of endpoints exposed to attacks from the outside.
- Follow the best practices defined in the manuals and, specifically, the “GoAnywhere MFT Hardening Guide.”
There are configurations and system settings that must be adjusted for each installation. When it comes to any software or service, it’s important that administrators understand and implement the vendor’s documented security best practices.
- Review audit logs and delete any suspicious admin and/or web user accounts.
Your organization should have processes in place for reviewing audit logs and searching for suspicious activity. Special attention should be paid when reviewing newly created users, especially those with elevated privileges.
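The audit-log review described above, as an added example (not code from Spinnaker Support or Fortra): a small reviewer that reads a constructed, hypothetical audit-log format and flags the events a human should look at first. The log format, the field names, the sample lines and the crude "internal network" prefix test are all assumptions for illustration; a real product's audit log needs its own parser and a real IP allow-list.

```python
"""Flag privileged-account creation and role changes in an audit log.

Added example, not Spinnaker Support's or Fortra's code. The log format,
field names and sample lines below are constructed for illustration; a
real product's audit log will need its own parser.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample audit log lines (hypothetical format):
#   <timestamp> <event> actor=<user> target=<user> role=<role> src=<ip>
SAMPLE_AUDIT_LOG = """\
2023-02-01T08:01:12Z USER_LOGIN actor=alice target=alice role=admin src=10.0.5.12
2023-02-01T08:03:40Z USER_CREATE actor=alice target=bob role=webuser src=10.0.5.12
2023-02-01T23:17:05Z USER_LOGIN actor=svc-backup target=svc-backup role=admin src=203.0.113.77
2023-02-01T23:17:31Z USER_CREATE actor=svc-backup target=ops-tmp role=admin src=203.0.113.77
2023-02-02T02:44:09Z ROLE_CHANGE actor=ops-tmp target=bob role=admin src=203.0.113.77
2023-02-02T09:10:00Z USER_CREATE actor=alice target=carol role=webuser src=10.0.5.30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z_]+) actor=(?P<actor>\S+) "
    r"target=(?P<target>\S+) role=(?P<role>\S+) src=(?P<src>\S+)$"
)

# Roles that should never appear without a change ticket behind them.
PRIVILEGED_ROLES = {"admin"}
# Events that grant or create access, as opposed to plain logins.
GRANT_EVENTS = {"USER_CREATE", "ROLE_CHANGE"}


@dataclass(frozen=True)
class Finding:
    ts: str
    reason: str
    actor: str
    target: str
    src: str


def parse_audit_log(text: str) -> list[dict[str, str]]:
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review_audit_log(text: str, internal_nets: tuple[str, ...] = ("10.",)) -> list[Finding]:
    """Return the events a reviewer should look at first.

    Rules, in line with the guidance above:
      1. any creation of, or promotion to, a privileged role;
      2. any grant performed from a source outside the internal ranges
         (a crude prefix match stands in for a real IP allow-list here);
      3. any grant made by an account that was itself created in this log,
         since a newly created admin creating more admins is a classic
         persistence pattern.
    """
    findings: list[Finding] = []
    created_here: set[str] = set()
    for ev in parse_audit_log(text):
        if ev["event"] not in GRANT_EVENTS:
            continue
        reasons = []
        if ev["role"] in PRIVILEGED_ROLES:
            reasons.append("privileged role granted")
        if not ev["src"].startswith(internal_nets):
            reasons.append("grant from external source")
        if ev["actor"] in created_here:
            reasons.append("actor was created earlier in this log")
        if ev["event"] == "USER_CREATE":
            created_here.add(ev["target"])
        if reasons:
            findings.append(Finding(ev["ts"], "; ".join(reasons), ev["actor"], ev["target"], ev["src"]))
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f.ts}  {f.actor} -> {f.target} ({f.src}): {f.reason}")
```

Run against the sample, the two overnight events from the external address are reported and alice's routine web-user creations are not; the point is that the review is driven by role and source, not by reading every line by hand.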
Barracuda Email Security Gateway (CVE-2023-2868)
The earliest evidence of the Barracuda Email Security Gateway vulnerability can be traced back to approximately seven months before Barracuda became aware of it — highlighting why application administrators should not rely primarily on patching as proof that their systems are secure.
As a remote command-injection vulnerability, the Barracuda Email Security Gateway flaw involved a piece of software that performs the initial screening of attachments on incoming emails. The screening proved faulty in that it wasn’t performing complete validation of user-supplied .tar files, enabling an attacker to send files that could execute a system command with the privileges of the Email Security Gateway product. Following is a list of mitigations that the vendor and security researchers provided, including general best practices that should be part of all environments:
- Use firewalls or a network-filtering appliance that allows only Barracuda Email Security Gateway services to send data outside of your private network.
Among the approaches bad actors use to compromise a system is one that establishes communication to command-and-control infrastructure on external networks by installing either backdoors or reverse shells. Limiting the services, ports, and types of communication to strictly what is needed can go a long way in hindering how much a bad actor is capable of accomplishing on your system.
- Administrative access to the Barracuda ESG should be permitted via allow-list only.
No matter which system or infrastructure you’re using, limiting the number of users who can log into your server, as well as which endpoints can be used to make those connections, helps reduce your overall attack surface. This also helps protect you from bad actors who are attempting lateral movement (accessing other servers from your compromised server).
- Local passwords (specifically the admin and API password) should not be reused across systems.
Password management is paramount in protecting your systems from unauthorized access. Passwords should be complex, unique to each system, and changed regularly — and they should not be stored in clear-text files. The greatest concern involves administrative accounts and highly privileged accounts, such as service accounts. There should be well-established processes and procedures for changing these passwords in case they are ever compromised or someone with intimate knowledge of the accounts leaves the company.
- Service-account configuration should be based upon the concept of least privilege, with the identity provider enforcing authentication and usage restrictions.
Often, vulnerabilities associated with remote code execution/injection are exploited using the privileges of the services/software owners’ accounts. Practicing the principle of least privilege — by limiting these accounts’ access to only the files, commands, and services necessary to work — will limit the commands that bad actors can execute on the remote system.
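The two network controls above (admin access by allow-list only, and egress limited to the gateway's own services) expressed as a policy check, as an added example that is not code from Spinnaker Support or Barracuda. The networks, ports, purposes and connection records are constructed for illustration; the real values come from your own address plan and the vendor's documented service ports.

```python
"""Evaluate connection records against an allow-list policy.

Added example, not code from Spinnaker Support or Barracuda. It models the two
controls above: admin interfaces reachable only from an allow-list, and only
the gateway's own services allowed to talk outbound. Networks, ports and the
sample connection records are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed policy. Replace with your own ranges and the vendor's documented
# service ports; nothing here is taken from a real deployment.
ADMIN_ALLOWED_SOURCES = [ipaddress.ip_network("10.0.5.0/24"),      # ops jump hosts
                         ipaddress.ip_network("192.168.100.7/32")]  # one management workstation
ADMIN_PORTS = {443, 8000}

EGRESS_ALLOWED = {
    # (destination network, port): purpose
    (ipaddress.ip_network("198.51.100.0/24"), 443): "vendor update service (hypothetical range)",
    (ipaddress.ip_network("10.0.9.0/24"), 25): "internal mail relay",
    (ipaddress.ip_network("10.0.1.53/32"), 53): "internal DNS",
}


@dataclass(frozen=True)
class Conn:
    direction: str  # "in" or "out", relative to the gateway
    src: str
    dst: str
    dport: int


def check_admin_access(conn: Conn) -> str | None:
    """Return a violation description for inbound admin traffic, else None."""
    if conn.direction != "in" or conn.dport not in ADMIN_PORTS:
        return None
    src = ipaddress.ip_address(conn.src)
    if any(src in net for net in ADMIN_ALLOWED_SOURCES):
        return None
    return f"admin port {conn.dport} reached from non-allow-listed source {conn.src}"


def check_egress(conn: Conn) -> str | None:
    """Return a violation description for outbound traffic not on the allow-list."""
    if conn.direction != "out":
        return None
    dst = ipaddress.ip_address(conn.dst)
    for (net, port), _purpose in EGRESS_ALLOWED.items():
        if dst in net and conn.dport == port:
            return None
    return f"outbound {conn.dst}:{conn.dport} not on egress allow-list"


def evaluate(conns: list[Conn]) -> list[tuple[Conn, str]]:
    """Run both checks; a record can trip at most one of them, by direction."""
    violations = []
    for c in conns:
        v = check_admin_access(c) or check_egress(c)
        if v:
            violations.append((c, v))
    return violations


# Constructed connection records, as might be exported from a firewall log.
SAMPLE_CONNS = [
    Conn("in", "10.0.5.12", "10.0.2.10", 443),       # admin from jump host: ok
    Conn("in", "203.0.113.9", "10.0.2.10", 443),     # admin from the Internet: violation
    Conn("in", "203.0.113.9", "10.0.2.10", 25),      # inbound mail: not an admin port, not checked here
    Conn("out", "10.0.2.10", "10.0.9.4", 25),        # relay: ok
    Conn("out", "10.0.2.10", "198.51.100.20", 443),  # vendor updates: ok
    Conn("out", "10.0.2.10", "203.0.113.50", 9443),  # unexpected outbound: violation
]

if __name__ == "__main__":
    for c, why in evaluate(SAMPLE_CONNS):
        print(f"{c.direction:>3} {c.src} -> {c.dst}:{c.dport}: {why}")
```

The egress side is a default-deny list keyed on both destination and port, which is what actually hinders a backdoor: a compromised gateway that can still reach arbitrary addresses on 443 has effectively no egress control. In practice the same policy is enforced on the firewall itself; a check like this is useful for auditing exported rules or flow logs against the intended policy.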
Progress Software MOVEit Transfer (CVE-2023-34362)
The Progress Software MOVEit Transfer vulnerability is an SQL injection that enables an unauthenticated attacker to gain access to the databases supporting MOVEit Transfer. Depending on your database engine, an attacker may be able to retrieve information about its structure and contents. Alarmingly, researchers have published proof-of-concepts showing SQL execute statements that alter or delete database elements. Even worse, the researchers were able to go a step further and perform an RCE on the server. Upon analysis, this vulnerability helps us identify a number of best practices for protecting systems that different vendors share:
- Follow security documentation: MOVEit Security Best Practices, SysAdmin Remote Access Rules, and Security Policies Remote Access guide.
- Audit network firewall rules associated with the MOVEit Transfer infrastructure, and only allow connections from known and trusted IP addresses.
- Review and remove any unauthorized user accounts.
- Update remote access policies to only allow inbound connections from known and trusted IP addresses.
- Allow inbound access only from trusted entities (e.g., using certificate-based access control).
- Enable multi-factor authentication.
Most of the above vendor recommendations for MOVEit are focused on attack-surface reduction. The goal is to reduce the number of endpoints that could potentially grant unauthorized access to a system. If a bad actor does gain access to the system, the follow-up goal is to limit which data they can access and transfer off the system.
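To make the class of flaw described in this section concrete, here is an added example (not code from Progress Software or MOVEit, and not the product's actual query) showing a string-built SQL query beside its parameterized replacement. The table, rows and lookup function are constructed for illustration, using Python's built-in sqlite3 so it runs without a server.

```python
"""SQL injection: string-built query beside its parameterized replacement.

Added example, not code from Progress Software or MOVEit; the table, rows and
the lookup function are constructed to illustrate the class of flaw described
above, not the product's actual query.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)",
                     [("alice", 1), ("bob", 0), ("carol", 0)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flawed pattern: untrusted input pasted into the SQL text.

    The caller intends to return at most one row, but the quoting is under
    the caller's (and therefore the attacker's) control, so the WHERE clause
    can be rewritten by the input.
    """
    sql = f"SELECT id, name, is_admin FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the query text is fixed and the value travels as a parameter.

    The driver hands the value to the engine separately from the statement,
    so it is compared as data and never parsed as SQL, whatever characters
    it contains.
    """
    return conn.execute(
        "SELECT id, name, is_admin FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed inputs: an ordinary lookup and the classic tautology string
# that turns the vulnerable WHERE clause into "name = 'x' OR '1'='1'".
NORMAL_INPUT = "bob"
HOSTILE_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal :", find_user_vulnerable(db, NORMAL_INPUT))
    print("vulnerable, hostile:", find_user_vulnerable(db, HOSTILE_INPUT))  # every row is returned
    print("safe, hostile      :", find_user_safe(db, HOSTILE_INPUT))        # no row matches
```

Parameterization fixes the injection itself; the least-privilege point from the MOVEit list is the second layer. If the application's database account cannot ALTER or DROP, a proof-of-concept like the ones the researchers published would be limited to reading what that account can read, which is why the database login used by a web application should never be the database owner.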
Microsoft Search Remote Code Execution Vulnerability (CVE-2023-36884)
The Microsoft Search RCE vulnerability in Windows Search had no patch at the time of the disclosure from Microsoft, which is very unusual. The vulnerability was tied to a phishing campaign that targeted defense and government entities in Europe and North America. The lure was related to the Ukrainian World Congress, with phishing emails containing a fake OneDrive loader that would lead to the exploitation of CVE-2023-36884, installing backdoors on government systems. Microsoft did provide the following mitigations, which we will distill down to general best practices:
- Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
Security of the system cannot depend on patching. You need a defense-in-depth strategy with different layers of defense in place — including (but not limited to) antivirus software, endpoint detection and response (EDR), mail systems with phishing protection, and employee security training.
- Block all Office applications from creating child processes.
A common malware strategy is to create child processes that download and attempt to run further payloads. Indiscriminately blocking the creation of child processes might affect normal line-of-business applications. It is best to have systems in place that watch for uncommon spawning of child processes and send out alerts upon detection.
Distilled to general best practices, these mitigations come down to the following:
- When it comes to protecting a system, patching is unreliable.
- The best security posture comes from a Defense in Depth approach.
- Only individuals whose jobs require access to a system should have access to it.
- By segregating your network, you’ll limit endpoints that can communicate with each other.
- The principle of least privilege should be applied to user accounts.
- Good password management is fundamental to good security.
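The "watch for uncommon spawning of child processes and alert" advice from the Microsoft section, as an added example that is not code from Microsoft or Spinnaker Support. It checks process-creation events against a per-parent baseline of accepted children and raises an alert, rather than a block, for anything else. The event format, the baseline, the severity ranking and the sample events are constructed for illustration; real telemetry would come from an EDR or a Sysmon-style process-creation log, and the baseline would be built from what your own fleet legitimately does.

```python
"""Alert on Office applications spawning unexpected child processes.

Added example, not code from Microsoft or Spinnaker Support. It applies the
"watch for uncommon spawning of child processes" advice to a list of
process-creation events. The event format, the baseline of expected children
and the sample events are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed baseline: children an organization might have observed and
# accepted for its own line-of-business use. Anything else gets an alert
# rather than a silent block, so legitimate add-ins are not broken unseen.
EXPECTED_CHILDREN = {
    "winword.exe": {"splwow64.exe"},              # 32-bit print spooler bridge
    "excel.exe": {"splwow64.exe"},
    "outlook.exe": {"winword.exe", "excel.exe"},  # opening attachments
    "powerpnt.exe": set(),
}

# Children that can run scripts or load arbitrary code rank higher.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    parent: str
    child: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    parent: str
    child: str
    severity: str


def _severity(child: str) -> str:
    """Rate an unexpected child by what it is capable of."""
    return "high" if child in HIGH_RISK_CHILDREN else "medium"


def detect_office_children(events: list[ProcEvent]) -> list[Alert]:
    """Return one alert per process-creation event whose parent is an Office
    application and whose child is not in that parent's accepted baseline.
    Image names are compared case-insensitively, as Windows reports them in
    mixed case."""
    alerts: list[Alert] = []
    for ev in events:
        parent = ev.parent.lower()
        child = ev.child.lower()
        if parent not in OFFICE_PARENTS:
            continue
        if child in EXPECTED_CHILDREN.get(parent, set()):
            continue
        alerts.append(Alert(ev.ts, ev.host, parent, child, _severity(child)))
    return alerts


# Constructed sample events; command lines are truncated placeholders.
SAMPLE_EVENTS = [
    ProcEvent("2023-07-11T09:02:11Z", "ws-014", "explorer.exe", "WINWORD.EXE", "winword.exe /n"),
    ProcEvent("2023-07-11T09:02:40Z", "ws-014", "WINWORD.EXE", "splwow64.exe", "splwow64.exe 12288"),
    ProcEvent("2023-07-11T09:03:05Z", "ws-014", "WINWORD.EXE", "cmd.exe", "cmd.exe /c ..."),
    ProcEvent("2023-07-11T09:03:06Z", "ws-014", "cmd.exe", "powershell.exe", "powershell.exe ..."),
    ProcEvent("2023-07-11T10:15:00Z", "ws-022", "OUTLOOK.EXE", "excel.exe", "excel.exe report.xlsx"),
    ProcEvent("2023-07-11T10:16:30Z", "ws-022", "EXCEL.EXE", "notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for a in detect_office_children(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.ts} {a.host}: {a.parent} spawned {a.child}")
```

Note that the fourth sample event (cmd.exe launching powershell.exe) is not flagged on its own, because this check looks only one level up. A production rule should follow process ancestry so that a grandchild of an Office application is still attributed to it; the baseline-plus-alert approach is the same, only the parent lookup walks the tree.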
Conclusion
Software is complex, and no matter how often a vendor patches it, there will always be vulnerabilities that don’t have patches. After reviewing these four zero-day vulnerabilities from 2023, it’s clear that protecting systems when patches aren’t available involves a holistic approach to security. The lessons learned from each of these vulnerabilities are true for any system:
At Spinnaker Support, we provide a Defense in Depth approach to guide you through protecting your systems from potential threat actors. For more information on defending your system against vulnerabilities, please visit our webpage on Security and Vulnerability Management, or reach out to a representative.