Breaking Badness

158. Zero Days of Our Lives

Coming up this week on Breaking Badness: Fire in the Wall, No Patch, No Cry, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

Fire in the Wall

  • Fortinet has released new FortiGate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices, tracked as CVE-2023-27997
  • First of all – most things with Fortinet begin with Forti-
    • Who are they?
      • Folks will have almost certainly seen Fortinet – they’ve been around for about 23 years – long presence
      • FortiGate is the firewall that put them on the map – that’s where this story begins
      • Speed has always been a big theme for them
  • Our story here starts with a French red team (Lexfo)
    • They were poking around on the web interface that is tied to the FortiGate VPN
    • They found you can feed this VPN certain things and gain access to the device
      • It doesn’t require authentication 
      • Because of some bugs in the way it handles memory allocation, you can put stuff where you want to and run your own code 
  • Are there other examples of this in the wild of MFA not being the safety net we thought it would be?
    • There are, and any time you can bypass it, it’s a problem
    • There were some similar issues on FortiGate last year – but this one is a giant blinking red light
  • This is not linked to the Volt Typhoon campaign
    • But that campaign is a Microsoft naming convention 
    • They create weather-related names 
    • That was reported last month on a group that’s hanging around and gaining persistence 
    • But they are saying they haven’t seen this campaign tied to this one
      • Do we know what IOCs they’re looking at?
        • C2 communication
  • What are the mitigations?
    • Shut the service off and patch it
    • There was responsible disclosure from the researchers who found this

No Patch, No Cry

  • We’re going to take a dive into Brian Krebs’ article on Barracuda’s plea to replace affected hardware rather than patching it
  • Who is Barracuda?
    • Folks of a certain age (cough, cough) might recall radio ads for the Barracuda Spam Firewall way back in the late 90s, early 00’s
    • It was an interesting demand generation approach, hitting a consumer audience for what is essentially a B2B sale
    • But they did a great job building awareness. Anyway, they weren’t the first anti-spam product, but they’re one of the most enduring and best-known
    • These appliances sit on or near a network edge and proxy SMTP traffic on its way to the company’s mail servers
    • The Barracuda box applies various kinds of filters and heuristics to determine which messages to keep, which to drop, which to quarantine, etc. 
  • This is a unique case – there have been severe vulnerabilities in security appliances and applications, but they’ve been patchable—even sometimes for products that were long past end-of-life, if the situation was severe enough
  • The attackers have been exploiting the vulnerability since October 2022 – was there just a misstep on the attackers’ part that they were finally discovered in May of this year?
    • We don’t have details—at least not in the reporting that I’ve read—on specifically how Barracuda discovered the malicious activity
    • One thing they did do is that they engaged Mandiant pretty much immediately. That was definitely a good decision
  • Barracuda is saying that the Email Security Gateway (ESG) appliance should be replaced, but no other Barracuda products were impacted. With the drastic measure of physically removing hardware, how can people still trust other solutions aren’t impacted?
    • We think the issue is that it would appear that the firmware in these physical boxes is so completely corrupted that there’s no way to remotely (i.e. via a patch) restore them safely. That’s a different matter for a cloud service
    • But it could also be that for whatever reason, the actors in this case specifically wanted to go after the hardware appliances
  • Nicholas Weaver, a researcher at the International Computer Science Institute, is cited in the article stating that this is not a ransomware actor, it’s a state actor
    • It’s a combination of the high amount of skill involved in pulling off an attack like this, and the fact that the tradecraft is different from a ransomware actor
    • Ransomware gangs want to get in, steal the data, lock up the machines, collect payment, and move on
    • So they don’t care so much about persistence. An espionage-motivated actor has a different set of objectives, and stealthy persistence is high on that list

This Week’s Hoodie/Goodie Scale

Fire in the Wall

[Taylor]: 6.83/10 Hoodies
[Tim]: 5/10 Hoodies

No Patch, No Cry

[Taylor]: 7/10 Hoodies
[Tim]: 7.5/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!