Security Advisory for the week ending May 19, 2023

Situation:
According to FBI observed information, malicious actors exploited CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, also according to FBI information, a group self-identifying as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers against the Education Facilities Subsector.

Problem:
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control.

Implication:
An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM.

Need:
Upgrade PaperCut to the latest version.
If unable to immediately patch, ensure vulnerable PaperCut servers are not accessible over the internet and implement one of the following network controls:
Option 1: External controls: Block all inbound traffic from external IP addresses to the web management portal (port 9191 and 9192 by default).
Option 2: Internal and external controls: Block all traffic inbound to the web management portal. Note: The server cannot be managed remotely after this step.

Additional Resources:

CISA Write-Up: (link)

Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG: (link)

NIST NVD: (link)

Situation:
Palo Alto Networks has published two new Security Advisories regarding CVE-2023-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface and CVE-2023-0008 PAN-OS: Local File Disclosure Vulnerability in the PAN-OS Web Interface

Problem:
CVE-2023-0007 PAN-OS: A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software on Panorama appliances enables an authenticated read-write administrator to store a JavaScript payload in the web interface that will execute in the context of another administrator’s browser when viewed.

CVE-2023-0008 PAN-OS: A file disclosure vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to export local files from the firewall through a race condition.

Implication:
An attacker could exploit these vulnerabilities and cause harm to a companies network infrastructure

Need:
These issues require the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of the issues by following best practices for securing the PAN-OS web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation below in Best Practices.

Additional Resources:

Palo Alto Networks Security Advisories (link)

CVE-2023-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface (link)

CVE-2023-0008 PAN-OS: Local File Disclosure Vulnerability in the PAN-OS Web Interface (link)

Best Practices (link)

Situation:
Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

Problem:
Microsoft has found multipe vulnerabilities in their software.

Implication:
An attacker can exploit some of these vulnerabilities to take control of an affected system.

Need:
CISA encourages users and administrators to review Microsoft’s May 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Additional Resources:

May 2023 Security Updates – Release Notes – Security Update Guide – Microsoft (link)

Deployment information (link)

Microsoft Releases May 2023 Security Updates (link)

Situation:
Mozilla has released security advisories to address the recent vulnerabilities released on May 9th, 2023 regarding vulnerabilities for Firefox and Firefox ESR.

Problem:
Mozilla has addressed that Firefox and Firefox ESR have vulnerabilities regarding to:

• Browser prompts are obscured by popups
• Crashes in the RLBox Expat driver
• Permission requests bypassed by clickjacking
• Leak of script base URLs in service workers when importing
• Persistent DoS by favicon image
• Content process crash due to invalid wasm code
• Memory safety bugs due to memory corruption

Implication:
These vulnerabilities can be exploited by threat actors that can harm your devices and networks.

Need:
We encourage everyone to review these advisories and apply the necessary updates to address these security vulnerabilities.

Additional Resources:

Mozilla Releases Security Advisories for Multiple Products: (link)

Mozilla Foundation Security Advisory 2023-16: (link)

Mozilla Foundation Security Advisory 2023-17: (link)

Mozilla Foundation Security Advisories: (link)

Situation:
CISA and partners released a joint advisory for a sophisticated cyber espionage tool “Snake Malware” used by Russian cyber actors.

Problem:
We consider Snake to be the most sophisticated cyber espionage tool in the Russia’s Federal Security Service (FSB) arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.

The Snake infrastructure has been identified in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature.

Implication:
Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) country.

The FSB typically deploys Snake to external-facing infrastructure nodes on a network, and from there uses other tools and TTPs on the internal network to conduct additional exploitation operations. Upon gaining and cementing ingress into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. A wide array of mechanisms has been employed to gather user and administrator credentials in order to expand laterally across the network, to include keyloggers, network sniffers, and open source tools.

Typically, after FSB operators map out a network and obtain administrator credentials for various domains in the network, regular collection operations begin. In most instances with Snake, further heavyweight implants are not deployed, and they rely on credentials and lightweight remote-access tools internally within a network. FSB operators sometimes deploy a small remote reverse shell along with Snake to enable interactive operations. This triggerable reverse shell, which the FSB has used for around 20 years, can be used as a backup access vector, or to maintain a minimal presence in a network and avoid detection while moving laterally.

Need:
We urge organizations to review the advisory for more information and apply the recommended mitigations and detection guidance. For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.

Additional Resources:

Snake Malware overview including technical information and mitigation recommendations: (link)

Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure. (link)

Russia Cyber Threat Overview and Advisories (link)

Situation:
CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details.

Problem:
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.

Implication:
FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.

Need:
Actions to take today to mitigate cyber threats from BianLian ransomware and data extortion:
• Strictly limit the use of RDP and other remote desktop services.
• Disable command-line and scripting activities and permissions.
• Restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version.

Additional Resources:

CISA and Partners Release BianLian Ransomware Cybersecurity Advisory: (link)
#StopRansomware: BianLian Ransomware Group: (link)
Visit https://www.cisa.gov/stopransomware to see all #StopRansomware advisories and learn more about other ransomware threats and no-cost resources.