• Ivanti Releases Security Updates for EPMM to address CVE-2023-35081
• Macs under attacks from password-stealing malware — how to stay safe
• Apple Releases Security Updates for Multiple Products
• CISA Releases Malware Analysis Reports on Barracuda Backdoors
_______________________________________________
Ivanti Releases Security Updates for EPMM to address CVE-2023-35081
Situation:
Ivanti has identified and released patches for a directory traversal vulnerability (CVE-2023-35081, CWE-22) in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. This vulnerability affects supported EPMM versions 11.10, 11.9, and 11.8. Older, unsupported versions are also affected.
Problem:
This vulnerability allows an attacker with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. To gain EPMM administrator privileges, the attacker could exploit CVE-2023-35078 on an unpatched system.
Implication:
Chained together, the two flaws give an unauthenticated remote attacker full control of EPMM through 11.10: the authentication bypass (CVE-2023-35078) lets them obtain PII, add an administrative account, and change the configuration, and the arbitrary file write (CVE-2023-35081) then lets them upload and execute a file, for example, a web shell.
Need:
CISA urges users and organizations to patch both CVE-2023-35081 and CVE-2023-35078. Patches for CVE-2023-35081 also include patches for CVE-2023-35078.
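The weakness class behind CVE-2023-35081 (CWE-22, a path traversal that becomes an arbitrary file write) is shown below as an added, constructed Python example. It is not Ivanti's code and says nothing about how EPMM itself handles paths; the directory layout, the file names and the `naive_is_clean` filter are all assumptions made for the demo. It puts a file-save handler that trusts a caller-supplied name beside the canonicalize-and-confine check that closes the hole, and shows why a substring blocklist is not that check.

```python
"""CWE-22 illustration: an unsafe file-save handler beside a hardened one.
Constructed demo; not Ivanti's code and not a description of EPMM."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def naive_is_clean(filename: str) -> bool:
    """A blocklist check that looks sufficient and is not: it inspects the
    raw string, so an encoded '..%2f' passes and only becomes '../' when a
    later layer URL-decodes it."""
    return "../" not in filename and not filename.startswith("/")


def unsafe_target(root: Path, filename: str) -> Path:
    """Vulnerable pattern: join and go. '..' segments climb out of root, and
    an absolute filename replaces root entirely (pathlib join semantics)."""
    return (root / filename).resolve()


def safe_target(root: Path, filename: str) -> Path:
    """Hardened pattern: canonicalize the candidate (collapsing '..' and
    following symlinks) and require that it lie strictly under the
    canonical root. Absolute names, traversal and symlink escapes all fail
    the same single test, whatever encoding tricks preceded it."""
    root = root.resolve()
    candidate = (root / filename).resolve()
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"refusing path outside upload root: {filename!r}")
    return candidate


def save_safe(root: Path, filename: str, data: bytes) -> Path:
    """Write only after the confinement check has passed."""
    target = safe_target(root, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Exercise both handlers against a throw-away directory tree and report
    which hostile names each one stops. Nothing outside the temp dir is
    written: the absolute-path case is only computed, never saved."""
    base = Path(tempfile.mkdtemp(prefix="cwe22_demo_")).resolve()
    root = base / "uploads"
    root.mkdir()
    (base / "outside").mkdir()
    # A symlink inside the upload root that points outside it (constructed).
    os.symlink(base / "outside", root / "link")

    results = {}

    # 1. Plain traversal: the unsafe join lands one level above root.
    climbed = unsafe_target(root, "../escaped.jsp")
    results["unsafe_traversal_escapes"] = root not in climbed.parents
    results["naive_filter_catches_plain"] = not naive_is_clean("../escaped.jsp")

    # 2. Encoded traversal: the naive filter passes the raw string, the
    #    framework decodes it afterwards, and the join escapes just the same.
    encoded = "..%2fescaped.jsp"
    results["naive_filter_passes_encoded"] = naive_is_clean(encoded)
    results["unsafe_encoded_escapes"] = (
        root not in unsafe_target(root, unquote(encoded)).parents
    )

    # 3. Absolute name: pathlib discards root altogether.
    results["unsafe_absolute_replaces_root"] = (
        unsafe_target(root, "/etc/passwd") == Path("/etc/passwd")
    )

    # 4. The hardened check rejects every one of those, plus a symlink
    #    escape and an empty name that would resolve to the root itself.
    hostile = ["../escaped.jsp", unquote(encoded), "/etc/passwd", "link/evil.jsp", ""]
    rejected = []
    for name in hostile:
        try:
            safe_target(root, name)
        except ValueError:
            rejected.append(name)
    results["safe_rejects_all"] = rejected == hostile

    # 5. ...and still accepts a legitimate nested name.
    written = save_safe(root, "reports/q3.pdf", b"%PDF-1.4 constructed sample")
    results["safe_accepts_legit"] = (
        written == root / "reports" / "q3.pdf"
        and written.read_bytes().startswith(b"%PDF")
    )
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32s} {'ok' if ok else 'FAIL'}")
```

The design point is the order of operations: decode and normalize first, compare the resolved path against the resolved root last, and never rely on rejecting substrings of the raw input. Any handler whose only defence is a blocklist like `naive_is_clean` is one encoding layer away from the write-anywhere primitive described above.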
Additional Resources:
Ivanti Releases Security Updates for EPMM to address CVE-2023-35081:
https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081
Ivanti Releases Security Updates for Endpoint Manager Mobile (EPMM) CVE-2023-35078:
https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078
CVE-2023-35081 – Remote Arbitrary File Write:
https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US
CVE-2023-35078 Detail:
https://nvd.nist.gov/vuln/detail/CVE-2023-35078
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’):
https://cwe.mitre.org/data/definitions/22.html
________________________________________
Macs under attacks from password-stealing malware — how to stay safe
Situation:
Tom’s Guide has published an article on a new Mac malware campaign and how to protect against it.
Problem:
Hackers have launched a massive campaign that uses new Mac malware named “Realst” to target vulnerable Apple computers.
Implication:
Although there are 16 different variants of the Realst malware, they all target popular browsers (Firefox, Chrome, Opera, Brave and Vivaldi) and the Telegram app. Realst can steal passwords, cookies and other sensitive data stored in a user’s browser, and it also goes after any passwords saved in Apple Keychain, Apple’s own password manager.
Need:
Realst is currently being spread through sketchy games downloaded from the web, so avoid those. Once other cybercriminals begin deploying Realst in their own attacks, the lures could change.
For this reason, be extremely careful when installing any new program on your Mac. You are better off getting new programs from Apple’s App Store than downloading and installing them manually from wherever you happen to find them.
Additional Resources:
Macs under attack from password-stealing malware — how to stay safe
https://www.tomsguide.com/news/macs-under-attacks-from-password-stealing-malware-how-to-stay-safe
________________________________________
Apple Releases Security Updates for Multiple Products
Situation:
Apple has released security updates to address vulnerabilities in multiple products.
CISA encourages users and administrators to review the following advisories and apply the necessary updates.
- iOS 16.6 and iPadOS 16.6
- iOS 15.7.8 and iPadOS 15.7.8
- macOS Ventura 13.5
- macOS Monterey 12.6.8
- macOS Big Sur 11.7.9
- Safari 16.6
- tvOS 16.6
- watchOS 9.6
Problem:
Devices running out-of-date versions of these Apple operating systems remain exposed to the vulnerabilities fixed in this release.
Implication:
An attacker could exploit some of these vulnerabilities to take control of an affected device.
Need:
Update affected devices to the versions listed above so that these vulnerabilities cannot be used to take control of them.
Additional Resources:
Apple Releases Security Updates for Multiple Products:
https://www.cisa.gov/news-events/alerts/2023/07/25/apple-releases-security-updates-multiple-products
_________________________________________
CISA Releases Malware Analysis Reports on Barracuda Backdoors
Situation:
CISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868, a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) appliances, versions 5.1.3.001 through 9.2.0.006.
Problem:
The vulnerability was exploited as a zero-day as early as October 2022 to gain access to ESG appliances.
Implication:
According to industry reporting, the actors exploited the vulnerability to gain initial access to victim systems and then implanted backdoors to establish and maintain persistence.
Need:
Use the Malware Analysis Reports listed under Additional Resources, which provide indicators of compromise and YARA rules for the exploit payload and for the SEASPY and SUBMARINE backdoors, to hunt for these implants on ESG appliances, and remediate any malicious activity you find.
Additional Resources:
CISA Releases Malware Analysis Reports on Barracuda Backdoors:
https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors
MAR-10454006-r3.v1 Exploit Payload Backdoor:
https://www.cisa.gov/news-events/analysis-reports/ar23-209c
MAR-10454006-r2.v1 SEASPY Backdoor:
https://www.cisa.gov/news-events/analysis-reports/ar23-209b
MAR-10454006-r1.v2 SUBMARINE Backdoor:
https://www.cisa.gov/news-events/analysis-reports/ar23-209a