Programmer’s Digest #24

03/16/2023-03/23/2023 Rogue NuGet Packages Infect .NET Developers, New ShellBot DDoS Malware Variants, Adobe ColdFusion Vulnerability Exploited in the Wild And More

1. CISA Alerts on Critical Security Vulnerabilities in Industrial Control Systems

CISA has released eight Industrial Control Systems (ICS) advisories, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation. This includes 13 security vulnerabilities in Delta Electronics’ InfraSuite Device Master, a real-time device monitoring software. All versions prior to 1.0.5 are affected by the issues. Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code. At the top of the list is CVE-2023-1133 (CVSS score: 9.8), a critical flaw that arises from the fact that InfraSuite Device Master accepts unverified UDP packets and deserializes the content, thereby allowing an unauthenticated remote attacker to execute arbitrary code.

2. Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware

The NuGet repository is the target of a new “sophisticated and highly-malicious attack” aiming to infect .NET developer systems with cryptocurrency stealer malware. The 13 rogue packages, which were downloaded more than 160,000 times over the past month, have since been taken down. The packages contained a PowerShell script that would execute upon installation and trigger a download of a ‘second stage’ payload, which could be remotely executed. Three of the most downloaded packages – Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API – alone accounted for 166,000 downloads, although it’s also possible that the threat actors artificially inflated the download counts using bots to make them appear more legitimate. The use of Coinbase and Discord underscores the continued reliance on typosquatting techniques, in which fake packages are assigned names that are similar to legitimate packages, in order to trick developers into downloading them.
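The defensive counterpart to the typosquatting technique described above is a dependency audit: compare every package a project pulls in against an approved list and flag names that merely resemble, or borrow the brand of, an approved package. The following is an added example written for this digest, not code from the article or from NuGet. The approved list, the `.csproj` snippet and its version numbers are constructed for illustration; the three suspicious package IDs are the ones named in the article.

```python
"""Audit NuGet PackageReference IDs against an approved list and flag
typosquat-style names (near-matches and brand-prefixed variants)."""
import xml.etree.ElementTree as ET

# Constructed approved list for a hypothetical organisation (assumption, not a
# claim about which NuGet packages are legitimate).
APPROVED = ["Coinbase", "DiscordRichPresence", "Newtonsoft.Json"]

# Constructed SDK-style project file; versions are made up for the example.
SAMPLE_CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Coinbase.Core" Version="1.0.0" />
    <PackageReference Include="DiscordRichPresence.API" Version="2.1.0" />
    <PackageReference Include="Anarchy.Wrapper.Net" Version="0.1.0" />
  </ItemGroup>
</Project>
"""


def extract_package_references(csproj_xml):
    """Return the Include attribute of every PackageReference, in file order."""
    root = ET.fromstring(csproj_xml)
    return [el.attrib["Include"] for el in root.iter("PackageReference")
            if "Include" in el.attrib]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_package(name, approved, max_distance=2):
    """Classify one package ID relative to the approved list.

    Returns (verdict, matched_approved_name_or_None) where verdict is one of:
      approved       exact (case-insensitive, as NuGet IDs are) match
      brand-variant  an approved name used as a leading or trailing segment,
                     e.g. "Coinbase.Core" riding on "Coinbase"
      near-match     within max_distance edits of an approved name
      unknown        no resemblance to anything approved
    """
    n = name.lower()
    approved_by_lower = {a.lower(): a for a in approved}
    if n in approved_by_lower:
        return ("approved", approved_by_lower[n])
    for low, orig in approved_by_lower.items():
        if n.startswith(low + ".") or n.endswith("." + low):
            return ("brand-variant", orig)
    closest = min(approved_by_lower, key=lambda low: levenshtein(n, low))
    if levenshtein(n, closest) <= max_distance:
        return ("near-match", approved_by_lower[closest])
    return ("unknown", None)


def audit_packages(names, approved):
    """Map each package ID to its classification."""
    return {name: classify_package(name, approved) for name in names}


if __name__ == "__main__":
    for pkg, (verdict, match) in audit_packages(
            extract_package_references(SAMPLE_CSPROJ), APPROVED).items():
        print(f"{pkg:28} {verdict:14} {match or ''}")
```

In a CI pipeline the `brand-variant` and `near-match` verdicts are the ones to block pending review; `unknown` is a prompt to add the package to the approved list deliberately rather than by default.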

3. New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

A new cyber attack campaign is targeting poorly managed Linux SSH servers using a malware called ShellBot. This DDoS bot malware is written in Perl and communicates via the IRC protocol. Hackers use scanner malware to identify servers with open SSH port 22 and weak credentials. They then initiate a dictionary attack using a list of known SSH credentials to breach the server and install the ShellBot payload. Once installed, ShellBot communicates with a remote server via the IRC protocol, allowing it to carry out DDoS attacks and exfiltrate data. The attack campaign involves three different ShellBot versions, with the first two offering various DDoS attack commands using the HTTP, TCP, and UDP protocols. The third version, PowerBots, offers backdoor-like capabilities such as granting reverse shell access and uploading arbitrary files from the compromised host. If ShellBot is installed, Linux servers can be used as DDoS bots to attack specific targets after receiving commands from the attackers.
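The intrusion path described above (scan for port 22, then a dictionary attack with known credentials) leaves a distinctive trace in `sshd` logs: a burst of failed logins for several usernames from one source, sometimes followed by an accepted login from the same source. The detector below is an added example written for this digest, not code from the article or from the ShellBot report it summarises. The log lines, IP addresses and timestamps are constructed, and because syslog timestamps carry no year the parser assumes one (2023 by default).

```python
"""Detect SSH dictionary attacks in sshd auth log lines: flag a source IP
with >= threshold failed logins inside a sliding time window, and record
whether an accepted login from that IP followed the burst."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from the article). The first source cycles
# through usernames and finally gets in; the second is a normal user typo.
SAMPLE_AUTH_LOG = """\
Mar 20 10:01:01 host sshd[1201]: Failed password for root from 203.0.113.10 port 51000 ssh2
Mar 20 10:01:02 host sshd[1202]: Failed password for admin from 203.0.113.10 port 51001 ssh2
Mar 20 10:01:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.10 port 51002 ssh2
Mar 20 10:01:04 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.10 port 51003 ssh2
Mar 20 10:01:05 host sshd[1205]: Failed password for ubuntu from 203.0.113.10 port 51004 ssh2
Mar 20 10:01:06 host sshd[1206]: Accepted password for ubuntu from 203.0.113.10 port 51005 ssh2
Mar 20 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 20 10:05:09 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2023):
    """Parse sshd lines into (timestamp, result, user, ip); skip other lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog omits the year; the caller supplies it (assumption: 2023)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_ssh_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "usernames": [...], "accepted_after": user}}
    for every source IP that reached `threshold` failures within `window`."""
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still in window
    findings = {}
    for ts, result, user, ip in sorted(parse_auth_log(text), key=lambda e: e[0]):
        if result == "Failed":
            recent[ip].append((ts, user))
            # drop failures that have aged out of the sliding window
            recent[ip] = [f for f in recent[ip] if ts - f[0] <= window]
            if len(recent[ip]) >= threshold:
                entry = findings.setdefault(ip, {"accepted_after": None})
                entry["failures"] = len(recent[ip])
                entry["usernames"] = sorted({u for _, u in recent[ip]})
        elif ip in findings and findings[ip]["accepted_after"] is None:
            # a success right after a guessing burst is the strongest signal
            # that the dictionary attack worked and the host needs triage
            findings[ip]["accepted_after"] = user
    return findings


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        status = f"LOGIN SUCCEEDED as {info['accepted_after']}" if info["accepted_after"] else "no success seen"
        print(f"{ip}: {info['failures']} failures, users {info['usernames']}, {status}")
```

The single failed attempt from `198.51.100.7` never reaches the threshold, so only the guessing source is reported; on a real host the `accepted_after` field is what turns a noisy brute-force alert into an incident.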

4. CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution. It’s worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, both of which are no longer supported by the software company as they have reached end-of-life (EoL). While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it’s aware of the flaw being “exploited in the wild in very limited attacks.”

5. New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks

A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. Among the methods used to distribute the malware are the exploitation of exposed Hadoop YARN servers and security flaws in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8). The malware, like other DDoS botnets of its kind, is capable of contacting a command-and-control (C2) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.
The findings also come as Microsoft revealed that TCP attacks emerged as the most frequent form of DDoS attack encountered in 2022, accounting for 63% of all attack traffic, followed by UDP floods and amplification attacks (22%), and packet anomaly attacks (15%).

6. NordVPN Open Sources Its Linux VPN Client And Libraries

Nord Security has released the source code of its Linux NordVPN client and networking libraries to increase transparency and address users’ security concerns. As part of this, the company has made its NordVPN MeshNet private tunneling feature free for all users who install its software, even if they do not have a paid subscription. This feature allows users to create private tunnels between other NordVPN users to access the internet through the shared network or access internal devices. NordVPN has released the source code for its Linux applications and two libraries, Libtelio and Libdrop, on its GitHub page, encouraging the coding community to scrutinize and improve its code. The company also offers a bug bounty program, with critical vulnerabilities receiving bounties ranging from $10,000 to $50,000.

7. SAP Releases Security Updates Fixing Five Critical Vulnerabilities

Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks. The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver.
More specifically, the five flaws fixed this time are the following:

  • CVE-2023-23857: Critical severity (CVSS v3: 9.8) information disclosure, data manipulation, and DoS flaw impacting SAP NetWeaver AS for Java, version 7.50. The bug allows an unauthenticated attacker to perform unauthorized operations by attaching to an open interface and accessing services via the directory API.
  • CVE-2023-25616: Critical severity (CVSS v3: 9.9) code injection vulnerability in SAP Business Intelligence Platform, allowing an attacker to access resources only available to privileged users.
  • CVE-2023-27269: Critical severity (CVSS v3: 9.6) directory traversal problem impacting SAP NetWeaver Application Server for ABAP.
  • CVE-2023-27500: Critical severity (CVSS v3: 9.6) directory traversal in SAP NetWeaver AS for ABAP.
  • CVE-2023-25617: Critical severity (CVSS v3: 9.0) command execution vulnerability in SAP Business Objects Business Intelligence Platform, versions 420 and 430.