Programmer’s Digest #43

08/02/2023-08/09/2023 Citrix NetScaler ADC and Gateway Servers Hacked, Microsoft Releases Patches for 74 New Vulnerabilities, New SkidMap Linux Malware Variant And More.

1. Microsoft Releases Patches for 74 New Vulnerabilities in August Update

Microsoft has addressed 74 software flaws in its August 2023 Patch Tuesday, down from 132 last month. The update includes six Critical, 67 Important, and one Moderate severity vulnerabilities. Also released are defense-in-depth updates for Microsoft Office and the Memory Integrity System Readiness Scan Tool. Notably, the update addresses CVE-2023-36884, an actively exploited remote code execution flaw used by the RomCom threat actor in attacks on Ukraine and pro-Ukraine targets. Additionally, Microsoft patched remote code execution and spoofing vulnerabilities in various services, including Microsoft Message Queuing, Microsoft Teams, and Azure components. The update also covers denial-of-service and information disclosure flaws, alongside Exchange Server vulnerabilities that require an adjacent attack vector for exploitation.

2. Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining

Malicious actors are exploiting exposed Kubernetes (K8s) clusters for crypto mining and backdoor deployment. Cloud security firm Aqua’s report reveals these attacks, primarily targeting small to medium-sized organizations and some larger companies in finance, aerospace, and more. Over 350 Kubernetes clusters were found, with 60% hit by active crypto mining. Misconfigurations, like granting anonymous users high privileges and improper kubectl proxy settings, allow unauthorized access. These clusters can hold sensitive data, making them enticing targets. Security researchers identified ongoing campaigns, including Dero cryptojacking, RBAC Buster, and TeamTNT’s Silentbob. Despite the risk, these misconfigurations persist, underlining a broader gap in Kubernetes security understanding and management.
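The anonymous-privilege misconfiguration above is visible in a cluster's ClusterRoleBindings. The script below is an added example, not part of the digest or of Aqua's report: it audits the JSON shape that `kubectl get clusterrolebindings -o json` produces and flags any binding whose subjects include `system:anonymous` or `system:unauthenticated`, rating it critical when the bound role is one of a small high-privilege set. The bindings in `SAMPLE_BINDINGS` are constructed for the example (the `system:public-info-viewer` binding mirrors a read-only default that ships with Kubernetes; `anon-admin` is the constructed bad case), and `HIGH_PRIVILEGE_ROLES` is an assumption a defender would extend with their own roles.

```python
"""Audit Kubernetes ClusterRoleBindings for privileges granted to anonymous
or unauthenticated subjects (added example; sample data is constructed)."""
import json

# Subjects that represent API requests carrying no valid credentials.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}

# Roles that effectively hand over the cluster. Assumption: extend this set
# with your own high-privilege ClusterRoles.
HIGH_PRIVILEGE_ROLES = {"cluster-admin", "admin", "edit"}

# Constructed stand-in for `kubectl get clusterrolebindings -o json`.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {   # Read-only discovery binding; unauthenticated access here is expected.
            "metadata": {"name": "system:public-info-viewer"},
            "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
            "subjects": [
                {"kind": "Group", "name": "system:authenticated"},
                {"kind": "Group", "name": "system:unauthenticated"},
            ],
        },
        {   # Misconfiguration: cluster-admin for anyone who can reach the API server.
            "metadata": {"name": "anon-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "User", "name": "system:anonymous"}],
        },
        {   # Ordinary binding for an authenticated team; not reported.
            "metadata": {"name": "platform-team-edit"},
            "roleRef": {"kind": "ClusterRole", "name": "edit"},
            "subjects": [{"kind": "Group", "name": "platform-team"}],
        },
    ],
})


def find_anonymous_grants(bindings_json: str) -> list[dict]:
    """Return one finding per binding that grants anything to anonymous or
    unauthenticated subjects, rated critical if the role is high privilege."""
    doc = json.loads(bindings_json)
    findings = []
    for item in doc.get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        # "subjects" may be absent or null on a binding, hence the `or []`.
        anon = sorted(
            s.get("name", "")
            for s in item.get("subjects") or []
            if s.get("name") in ANONYMOUS_SUBJECTS
        )
        if not anon:
            continue
        findings.append({
            "binding": item["metadata"]["name"],
            "role": role,
            "subjects": anon,
            "severity": "critical" if role in HIGH_PRIVILEGE_ROLES else "review",
        })
    return findings


def critical_bindings(bindings_json: str) -> list[str]:
    """Names of bindings that give anonymous subjects a high-privilege role."""
    return [f["binding"] for f in find_anonymous_grants(bindings_json)
            if f["severity"] == "critical"]


if __name__ == "__main__":
    for f in find_anonymous_grants(SAMPLE_BINDINGS):
        print(f"[{f['severity']}] {f['binding']}: {f['role']} -> {', '.join(f['subjects'])}")
```

To run it against a live cluster, replace `SAMPLE_BINDINGS` with the output of `kubectl get clusterrolebindings -o json` (for example read from standard input); RoleBindings inside individual namespaces deserve the same check. The kubectl proxy setting the item mentions is the related case: `kubectl proxy` listens on localhost by default, and widening it with `--address` and `--accept-hosts` exposes the API server with the proxy's own credentials to anyone who can reach that port.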

3. New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers

Vulnerable Redis services are under attack by an evolved variant of the SkidMap malware, targeting various Linux distributions including Alibaba, CentOS, RedHat, and more. The malware adapts to the system it infects, making detection difficult. Originally a crypto mining botnet, SkidMap deploys kernel modules to obscure its actions, conceals its C2 IP address in the Bitcoin blockchain, and fetches real-time data for rapid pivoting. Trustwave details the latest attack chain, which begins with breaching Redis servers to distribute an ELF binary posing as a GIF image. This binary adds SSH keys, establishes reverse shells, downloads distribution-specific packages, deploys rootkits, and launches a botnet for further attacks. Because of the malware’s sophistication, an infection is often noticeable only through increased fan activity or case temperature.

4. Researchers Uncover New High-Severity Vulnerability in PaperCut Software

A significant security flaw (CVE-2023-39143, CVSS score: 8.4) has been found in PaperCut print management software for Windows. It can lead to remote code execution when combined with path traversal and file upload vulnerabilities. The flaw affects PaperCut NG/MF versions earlier than 22.1.3. Attackers, particularly when the external device integration setting is enabled, could upload files and execute code. This exploit is more intricate than previous vulnerabilities (CVE-2023-27350) and doesn’t demand prior privileges. Iranian state actors have been involved in exploiting related vulnerabilities. PaperCut version 22.1.3 also fixes another flaw allowing unauthorized file uploads and potential denial-of-service (CVE-2023-3486, CVSS score: 7.4).

5. Malicious npm Packages Found Exfiltrating Sensitive Data from Developers

Researchers have identified malicious npm packages aimed at extracting sensitive developer information. Software supply chain company Phylum discovered these “test” packages on the npm registry and noted they were quickly removed and re-uploaded under different names. Although the motive behind this campaign isn’t fully clear, the references to modules like “rocketrefer” and “binarium” suggest a possible focus on the cryptocurrency sector. Published by the npm user “malikrukd4732,” these modules execute JavaScript code to exfiltrate data to a remote server during installation. This approach allows for potential theft of credentials and intellectual property. This incident joins the growing trend of open-source repositories being used to propagate malicious code.
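The modules in this item ran their payload at installation time, which npm permits through the lifecycle scripts a package declares in its own package.json (`preinstall`, `install`, `postinstall`, `prepare`). The script below is an added example, not Phylum's tooling or anything from the original report: it walks a set of package manifests and lists every dependency that declares such a hook, so the command can be reviewed before the package is trusted. The manifests in `SAMPLE_TREE` and their package names are constructed; `load_tree` is the helper that would read a real `node_modules` directory.

```python
"""Report npm dependencies that declare install-time lifecycle scripts
(added example; package names and manifests below are constructed)."""
import json
import os

# npm lifecycle events that run automatically while a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed manifests keyed by the path they would have under node_modules.
SAMPLE_TREE = {
    "node_modules/left-pad-ish/package.json": json.dumps({
        "name": "left-pad-ish", "version": "1.0.0",
        "scripts": {"test": "node test.js"},            # no install hook
    }),
    "node_modules/native-addon-ish/package.json": json.dumps({
        "name": "native-addon-ish", "version": "2.3.1",
        "scripts": {"install": "node-gyp rebuild"},     # legitimate native build
    }),
    "node_modules/example-test-pkg/package.json": json.dumps({
        "name": "example-test-pkg", "version": "0.0.3",
        "scripts": {"postinstall": "node index.js"},    # runs arbitrary JS on install
    }),
}


def install_hooks(manifest_text: str) -> dict:
    """Parse one package.json and return the install-time hooks it declares."""
    data = json.loads(manifest_text)
    scripts = data.get("scripts") or {}
    return {
        "name": data.get("name", "<unnamed>"),
        "version": data.get("version", "?"),
        "hooks": {k: v for k, v in scripts.items() if k in INSTALL_HOOKS},
    }


def packages_with_hooks(tree: dict) -> list[dict]:
    """Scan a {path: manifest_text} mapping; keep packages that declare hooks."""
    hits = []
    for path in sorted(tree):
        info = install_hooks(tree[path])
        if info["hooks"]:
            info["path"] = path
            hits.append(info)
    return hits


def load_tree(root: str) -> dict:
    """Build the {path: manifest_text} mapping from a real node_modules tree."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                tree[path] = fh.read()
    return tree


if __name__ == "__main__":
    for hit in packages_with_hooks(SAMPLE_TREE):
        for hook, cmd in hit["hooks"].items():
            print(f"{hit['name']}@{hit['version']} {hook}: {cmd}")
```

Point `load_tree` at a project's `node_modules` to audit real dependencies. The listing does not decide which hooks are malicious (a native add-on's `install` step is normal), but it gives reviewers the short list worth reading; installing with `npm install --ignore-scripts`, or setting `ignore-scripts=true` in `.npmrc`, prevents any of these hooks from running on developer machines and CI runners until they have been reviewed.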

6. Hundreds of Citrix NetScaler ADC and Gateway Servers Hacked in Major Cyber Attack

Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation. The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. The flaw, patched by Citrix last month, carries a CVSS score of 9.8. The exploitation of CVE-2023-3519 to deploy web shells was previously disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which said the attack was directed against an unnamed critical infrastructure organization in June 2023. The disclosure comes as GreyNoise said it detected three IP addresses attempting to exploit CVE-2023-24489 (CVSS score: 9.1), another critical flaw in Citrix ShareFile software that allows for unauthenticated arbitrary file upload and remote code execution. The issue has been addressed in ShareFile storage zones controller version 5.11.24 and later. The Shadowserver Foundation, in an update, said it identified close to 7,000 vulnerable, unpatched NetScaler ADC and Gateway instances online and that CVE-2023-3519 is being exploited to drop PHP web shells on vulnerable servers for remote access.