Programmer’s Digest #45
08/16/2023-08/23/2023 Critical Adobe ColdFusion Flaw, Malicious npm Packages, Critical Zero-Day Flaw Being Actively Exploited And More.
1. Over a Dozen Malicious npm Packages Target Roblox Game Developers
More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber. The malicious packages [...] reproduce code from the legitimate noblox.js package but add malicious, information-stealing functions.
The packages were cumulatively downloaded 963 times before they were taken down. The names of the rogue packages are as follows:
- noblox.js-vps (versions 4.14.0 to 4.23.0)
- noblox.js-ssh (versions 4.2.3 to 4.2.5)
- noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)
This is not the first time Luna Token Grabber has been spotted in the wild. Earlier this June, Trellix disclosed details of a new Go-based information stealer called Skuld that overlaps with the malware strain.
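As an added defensive check (not code from the digest or from any of the cited reports), the script below scans an npm lockfile-style dependency map for the three rogue package names and the affected version ranges listed above; the lockfile contents are constructed for illustration.

```javascript
// Rogue look-alike packages and affected versions, as listed in the digest above.
const ROGUE_PACKAGES = {
  "noblox.js-vps":    [["4.14.0", "4.23.0"]],
  "noblox.js-ssh":    [["4.2.3", "4.2.5"]],
  "noblox.js-secure": [["4.1.0", "4.1.0"], ["4.2.0", "4.2.3"]],
};

// Compare two "major.minor.patch" strings numerically (no semver dependency needed).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Inclusive range check: low <= version <= high.
function inRange(version, [low, high]) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// lockfile shape assumed here: { packages: { "node_modules/<name>": { version } } },
// i.e. the npm lockfile v2/v3 "packages" map; nested "node_modules/a/node_modules/b" paths are handled.
function findRoguePackages(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    const ranges = ROGUE_PACKAGES[name];
    if (!ranges || !meta.version) continue;
    if (ranges.some((r) => inRange(meta.version, r))) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile: the legitimate noblox.js, one rogue package in an
// affected version, and one rogue name at a version outside the listed ranges.
const sampleLock = {
  packages: {
    "node_modules/noblox.js": { version: "4.15.0" },
    "node_modules/noblox.js-vps": { version: "4.20.1" },
    "node_modules/some-lib/node_modules/noblox.js-secure": { version: "4.0.9" },
  },
};

console.log(findRoguePackages(sampleLock));
```

Run it against a real `package-lock.json` by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any hit means the dependency should be removed and the affected machine treated as compromised.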
2. Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software
Software services provider Ivanti has issued a warning about a critical zero-day vulnerability affecting Ivanti Sentry (formerly MobileIron Sentry), currently being exploited in the wild. Tracked as CVE-2023-38035, the flaw allows unauthenticated access to sensitive APIs, enabling unauthorized users to change configurations, execute system commands, and write files onto the system. Although the vulnerability has a high CVSS score of 9.8, the risk of exploitation is low for clients not exposing port 8443 to the internet. Mnemonic, a Norwegian cybersecurity firm, discovered and reported the flaw, which can be weaponized in conjunction with other recently disclosed vulnerabilities if port 8443 is inaccessible. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog.
3. Critical Adobe ColdFusion Flaw Added to CISA’s Exploited Vulnerability Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier) that could result in arbitrary code execution in the context of the current user without requiring any interaction. Deserialization refers to the process of reconstructing a data structure or an object from a byte stream. When it is performed without validating the source of the data or sanitizing its contents, it can lead to unexpected consequences such as code execution or denial-of-service (DoS). Adobe patched the flaw as part of updates issued in March 2023. As of writing, it is not immediately clear how the flaw is being abused in the wild.
4. New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC
A significant security flaw in WinRAR has been revealed, allowing potential remote code execution on Windows systems. Tracked as CVE-2023-40477 with a CVSS score of 7.8, the vulnerability arises from improper validation when processing recovery volumes. This could lead to memory access beyond allocated buffers, permitting an attacker to execute code within the current process. Exploiting the flaw requires user interaction: the target must be lured to a malicious page or into opening a malicious archive file. Discovered by security researcher “goodbyeselene” on June 8, 2023, the issue was resolved in WinRAR 6.23, released on August 2, 2023. Users should update to the latest version to mitigate potential risks.
5. New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities
A new financially-driven operation named LABRAT has exploited a patched critical vulnerability in GitLab for cryptojacking and proxyjacking. This campaign employs stealthy cross-platform malware, kernel-based rootkits, and legitimate services like TryCloudflare to obfuscate its presence. The attackers also use compiled binaries in Go and .NET to remain hidden while providing backdoor access to compromised systems, potentially leading to further attacks, data theft, and ransomware. The attack chain exploits CVE-2021-22205 for remote code execution, followed by retrieving a dropper shell script from a C2 server. The attackers utilize TryCloudflare and a Solr server for covert communication and privilege escalation. Payloads include utilities for remote access and cryptojacking, all aimed at financial gain. GitLab has patched the vulnerability, urging affected users to follow security protocols.
6. CISA Adds Citrix ShareFile Flaw to KEV Catalog Due to In-the-Wild Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active in-the-wild exploitation. Tracked as CVE-2023-24489 (CVSS score: 9.8), the shortcoming has been described as an improper access control bug that, if successfully exploited, could allow an unauthenticated attacker to compromise vulnerable instances remotely. The problem is rooted in ShareFile’s handling of cryptographic operations, enabling adversaries to upload arbitrary files, resulting in remote code execution. This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24. Citrix said the incident affected less than 3% of its install base (2,800 customers) and that no data theft was observed.