Programmer’s Digest #46
08/23/2023-08/30/2023 Malicious Rust Libraries, Barracuda Email Gateways Vulnerable, Malicious npm Packages Target Roblox And More.
1. Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel
Phylum reported a set of malicious packages uploaded to Rust's crate registry (crates.io) between August 14 and 16, 2023, by a user named "amaperf." The crates, since removed, were postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger; most of the names are one-character or one-separator variations of popular crates (postgres, cfg-if, serde, once_cell, lazy_static, env_logger). Each collected basic OS information and sent it to a Telegram channel, which points to an early reconnaissance stage rather than a finished payload: the likely goal was to identify developer machines to target with more damaging updates later. Developers are attractive targets because their workstations hold signing keys, infrastructure credentials, and source code. The episode echoes earlier supply chain attacks on crates.io such as CrateDepression in 2022. Phylum also flagged an npm package, emails-helper, that exfiltrated data and deployed attack tools over HTTP and DNS. Check a crate's exact name and author before adding it as a dependency; the names above differ from the legitimate crates by a single character or a dropped underscore.
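The names in this campaign are near-misses of popular crates, so a cheap pre-merge check is to compare every dependency name against an allow-list of well-known crates and flag anything that is not an exact match but collapses to the same string once separators are dropped, swaps its hyphenated parts, or sits within one edit of a known name. The following is an added example, not Phylum's tooling or anything from the crates.io project; the allow-list, the Cargo.toml contents and the minimal TOML extraction are all constructed for the demonstration.

```python
import re

# Allow-list of popular crates. Constructed for this example; a real check would
# draw on a much larger list (for instance the top crates by download count).
KNOWN_CRATES = {"serde", "once_cell", "lazy_static", "env_logger", "postgres",
                "cfg-if", "tokio", "rand", "regex"}

# Constructed Cargo.toml mixing the crate names Phylum reported with two
# legitimate dependencies (tokio and rand).
SAMPLE_CARGO_TOML = """
[package]
name = "demo"
version = "0.1.0"

[dependencies]
tokio = { version = "1", features = ["full"] }
postgress = "0.1"
if-cfg = "1.0"
xrvrv = "0.1"
serd = "1.0"
oncecell = "1.0"
lazystatic = "1.0"
envlogger = "0.10"

[dev-dependencies]
rand = "0.8"
"""

def normalize(name):
    """Drop separators and case so once_cell, once-cell and oncecell compare equal."""
    return re.sub(r"[-_]", "", name.lower())

def segments(name):
    """Separator-delimited parts in sorted order, to catch swaps like if-cfg / cfg-if."""
    return tuple(sorted(re.split(r"[-_]", name.lower())))

def edit_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1 (catches serd/serde, postgress/postgres)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def dependencies_from_cargo_toml(text):
    """Minimal extraction of dependency names from [dependencies]-style tables.
    Not a full TOML parser; enough for plain 'name = ...' lines."""
    deps, in_deps = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_deps = line.endswith("dependencies]")
            continue
        m = re.match(r"^([A-Za-z0-9_\-]+)\s*=", line)
        if in_deps and m:
            deps.append(m.group(1))
    return deps

def lookalike_of(dep, known=KNOWN_CRATES, max_distance=1):
    """Return the known crate that `dep` imitates, or None if it is exact or unrelated."""
    if dep in known:
        return None
    for crate in sorted(known):
        if (normalize(dep) == normalize(crate)
                or segments(dep) == segments(crate)
                or edit_distance(normalize(dep), normalize(crate)) <= max_distance):
            return crate
    return None

def audit_cargo_toml(text):
    """Map each suspicious dependency name to the popular crate it resembles."""
    hits = {}
    for dep in dependencies_from_cargo_toml(text):
        crate = lookalike_of(dep)
        if crate is not None:
            hits[dep] = crate
    return hits

if __name__ == "__main__":
    for dep, crate in audit_cargo_toml(SAMPLE_CARGO_TOML).items():
        print(f"{dep!r} looks like {crate!r}")
```

Note what the check does not catch: xrvrv resembles nothing and passes, which is the point of a name check; it raises the cost of typosquatting, it does not replace reviewing what a new dependency actually does at build time.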
2. Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches
The FBI warns that Barracuda Networks Email Security Gateway (ESG) appliances patched against CVE-2023-2868 remain at risk from China-linked intrusion activity, calling the vendor's fixes "ineffective." The flaw, exploited since at least October 2022, is a remote command injection in the appliance's handling of .tar email attachments: file names inside a crafted archive were not validated before being passed to a shell, so an unauthenticated attacker could run commands with the privileges of the ESG product. Versions 5.1.3.001 through 9.2.0.006 are affected. The UNC4841 activity cluster has used it to deploy several malware families, including SALTWATER and SEASIDE, for data exfiltration and persistence. The FBI advises discontinuing use of compromised ESG devices, replacing them, and scanning for traffic to and from the appliance that cannot be accounted for. Barracuda recommends replacement for impacted customers and is providing replacement ESG devices at no cost. An appliance displays a notification in its user interface if Barracuda has identified it as compromised; only a subset of ESG appliances were affected.
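The root cause is the class of bug where attacker-controlled archive member names reach a shell unvalidated. The following added example (not Barracuda's code and not FBI detection guidance) shows the check an attachment scanner should make before any archive member name is handed to a shell-backed tool: reject names containing shell metacharacters or parent-directory components, and treat unparseable archives as quarantine rather than pass. The two sample archives are constructed in memory for the demonstration.

```python
import io
import re
import tarfile

# Characters that have no business in an attachment's member name: shell
# metacharacters (the class of input CVE-2023-2868 failed to validate) plus
# '..' path components.
UNSAFE_NAME = re.compile(r"[`$;|&<>()\n\r\\]|(^|/)\.\.(/|$)")

def unsafe_tar_member_names(data):
    """Return member names in a .tar blob that contain shell metacharacters or
    '..' path components. Returns an empty list for a clean archive; raises
    tarfile.ReadError if the bytes are not a tar archive, which callers should
    treat as 'quarantine', not 'pass'."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if UNSAFE_NAME.search(member.name):
                hits.append(member.name)
    return hits

def build_sample_tar(names):
    """Constructed test input: an in-memory tar holding one empty file per name.
    addfile() is used deliberately so names are stored exactly as given."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()

# Constructed samples: a benign attachment, and one whose member names carry a
# backtick command substitution and a traversal component.
CLEAN_TAR = build_sample_tar(["invoice.pdf", "docs/readme.txt"])
SUSPECT_TAR = build_sample_tar(["invoice.pdf", "report`hostname`.txt", "../etc/motd"])

if __name__ == "__main__":
    print("clean:", unsafe_tar_member_names(CLEAN_TAR))
    print("suspect:", unsafe_tar_member_names(SUSPECT_TAR))
```

The safer design is of course never to build a shell command from a member name at all; the allow-list above is a compensating control for tooling you cannot rewrite, and it only looks at names, not contents.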
3. WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders
CVE-2023-38831 in WinRAR, exploited since April 2023 and fixed in WinRAR 6.23, lets an attacker build an archive in which opening a harmless-looking image or text file instead launches a script. The archive contains a decoy file (for example an image) and a folder with the same name; inside the folder sits a script whose name begins with the decoy's name. When the victim double-clicks the decoy, WinRAR extracts the folder's contents as well and the script runs, with nothing to arouse suspicion. Group-IB discovered the attacks in July through ZIP and RAR archives posted on trading forums such as Forex Station; the archives deliver DarkMe, GuLoader, and Remcos RAT, and 130 traders' devices are known to have been compromised, giving the attackers access to brokerage accounts. The victims span many countries and no single industry. DarkMe is associated with EvilNum and with DarkCasino's 2022 phishing campaign; GuLoader fetches Remcos RAT from a remote server using the same archive technique.
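Because the exploit depends on a recognisable archive layout (a file entry and a directory entry with the same name, with a script inside the directory whose name starts with the decoy's), a mail or download scanner can flag candidate archives before they reach WinRAR. The following is an added example, not Group-IB's detection or anything from the WinRAR project; the script-extension list and the two in-memory ZIPs are constructed for the demonstration, and the same structural check applies to ZIP files regardless of which tool opens them.

```python
import io
import posixpath
import zipfile

# Extensions that would execute rather than open as a document; constructed
# list for this example, extend as needed.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".lnk"}

def cve_2023_38831_candidates(data):
    """Return (decoy, script) pairs for a ZIP whose layout matches the exploit:
    a file entry 'X' plus a directory 'X/' containing an entry whose name starts
    with X's basename and ends in a script extension (e.g. 'X .cmd')."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Some Windows archivers store backslash separators; normalise them.
        names = [n.replace("\\", "/") for n in zf.namelist()]
        files = [n for n in names if not n.endswith("/")]
        # Directory names: explicit 'dir/' entries plus those implied by nested paths,
        # since an attacker need not include an explicit directory entry.
        dirs = {n.rstrip("/") for n in names if n.endswith("/")}
        for n in files:
            parent = posixpath.dirname(n)
            while parent:
                dirs.add(parent)
                parent = posixpath.dirname(parent)
        for decoy in sorted(set(files) & dirs):
            decoy_base = posixpath.basename(decoy)
            for n in files:
                if posixpath.dirname(n) != decoy:
                    continue
                base = posixpath.basename(n)
                ext = posixpath.splitext(base)[1].lower()
                if base.startswith(decoy_base) and ext in SCRIPT_EXTENSIONS:
                    hits.append((decoy, n))
    return hits

def build_sample_zip(entries):
    """Constructed test input: in-memory ZIP built from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples. In EXPLOIT_ZIP the decoy 'chart.jpg' sits beside a folder
# of the same name holding 'chart.jpg .cmd' (note the trailing space), the
# layout described by Group-IB. The script body is a harmless placeholder.
BENIGN_ZIP = build_sample_zip({"chart.jpg": b"\xff\xd8\xff", "notes/readme.txt": b"hi"})
EXPLOIT_ZIP = build_sample_zip({
    "chart.jpg": b"\xff\xd8\xff",
    "chart.jpg/chart.jpg .cmd": b"@echo off\r\nrem placeholder for the real stage\r\n",
})

if __name__ == "__main__":
    print("benign:", cve_2023_38831_candidates(BENIGN_ZIP))
    print("exploit:", cve_2023_38831_candidates(EXPLOIT_ZIP))
```

A file and a directory sharing one name is legal in the ZIP format but almost never occurs in archives produced by normal tools, so the check has a low false-positive rate; it will not, however, see inside nested or password-protected archives.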
4. Thousands of Unpatched Openfire XMPP Servers Still Exposed to High-Severity Flaw
Thousands of Openfire XMPP servers remain exposed to CVE-2023-32315 (CVSS score: 7.5), a path traversal vulnerability in Openfire's administrative console that lets an unauthenticated attacker reach pages reserved for privileged users. It affects every release since version 3.10.0 (April 2015) and was fixed by the developer, Ignite Realtime, in May with versions 4.6.8, 4.7.5, and 4.8.0. Public exploits use the flaw to create an admin user and then upload malicious code as a plugin; VulnCheck described a quieter variant that extracts the JSESSIONID and CSRF token from 'plugin-admin.jsp' and uploads a JAR plugin directly, which avoids the audit log entry that user creation generates and leaves few traces. Active exploitation has been observed, including by the Kinsing cryptomining botnet. Administrators should update to 4.6.8, 4.7.5, or 4.8.0 (or later) and, as a general rule, keep the admin console off the public internet.
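The fix landed on three branches, so "is this server patched?" is not a single version comparison: a 4.6.x server needs 4.6.8, a 4.7.x server needs 4.7.5, and anything else (including older 4.x lines that received no backport) needs 4.8.0. The following added example (not Ignite Realtime's code) turns the advisory's version boundaries into a fleet audit over a constructed "host,version" inventory; the pre-release handling, which treats a "-beta" build of a fixed version as still vulnerable, is an assumption made for the example.

```python
# Version boundaries from the advisory: affected since 3.10.0, fixed in 4.6.8,
# 4.7.5 and 4.8.0 on their respective branches.
FIRST_AFFECTED = (3, 10, 0)
FIXED_BY_BRANCH = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5)}
FIXED_CURRENT = (4, 8, 0)

# Constructed inventory: "host,version" rows as a fleet scan might emit them.
SAMPLE_INVENTORY = """\
xmpp-01.example.internal,4.7.4
xmpp-02.example.internal,4.7.5
xmpp-03.example.internal,4.6.7
xmpp-04.example.internal,4.5.6
xmpp-05.example.internal,3.9.3
xmpp-06.example.internal,4.8.0
xmpp-07.example.internal,4.8.0-beta
"""

def parse_version(text):
    """'4.7.4' -> ((4, 7, 4), False). A trailing qualifier such as '-beta' is
    returned as a pre-release flag (assumption: pre-releases precede the release)."""
    core, _, qualifier = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]), bool(qualifier)

def fix_for(version):
    """Smallest fixed release on the same branch, or 4.8.0 if the branch has none."""
    return FIXED_BY_BRANCH.get(version[:2], FIXED_CURRENT)

def is_vulnerable(text):
    """True if the version string falls inside the affected range.
    Integer tuples are compared so that 3.9.3 < 3.10.0 is handled correctly."""
    version, prerelease = parse_version(text)
    if version < FIRST_AFFECTED:
        return False
    fixed = fix_for(version)
    return version < fixed or (version == fixed and prerelease)

def audit_inventory(csv_text):
    """Return [(host, version, upgrade_to)] for every host still exposed."""
    findings = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        if is_vulnerable(version):
            target = ".".join(map(str, fix_for(parse_version(version)[0])))
            findings.append((host.strip(), version.strip(), target))
    return findings

if __name__ == "__main__":
    for host, version, target in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {version} is vulnerable, upgrade to {target}")
```

The version must come from a trustworthy source (the package manager or the admin console of a host you control); a version banner alone cannot tell you whether the quiet plugin-upload variant has already been used against an exposed server.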
5. Attacks on Citrix NetScaler Systems Linked to Ransomware Actor
A threat actor possibly linked to FIN8 is targeting unpatched Citrix NetScaler systems through CVE-2023-3519 and carrying out domain-wide attacks. Sophos has tracked the activity since August: the actor injects payloads, stages malware on BlueVPS hosting, deploys obfuscated PowerShell scripts, and drops PHP webshells on victims' devices. Similarities to an earlier attack led analysts to connect the two and to assess the actor as ransomware-focused.
CVE-2023-3519 is an actively exploited code injection flaw in Citrix NetScaler ADC and Gateway. Citrix released a patch on July 18, but there was evidence of cybercriminals selling exploits from July 6. Thousands of Citrix servers were later found carrying injected payloads. Sophos tracks the actor as 'STAC4663' and assesses a possible link to FIN8 and the BlackCat/ALPHV ransomware operation. The latest payload, injected into "wuauclt.exe" or "wmiprvse.exe," matches the earlier campaign and points to a ransomware outcome. More than 31,000 vulnerable Citrix instances were still online a month after the patch became available.