Programmer’s Digest #53
10/11/2023-10/18/2023 New Admin Takeover Vulnerability, Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software, Malicious NuGet Package And More.
1. New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager
A medium-severity flaw has been discovered in Synology’s DiskStation Manager (DSM) that could be exploited to decipher an administrator’s password and remotely hijack the account. The flaw, assigned the identifier CVE-2023-2729, is rated 5.9 for severity on the CVSS scoring scale. The problem is rooted in the fact that the software uses a weak random number generator that relies on the JavaScript Math.random() method to programmatically construct the admin password for the network-attached storage (NAS) device. Referred to as insecure randomness, it arises when a function that can produce predictable values, or doesn’t have enough entropy, is used as a source of randomness in a security context, enabling an attacker to crack the encryption and defeat the integrity of sensitive information and systems. Successful exploitation of such flaws, therefore, could allow the threat actor to predict the generated password and gain access to otherwise restricted functionality.
2. Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software
Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems. A brief description of the two flaws is as follows –
- CVE-2023-37265 – Incorrect identification of the source IP address, allowing unauthenticated attackers to execute arbitrary commands as root on CasaOS instances
- CVE-2023-37265 – Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs) and access features that require authentication and execute arbitrary commands as root on CasaOS instances.
A consequence of successful exploitation of the aforementioned flaws could allow attackers to get around authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.
3. Experts Warn of Severe Flaws Affecting Milesight Routers and Titan SFTP Servers
A severe flaw in Milesight industrial cellular routers, tracked as CVE-2023-43261 with a CVSS score of 7.5, has been discovered and may have been exploited in real-world attacks. The vulnerability, which affects several router models, allows unauthorized access to sensitive information, including credentials, and could let an attacker configure VPN servers and remove firewall protection. Evidence suggests that the flaw has been used on a small scale in the wild, with the attacker successfully authenticating on some systems using credentials extracted from httpd.log. Around 5% of internet-exposed Milesight routers are vulnerable to this issue. The advice is to assume all credentials have been compromised and generate new ones, and to ensure no router interfaces are reachable from the internet.
4. Malicious NuGet Package Targeting .NET Developers with SeroXen RAT
A malicious NuGet package, mimicking a legitimate one, has been discovered delivering the SeroXen RAT. While the genuine package had nearly 79,000 downloads, the malicious version artificially inflated its download count to over 100,000. The threat actor published six other packages, four of which posed as crypto service libraries for Kraken, KuCoin, Solana, and Monero but actually deployed SeroXen RAT. The attack runs during package installation through a PowerShell script that abuses deprecated NuGet install-script behavior to execute arbitrary commands. SeroXen RAT, sold for $60, is a fileless RAT combining the functions of Quasar RAT, the r77 rootkit, and NirCmd. The discovery highlights how attackers exploit open-source package ecosystems.
5. Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits
In its October 2023 Patch Tuesday updates, Microsoft addressed 103 software vulnerabilities, including 13 Critical and 90 Important flaws, along with 18 in its Chromium-based Edge browser since September. Two zero-day vulnerabilities are of particular concern:
- CVE-2023-36563 (CVSS score: 6.5) – An information disclosure flaw in Microsoft WordPad, potentially leaking NTLM hashes.
- CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could expose sensitive data, such as IP addresses and port numbers, granting access to internal networks.
Additionally, multiple vulnerabilities affecting Microsoft Message Queuing and Layer 2 Tunneling Protocol were fixed, which could lead to remote code execution and denial-of-service. A privilege escalation bug in Windows IIS Server (CVE-2023-36434) was addressed. An update for CVE-2023-44487 was released to mitigate HTTP/2 Rapid Reset attacks. Microsoft also deprecated Visual Basic Script, which has been exploited for malware distribution, and it will be removed from future Windows releases.
6. ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers
Threat actors behind ShellBot are infiltrating poorly managed Linux SSH servers using hexadecimal IP addresses. They have altered their method of deploying ShellBot from a regular IP address to a hexadecimal value, aiming to avoid URL-based detection. ShellBot, also known as PerlBot, exploits servers with weak SSH credentials through dictionary attacks, serving as a conduit for DDoS attacks and cryptocurrency miners. The malware communicates with a command-and-control (C2) server via the IRC protocol. This change indicates ShellBot’s continued use for Linux system attacks. To counter this, users are advised to employ strong, regularly changed passwords to resist brute-force and dictionary attacks. Additionally, attackers are using abnormal certificates with exceptionally long strings in an attempt to distribute information-stealing malware. These malicious pages, often linked to illegal software, pose a threat to a wide range of users.