
Programmer’s Digest #46

08/23/2023-08/30/2023 Malicious Rust Libraries, Barracuda Email Gateways Vulnerable, Malicious npm Packages Target Roblox And More.

1. Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel

Malicious packages were found on Rust’s crate registry, uploaded from August 14 to 16, 2023, by user “amaperf,” according to Phylum. The removed packages included postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. These modules collected OS info and sent it to a Telegram channel, suggesting an early-stage intrusion. The attacker likely sought to compromise developer machines for future rogue updates. Developers are prime targets due to their access to keys, infrastructure, and IP. This echoes past supply chain attacks on crates.io, like CrateDepression in 2022. Phylum also revealed an npm package, emails-helper, exfiltrating data and deploying attack tools via HTTP and DNS. Vigilance when installing third-party packages is crucial.

2. Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches

The FBI warns that despite patches, Barracuda Networks Email Security Gateway (ESG) appliances remain vulnerable to Chinese hacking groups, calling the fixes “ineffective.” The CVE-2023-2868 flaw, exploited since October 2022, allows unauthorized admin-level command execution in ESG 5.1.3.001 to 9.2.0.006. The China-linked UNC4841 activity cluster uses this breach to deploy multiple malware types such as SALTWATER and SEASIDE, enabling data exfiltration and persistence. The FBI advises replacing compromised ESG devices and scanning for suspicious traffic. Barracuda recommends that impacted customers replace their devices and is providing replacement ESG appliances at no cost. Devices showing the compromise notification are considered compromised, but only a subset of ESG appliances were impacted.

3. WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders

The WinRAR flaw, CVE-2023-38831, exploited since April 2023, lets attackers trick users into running malicious scripts disguised as image or text files within archives. Group-IB discovered attacks in July via manipulated ZIP/RAR files on trading forums like Forex Station. Malware such as DarkMe, GuLoader, and Remcos RAT is distributed, targeting traders. Up to 130 devices have been compromised, allowing cybercriminals to access broker accounts. The exploit creates a deceptive archive with an image and script that triggers further stages, evading suspicion. The attacks have spanned various locations, targeting no specific industry or country. DarkMe is linked to EvilNum, tied to DarkCasino’s 2022 phishing campaign. GuLoader delivers Remcos RAT from a remote server using this technique.

4. Thousands of Unpatched Openfire XMPP Servers Still Exposed to High-Severity Flaw

Thousands of Openfire XMPP servers remain vulnerable to CVE-2023-32315 (CVSS score: 7.5), a path traversal vulnerability in Openfire’s administrative console that lets an unauthenticated attacker access pages otherwise reserved for privileged users. It affects all versions of the software released since April 2015, starting with version 3.10.0, and was remediated by its developer, Ignite Realtime, earlier this May with the release of versions 4.6.8, 4.7.5, and 4.8.0. While public exploits create admin users to upload code, VulnCheck’s method is quieter, extracting the JSESSIONID and CSRF token from ‘plugin-admin.jsp’ and using them to upload a JAR plugin. This approach avoids the audit logs, leaving few traces. Active exploitation has been observed, including by the Kinsing crypto botnet. Administrators are advised to update Openfire servers to versions 4.6.8, 4.7.5, or 4.8.0 to counter this threat.

5. Attacks on Citrix NetScaler Systems Linked to Ransomware Actor

Linked to FIN8, a threat actor targets unpatched Citrix NetScaler systems via CVE-2023-3519, executing domain-wide attacks. Monitored by Sophos since August, the actor injects payloads, employs BlueVPS malware, deploys obfuscated PowerShell scripts, and places PHP webshells on victims’ devices. Similarities to a previous attack led analysts to connect the two, identifying the threat actor as ransomware-focused.

Citrix suffered from the actively exploited CVE-2023-3519 code injection flaw in its NetScaler ADC and Gateway products. Despite a July 18th patch release, evidence showed cybercriminals selling exploits since July 6th. Thousands of compromised Citrix servers with injected payloads were discovered. A threat actor known as ‘STAC4663’ was tracked exploiting the flaw, possibly linked to FIN8 and the BlackCat/ALPHV ransomware campaign. The recent payload, injected into “wuauclt.exe” or “wmiprvse.exe,” hints at ransomware. Over 31,000 vulnerable Citrix instances remained even after a month of patch availability.


Programmer’s Digest #45

08/16/2023-08/23/2023 Critical Adobe ColdFusion Flaw, Malicious npm Packages, Critical Zero-Day Flaw Being Actively Exploited And More.

1. Over a Dozen Malicious npm Packages Target Roblox Game Developers

More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber. The malicious packages [...] reproduce code from the legitimate noblox.js package but add malicious, information-stealing functions. 

The packages were cumulatively downloaded 963 times before they were taken down. The names of the rogue packages are as follows:

  • noblox.js-vps (versions 4.14.0 to 4.23.0)
  • noblox.js-ssh (versions 4.2.3 to 4.2.5)
  • noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)

This is not the first time Luna Token Grabber has been spotted in the wild. Earlier this June, Trellix disclosed details of a new Go-based information stealer called Skuld that overlaps with the malware strain.

2. Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software

Software services provider Ivanti has issued a warning about a critical zero-day vulnerability affecting Ivanti Sentry (formerly MobileIron Sentry), currently being exploited in the wild. Tracked as CVE-2023-38035, the flaw allows unauthenticated access to sensitive APIs, enabling unauthorized users to change configurations, execute system commands, and write files onto the system. Although the vulnerability has a high CVSS score of 9.8, the risk of exploitation is low for clients not exposing port 8443 to the internet. Mnemonic, a Norwegian cybersecurity firm, discovered and reported the flaw, which can be weaponized in conjunction with other recently disclosed vulnerabilities if port 8443 is inaccessible. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog.

3. Critical Adobe ColdFusion Flaw Added to CISA’s Exploited Vulnerability Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier) that could result in arbitrary code execution in the context of the current user without requiring any interaction. Deserialization refers to the process of reconstructing a data structure or an object from a byte stream. When it is performed without validating the source or sanitizing the contents, it can lead to unexpected consequences such as code execution or denial-of-service (DoS). It was patched by Adobe as part of updates issued in March 2023. As of writing, it is not immediately clear how the flaw is being abused in the wild.

4. New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC

A significant security flaw in WinRAR has been revealed, allowing potential remote code execution on Windows systems. Tracked as CVE-2023-40477 with a CVSS score of 7.8, the vulnerability arises from improper validation when processing recovery volumes. This could lead to memory access beyond allocated buffers, permitting an attacker to execute code within the current process. Exploiting the flaw necessitates user interaction, luring them to a malicious page or an infected archive file. Discovered by security researcher “goodbyeselene” on June 8, 2023, the issue was resolved in WinRAR 6.23, released on August 2, 2023. Users should update to the latest version to mitigate potential risks.

5. New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities

A new financially-driven operation named LABRAT has exploited a patched critical vulnerability in GitLab for cryptojacking and proxyjacking. This campaign employs stealthy cross-platform malware, kernel-based rootkits, and legitimate services like TryCloudflare to obfuscate its presence. The attackers also use compiled binaries in Go and .NET to remain hidden while providing backdoor access to compromised systems, potentially leading to further attacks, data theft, and ransomware. The attack chain exploits CVE-2021-22205 for remote code execution, followed by retrieving a dropper shell script from a C2 server. The attackers utilize TryCloudflare and a Solr server for covert communication and privilege escalation. Payloads include utilities for remote access and cryptojacking, all aimed at financial gain. GitLab has patched the vulnerability, urging affected users to follow security protocols.

6. CISA Adds Citrix ShareFile Flaw to KEV Catalog Due to In-the-Wild Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active in-the-wild exploitation. Tracked as CVE-2023-24489 (CVSS score: 9.8), the shortcoming has been described as an improper access control bug that, if successfully exploited, could allow an unauthenticated attacker to compromise vulnerable instances remotely. The problem is rooted in ShareFile’s handling of cryptographic operations, enabling adversaries to upload arbitrary files, resulting in remote code execution. This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24. The incident affected less than 3% of the install base (2,800 customers), and no data theft was observed.


Programmer’s Digest #44

08/09/2023-08/16/2023 New Python URL Parsing Flaw, 16 New CODESYS SDK Flaws, .NET Vulnerability And More.

1. Nearly 2,000 Citrix NetScaler Instances Hacked via Critical Vulnerability

Nearly 2,000 Citrix NetScaler instances have been compromised with a backdoor by weaponizing a recently disclosed critical security vulnerability as part of a large-scale attack. An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScalers to gain persistent access. CVE-2023-3519 refers to a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could lead to unauthenticated remote code execution. It was patched by Citrix last month. The development comes a week after the Shadowserver Foundation said it identified close to 7,000 vulnerable, unpatched NetScaler ADC and Gateway instances online and the flaw is being abused to drop PHP web shells on vulnerable servers for remote access. 

2. New Python URL Parsing Flaw Could Enable Command Execution Attacks

A high-severity security flaw has been disclosed in the Python URL parsing function that could be exploited to bypass domain or protocol filtering methods implemented with a blocklist, ultimately resulting in arbitrary file reads and command execution. urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects the parsing of both the hostname and the scheme, and eventually causes any blocklisting method to fail.

The flaw has been assigned the identifier CVE-2023-24329 and carries a CVSS score of 7.5. CVE-2023-24329 arises from a lack of input validation, leading to a scenario where it is possible to get around blocklisting methods by supplying a URL that starts with blank characters (e.g., “ https://youtube[.]com”).
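The check described above, as an added example that is not from the digest or from CPython: a naive blocklist built on urlparse beside a fail-closed variant that normalizes leading control characters and spaces before parsing. The blocklist contents are constructed for the demonstration; the naive function's result for a leading-space URL depends on whether the interpreter carries the CVE-2023-24329 fix.

```python
# Added example: on CPython builds without the CVE-2023-24329 fix,
# urlparse(" https://youtube.com") yields scheme '' and hostname None,
# so a blocklist comparison on the hostname silently passes the URL.
from urllib.parse import urlparse

# Constructed blocklist for the demonstration.
BLOCKED_HOSTS = {"youtube.com", "www.youtube.com"}

# Characters the WHATWG URL parser (and the upstream fix) strip from the
# start of a URL: C0 controls (U+0000..U+001F) and the space character.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def is_allowed_naive(url: str) -> bool:
    """Vulnerable pattern: allow everything whose parsed hostname is not
    blocklisted. With a leading blank, unpatched interpreters parse no
    scheme and no netloc, hostname is None, and the URL is allowed."""
    host = urlparse(url).hostname
    return host not in BLOCKED_HOSTS


def normalize_url(url: str) -> str:
    """Strip leading C0 controls and spaces before parsing, mirroring the
    behaviour the CPython fix introduced, so the result no longer depends
    on the interpreter version."""
    return url.lstrip(_C0_AND_SPACE)


def is_allowed_hardened(url: str) -> bool:
    """Fail closed: normalize, require an allowlisted scheme and a parsed
    hostname, and only then apply the blocklist. urlparse().hostname is
    already lowercased, so mixed-case hosts cannot slip past the set."""
    parts = urlparse(normalize_url(url))
    if parts.scheme.lower() not in {"http", "https"}:
        return False
    host = parts.hostname
    if not host:
        return False
    return host not in BLOCKED_HOSTS


if __name__ == "__main__":
    for candidate in ("https://youtube.com/x", " https://youtube.com/x",
                      "https://example.com/"):
        print(repr(candidate), "naive:", is_allowed_naive(candidate),
              "hardened:", is_allowed_hardened(candidate))
```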

3. North Korean Hackers Suspected in New Wave of Malicious npm Packages

The npm package registry faces a new targeted attack campaign, mirroring a previous North Korean-linked incident. Around nine malicious packages were uploaded between August 9 and 12, 2023, suggesting a sophisticated and socially engineered attack. Initial execution is triggered by a postinstall hook in the package.json file, which launches a pm2-dependent daemon process that contacts a spoofed RustDesk domain and initiates encrypted communication with a remote server. The malware polls for further instructions every 45 seconds, and victims are tracked by their machine GUIDs. This development coincides with a typosquat Ethereum package, GDPR issues from the Moq NuGet package’s recent versions, and a rising susceptibility to dependency confusion attacks, highlighting increased supply chain vulnerabilities.

As mitigations against dependency confusion attacks, it is recommended to publish internal packages under organization scopes and to reserve internal package names in the public registry as placeholders to prevent misuse.
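A check for the install-time mechanism described above, added here as an example (not code from the digest or from any of the projects it covers): it walks a node_modules tree and reports every package.json that declares a preinstall, install or postinstall script. The sample tree and package names it builds are constructed for the demonstration.

```python
# Added example: report npm packages that run a script at install time,
# the hook the campaign above used to gain initial execution.
import json
import os
import tempfile

# Lifecycle scripts npm runs automatically during "npm install".
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules: str) -> list:
    """Return sorted (package name, hook, command) tuples for every
    install-time script found anywhere under node_modules, so scoped
    (@org/name) and nested dependencies are covered as well."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"),
                      encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep scanning
        if not isinstance(manifest, dict):
            continue
        scripts = manifest.get("scripts") or {}
        name = manifest.get("name") or os.path.relpath(dirpath, node_modules)
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((name, hook, cmd))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed node_modules tree: one clean package and one
    package carrying a postinstall hook. Returns the tree's root path."""
    root = tempfile.mkdtemp()
    packages = {
        "left-pad": {"name": "left-pad", "version": "1.0.0"},
        "evil-pkg": {"name": "evil-pkg", "version": "0.0.1",
                     "scripts": {"postinstall": "node ./run.js"}},
    }
    for folder, manifest in packages.items():
        path = os.path.join(root, folder)
        os.makedirs(path)
        with open(os.path.join(path, "package.json"), "w",
                  encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for name, hook, cmd in find_install_hooks(build_sample_tree()):
        print(f"{name}: {hook} -> {cmd}")
```

npm's `--ignore-scripts` flag (or `ignore-scripts=true` in .npmrc) stops these hooks from running at all, which is the usual complement to reviewing the findings.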

4. Multiple Flaws in CyberPower and Dataprobe Products Put Data Centers at Risk

CyberPower’s PowerPanel Enterprise DCIM and Dataprobe’s iBoot PDU exhibit serious vulnerabilities (CVE-2023-3259 through CVE-2023-3267) with scores ranging from 6.7 to 9.8. These flaws enable unauthorized entry, allowing attackers to shut down data centers, breach data, and launch large-scale attacks. Exploiting these could cause catastrophic damage and grant complete system access. These vulnerabilities have been fixed in PowerPanel Enterprise 2.6.9 and Dataprobe iBoot PDU 1.44.08042023 versions. Threat actors could employ these issues to cripple critical infrastructure, perpetrate ransomware, DDoS, or wiper attacks, and engage in cyber espionage. The interconnected nature of modern systems makes prompt security measures crucial to prevent potential breaches and attacks.

5. Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

E-commerce websites utilizing Adobe’s Magento 2 software are under an ongoing attack named Xurum by Akamai, traced back to Russian actors. Leveraging a patched security flaw (CVE-2022-24086), the attackers aim for arbitrary code execution. The campaign’s scale is uncertain, but it focuses on recent payment data from the past 10 days. Compromised sites host a web shell called wso-ng, activated by a specific cookie, exfiltrating sales order payment methods. A rogue admin user “mageworx” or “mageplaza” is added to disguise their actions. This meticulous attack exhibits expertise in Magento, indicating a deliberate and targeted effort, distinct from widespread exploits.

6. 16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks

A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments.

The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities. Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks such as remote code execution (RCE) and denial-of-service (DoS). The remote code execution bugs could be abused to backdoor OT devices and interfere with the functioning of programmable logic controllers (PLCs) in a manner that could pave the way for information theft. To get past the user authentication barrier, a known vulnerability (CVE-2019-9013, CVSS score: 8.8) is employed to steal credentials by means of a replay attack against the PLC, followed by leveraging the flaws to trigger a buffer overflow and gain control of the device.

7. CISA Adds Microsoft .NET Vulnerability to KEV Catalog Due to Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft’s .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-38180 (CVSS score: 7.5), the high-severity flaw relates to a denial-of-service (DoS) condition impacting .NET and Visual Studio. While exact details surrounding the nature of exploitation are unclear, the Windows maker has acknowledged the existence of a proof-of-concept (PoC) in its advisory. It also said that attacks leveraging the flaw can be pulled off without any additional privileges or user interaction. Affected versions of the software include ASP.NET Core 2.1, .NET 6.0, .NET 7.0, Microsoft Visual Studio 2022 version 17.2, Microsoft Visual Studio 2022 version 17.4, and Microsoft Visual Studio 2022 version 17.6.
