
Bad Google Bard! Cold Fusion Still Exists?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), way back in November 2021, issued a “binding operational directive” that requires operators to patch against all known bad stuff. There’s a deadline coming up August 10 for a couple of “Common Vulnerabilities and Exposures” (CVEs).

I guess it’s no surprise that ColdFusion websites are still out there. It’s still a supported Adobe product. For those running this somewhat ancient framework, there are problems, and upgrades are needed:

CISA warns govt agencies to patch Adobe ColdFusion servers

Government agencies and some Fortune 100 companies use ColdFusion. Apparently a whopping 0.3% of the servers where we can identify what they’re running are running ColdFusion. According to another article, there are 17 million JavaScript programmers and only 18,000 ColdFusion programmers.

The government IT people responsible for these ColdFusion servers have until August 10 to comply with the directive. CISA is also warning private companies to upgrade.

The flaw in ColdFusion involves two CVEs: CVE-2023-29298 and CVE-2023-38205.

Adobe supposedly fixed these on July 11, but the security firm Rapid7 identified continuing problems then and again on July 17.

Malware Disguised as Google Chatbot/AI Tools

Here’s an article over on the Hacker News:

Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities

A new malware, BundleBot, is taking advantage of .NET’s single-file application approach. It’s being distributed through Facebook ads for utilities and AI tools. These lead the user to a website that looks like Google Bard. The user is encouraged to download a RAR file, Google_AI.rar, which is hosted on legitimate file services such as Dropbox.

“The delivering method via Facebook Ads and compromised accounts is something that has been abused by threat actors for a while, still combining it with one of the capabilities of the revealed malware (to steal a victim’s Facebook account information) could serve as a tricky self-feeding routine”

Once the user unpacks the RAR file, there’s a set of programs nested like Matryoshka dolls. The first layer is a file, GoogleAI.exe. It contains GoogleAI.dll, which fetches a password-protected file from Google Drive. This file is another .NET single-file application, RiotClientServices.exe. This is starting to sound bad.

RiotClientServices.exe contains the BundleBot payload, as well as a Command and Control client “LirarySharing.dll” (sic):

“The assembly RiotClientServices.dll is a custom, new stealer/bot that uses the library LirarySharing.dll to process and serialize the packet data that are being sent to C2 as a part of the bot communication”

MalwareBytes Discovers Fake Facebook Ads Managers

Just barely getting a mention at the end of the article, Malwarebytes has detected another way of getting at people’s Facebook logins. The article is here.

Have a great week!
