Latest WinRAR, Drupal flaws under active exploitation
CVE-2018-20250, a WinRAR vulnerability that allows attackers to extract a malicious executable into one of the Windows Startup folders so that it is executed every time the system is booted, and CVE-2019-6340, the remote code execution flaw affecting the popular Drupal CMS, have been spotted being exploited by attackers.
PoC attack code for both was released shortly after their public disclosure, and it didn't take long for attackers to adjust and use it.
Attacks on WinRAR users
Active exploitation of the WinRAR vulnerability was flagged on Monday by the 360 Threat Intelligence Center. The delivered malware appears to be a downloader Trojan.
Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off. https://t.co/bK0ngP2nIy
IOC:
hxxp://138.204.171.108/BxjL5iKld8.zip
138.204.171.108:443
— 360 Threat Intelligence Center (@360TIC) February 25, 2019
Check Point’s detailed technical report accompanying the vulnerability disclosure and exploit code published on GitHub have apparently not gone unnoticed.
WinRAR users would do well to update their software to WinRAR 5.70 Beta 1 or later to protect themselves. Alternatively, they can temporarily switch to using another file archiver utility or avoid decompressing archive files they aren’t sure are safe.
Attacks on Drupal-based sites
Imperva researchers revealed on Monday that attackers are targeting Drupal-based websites and delivering a shell uploader and a JavaScript cryptocurrency miner named CoinIMP.
They noted that the attackers are using an exploit that was published a day after the vulnerability was unveiled, and which continues to work even after following the Drupal team's proposed remediation of disabling all web services modules and banning PUT/PATCH/POST requests to web services resources.
“Despite the fix, it is still possible to issue a GET request and therefore perform remote code execution as was the case with the other HTTP methods,” they warned. Users should, therefore, update their Drupal installations to close the security hole.
The attacks originated from several attackers and countries and targeted a variety of websites, Imperva shared.
Unlike previous Drupal vulnerabilities, though, this one only affects a relatively small percentage of Drupal users: those who use Drupal 8 AND have a specific combination of web services modules enabled.