
      Exploited 0-days, an incomplete fix, and a botched disclosure: Infosec snafu reigns

      news.movim.eu / ArsTechnica · Tuesday, 18 July, 2023 - 20:22


    Organizations big and small are once again scrambling to patch critical vulnerabilities that are already under active exploitation and that enable the kind of breaches coveted by ransomware actors and nation-state spies.

    The exploited vulnerabilities, one in Adobe ColdFusion and the other in various Citrix NetScaler products, allow remote execution of malicious code. Citrix patched its vulnerabilities on Tuesday, but not before threat actors exploited them. The most critical, tracked as CVE-2023-3519, lurks in Citrix's NetScaler ADC and NetScaler Gateway products. It carries a severity rating of 9.8 out of a possible 10 because it allows attackers to execute code remotely with no authentication required.

    "This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly," researchers from Rapid7, the security firm that detected the attacks, warned Tuesday.


      3CX knew its app was flagged as malicious, but took no action for 7 days

      news.movim.eu / ArsTechnica · Thursday, 30 March, 2023 - 21:46 · 1 minute


    The support team for 3CX, the VoIP/PBX software provider with more than 600,000 customers and 12 million daily users, was aware its desktop app was being flagged as malware, but decided to take no action for a week, when it learned it was on the receiving end of a massive supply chain attack, a thread on the company's community forum shows.

    "Is anyone else seeing this issue with other A/V vendors?" one company customer asked on March 22, in a post titled "Threat alerts from SentinelOne for desktop update initiated from desktop client." The customer was referring to an endpoint malware detection product from security firm SentinelOne. Included in the post were some of SentinelOne's suspicions: the detection of shellcode, code injection into another process's memory space, and other hallmarks of software exploitation.

    Is anyone else seeing this issue with other A/V vendors?

    Post Exploitation
    Penetration framework or shellcode was detected
    Evasion
    Indirect command was executed
    Code injection to other process memory space during the target process' initialization
    \Device\HarddiskVolume4\Users\**USERNAME**\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe
    SHA1 e272715737b51c01dc2bed0f0aee2bf6feef25f1

    I'm also getting the same trigger when attempting to redownload the app from the web client ( 3CXDesktopApp-18.12.416.msi ).

    Defaulting to trust

    Other users quickly jumped in to report receiving the same warnings from their SentinelOne software. They all reported receiving the warning while running 18.0 Update 7 (Build 312) of the 3CXDesktopApp for Windows. Users soon decided the detection was a false positive triggered by a glitch in the SentinelOne product. They created an exception to allow the suspicious app to run without interference. On Friday, a day later, and again on the following Monday and Tuesday, more users reported receiving the SentinelOne warning.
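    Before creating an exception for a flagged binary, the check a practitioner wants is to hash the file on disk and compare it with the indicator that was actually reported, rather than decide "false positive" by consensus in a forum thread. The script below is an added example, not code from 3CX, SentinelOne or Ars Technica. The only indicator it ships with is the SHA-1 quoted in the customer's post above; the filename list, the directory layout and the sample files are constructed for the demonstration, and a filename match is treated as a hint to hash and compare, never as a verdict.

```python
"""Sweep a directory for files whose SHA-1 matches a reported indicator.

Added example, not code from 3CX, SentinelOne or Ars Technica. The only
indicator shipped here is the SHA-1 quoted in the forum post; the filename
list and the sample files are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable

# SHA-1 of 3CXDesktopApp.exe as reported by the customer in the forum thread.
REPORTED_SHA1 = {"e272715737b51c01dc2bed0f0aee2bf6feef25f1"}

# Filenames from the same thread (the app binary and the re-downloaded MSI).
# Assumption: a name match alone is only a hint, never a verdict.
SUSPECT_NAMES = {"3cxdesktopapp.exe", "3cxdesktopapp-18.12.416.msi"}


def sha1_hex(data: bytes) -> str:
    """SHA-1 of an in-memory blob."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so a large installer is not loaded into RAM."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root: Path, ioc_sha1s: Iterable[str] = REPORTED_SHA1,
                  suspect_names: Iterable[str] = SUSPECT_NAMES) -> list[dict]:
    """Walk `root`; return one record per file that matches by hash or by name.

    A hash match identifies that exact binary; a name-only match means
    "hash this and compare against the vendor's published values".
    """
    wanted = {h.lower() for h in ioc_sha1s}
    names = {n.lower() for n in suspect_names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digest = sha1_of_file(p)
            hash_hit = digest in wanted
            name_hit = name.lower() in names
            if hash_hit or name_hit:
                hits.append({"path": str(p), "sha1": digest,
                             "hash_match": hash_hit, "name_match": name_hit})
    return hits


def demo() -> list[dict]:
    """Constructed tree: one benign file and one installer-named look-alike."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"constructed benign content")
        (root / "3CXDesktopApp-18.12.416.msi").write_bytes(b"constructed, not the real MSI")
        return scan_for_iocs(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

    Run it against the install directory shown in the alert (the `3CXDesktopApp` folder under the user's `AppData\Local\Programs`) and feed `ioc_sha1s` from whatever hashes the EDR or the vendor publishes; a `hash_match` of `True` means the file on disk is byte-for-byte the reported sample, and a `name_match` alone only tells you which file to hash.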


      VMware patches vulnerability with 9.8/10 severity rating in Cloud Foundation

      news.movim.eu / ArsTechnica · Friday, 28 October, 2022 - 18:41


    Exploit code was released this week for a just-patched vulnerability in VMware Cloud Foundation and NSX Manager appliances that allows attackers with no authentication to execute malicious code with the highest system privileges.

    VMware patched the vulnerability, tracked as CVE-2021-39144, on Tuesday and assigned it a severity rating of 9.8 out of a possible 10. The vulnerability, which resides in the XStream open source library that Cloud Foundation and NSX Manager rely on, posed so much risk that VMware took the unusual step of patching versions that were no longer supported. It affects Cloud Foundation versions 3.11 and lower; 4.x versions aren't at risk.

    “VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library,” the company’s advisory, published Tuesday, read. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of 'root' on the appliance.”


      Bungie shuts Destiny 2 text chat to stop malicious exploit

      news.movim.eu / ArsTechnica · Monday, 1 August, 2022 - 19:23

    [Image: a character in Destiny 2. Caption: "It's quiet... too quiet..."]

    Over the weekend, players in the Destiny 2 community started to notice a game-breaking bug that could be activated just by sending in-game chat messages to other players. Bungie responded on Saturday by temporarily disabling all in-game chat while it investigates the issue.

    "The team is aware of the exploit right now that is causing some players to be kicked and are actively working on identifying what’s causing the issue and addressing it," Destiny 2 Community Manager Liana Rupert wrote on Twitter just before chat was disabled across the game.

    Scrub those inputs

    The damaging exploit involved a string over 200 characters long, composed mostly of Chinese characters, according to multiple players who came across it over the weekend (and who shared the forbidden text with Ars Technica). Those characters are multi-byte in every common Unicode encoding: three bytes each in UTF-8 and two in UTF-16, against one byte for an ASCII character. A 200-character message of them therefore occupies several times the memory of a 200-character ASCII message, and a length limit enforced in characters says nothing about how many bytes the receiving client has to store.
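    The following is an added example, not Bungie's code, and nothing here is known about Destiny 2's internals. It shows the class of bug the paragraph describes in general form: the gap between a message's character count and its encoded size, and why a limit checked in characters does not bound a buffer sized in bytes. The 256-character limit, the 256-byte receiver buffer and the three sample messages are constructed assumptions for the demonstration.

```python
"""Character count vs encoded size: the mismatch behind 'long string' chat bugs.

Added example, not Bungie's code; nothing here is known about Destiny 2's
internals. It shows a limit checked in characters while the receiver stores
bytes (or UTF-16 code units). Limits and sample messages are constructed.
"""

# Constructed inputs: 200 code points each. U+6F22 is a BMP CJK character,
# U+1F600 is outside the BMP (needs a UTF-16 surrogate pair).
ASCII_MSG = "a" * 200
CJK_MSG = "\u6f22" * 200
EMOJI_MSG = "\U0001F600" * 200

MAX_CHARS = 256         # what a naive client-side check might enforce (assumed)
RECEIVER_BUFFER = 256   # bytes the hypothetical receiver has room for (assumed)


def encoded_length(text: str, encoding: str) -> int:
    """Bytes needed to store `text` in `encoding`."""
    return len(text.encode(encoding))


def utf16_units(text: str) -> int:
    """UTF-16 code units (what C#/Java/JS 'length' report); surrogates count twice."""
    return encoded_length(text, "utf-16-le") // 2


def size_report(text: str) -> dict:
    """The same message measured four ways; only code_points matches len()."""
    return {
        "code_points": len(text),
        "utf8_bytes": encoded_length(text, "utf-8"),
        "utf16_units": utf16_units(text),
        "utf16_bytes": encoded_length(text, "utf-16-le"),
    }


def naive_accepts(text: str, max_chars: int = MAX_CHARS) -> bool:
    """Vulnerable check: counts characters, ignores what the receiver stores."""
    return len(text) <= max_chars


def hardened_accepts(text: str, buffer_bytes: int = RECEIVER_BUFFER,
                     encoding: str = "utf-8", max_chars: int = MAX_CHARS) -> bool:
    """Fixed check: enforce the byte budget of the wire/storage encoding,
    including the terminator, and keep the character limit as well."""
    if len(text) > max_chars:
        return False
    terminator = len("\0".encode(encoding))
    return encoded_length(text, encoding) + terminator <= buffer_bytes


def accepted_by_both(text: str) -> tuple[bool, bool]:
    """(naive verdict, hardened verdict) for one message."""
    return naive_accepts(text), hardened_accepts(text)


if __name__ == "__main__":
    for label, msg in (("ascii", ASCII_MSG), ("cjk", CJK_MSG), ("emoji", EMOJI_MSG)):
        print(label, size_report(msg), accepted_by_both(msg))
```

    The naive check passes all three messages because each is exactly 200 characters; the hardened check rejects the CJK and emoji messages because their UTF-8 forms (600 and 800 bytes) do not fit a 256-byte buffer. Whichever encoding the receiving side actually buffers in is the one the limit must be expressed in, and the terminator has to be counted too.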


      From London to Lagos, Nigeria: he rides 13,000 km by motorcycle for the fight against polio

      news.movim.eu / HuffingtonPost · Thursday, 2 June, 2022 - 16:48 · 1 minute

    FEAT - His adventure went viral on social networks. He gained more than 100,000 followers and was welcomed as a local hero on his arrival in Nigeria. On Sunday 29 May, Kunle Adeyanju crossed the Seme-Krake border post linking Benin to neighbouring Nigeria, bringing to an end a journey of more than 13,000 kilometres.

    He had less than a hundred kilometres left to reach the country's economic capital. Over the 41 days of his journey, Kunle Adeyanju crossed 13 countries and 31 cities, discovering the many landscapes of the African continent.

    The crossing of the continent was also punctuated by human encounters. On several occasions he was accompanied on the road by bikers from different countries, and he rode into Lagos escorted by a large group of them from the border with Benin. His adventures drew the support and admiration of figures such as Bill Gates and Twitter chief Parag Agrawal.

    Close to 45,000 euros hoped for

    Aged 44, Kunle Adeyanju rode from London to Lagos to raise funds for the NGO Rotary International in support of the fight against polio. In an Instagram post published just before his departure, he explained that the funds would also go to primary health care, water treatment and sanitation. He hopes to raise close to 20 million naira, about 45,000 euros.

    Polio is a disease that causes irreversible paralysis. Widespread in Africa and Asia in recent decades, it was declared eliminated from the African continent in August 2020, when the WHO certified the region free of wild poliovirus. But cases persist in some populations with little or no vaccination. Not yet satisfied, Kunle Adeyanju is already planning new motorcycle adventures across Africa and Asia, and to climb Mount Everest.
