The Week in Security: WinRAR exploit targets traders, malicious npm packages go after game devs

This week: Hackers are exploiting a zero-day to target crypto and stock traders. Also: ReversingLabs researchers discover over a dozen malicious npm packages targeting Roblox game developers.

This Week’s Top Story

WinRAR zero-day vulnerability exploited to target crypto and stock traders

Since April 2023, A WinRAR zero-day vulnerability has been abused by hackers to execute multiple malware families onto cryptocurrency traders. Researchers at Group-IB discovered the campaign, and have found that hackers have used malware families like DarkMe, GuLoader and Remcos RAT on their targets for financial gain. At this point, it is still unknown which hackers are behind the campaign.

The vulnerability, tracked as CVE-2023-38831, is allowing hackers to create malicious .RAR and .ZIP archives that display harmless-looking files to users, such as those ending in .JPEG or .PDF. If a user clicks on one of these files, the vulnerability allows for a script to automatically run that then installs the malware onto the victim’s system. Hackers have also made the process less suspicious to their targets by having the script also load the seemingly-harmless file that the user was hoping to open, in an effort to hide the malware install.

In targeting cryptocurrency and stock trading firms, the attackers pretended to be trading enthusiasts in at least eight online trading forums, sharing strategies that allowed them to gain approval and acceptance into the forum by other, legitimate and non-malicious users. And in their forum posts, hackers included links that directed users to the WinRAR ZIP and RAR archives, which users would then access and download the unseemingly-malicious files.

WinRAR has patched for the vulnerability in their newest version of the product, 6.23, which users are encouraged to download in order to defend themselves against this malicious campaign and others like it.

News Roundup

Here are the stories we’re paying attention to this week…

Over a dozen malicious npm packages target Roblox game developers (The Hacker News)

Researchers at ReversingLabs have discovered more than a dozen malicious packages on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber on systems belonging to Roblox developers.

New supply chain attack hit close to 100 victims - and clues point to China (WIRED)

Researchers revealed that they'd detected a supply chain attack carried out by a hacker group that they've newly named CarderBee. The hackers hijacked the software updates of a piece of Chinese-origin security software known as Cobra DocGuard, injecting their own malware to target about 100 computers across Asia, mostly in Hong Kong.

BlackCat ransomware gang claims credit for Seiko data breach (Graham Cluley)

The BlackCat ransomware gang has claimed credit for a cybersecurity attack against Japanese watchmaker Seiko. BlackCat (also known as ALPHAV) posted on its dark web leak site what it claims are files stolen from Seiko’s servers.

Hosting firm says it lost all customer data after ransomware attack (Bleeping Computer)

Danish hosting firms CloudNordic and AzeroCloud have suffered ransomware attacks, causing the loss of the majority of customer data and forcing the hosting providers to shut down all systems, including websites, email, and customer sites.

CISA pushes for ‘Secure by Design’ AI Software (MeriTalk)

As part of its broad efforts to foster a secure-by-design and -default technology ecosystem, the Cybersecurity and Infrastructure Security Agency (CISA) called on AI software makers last week to build security into systems from the outset.