Citrix Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Fri, 31 May 2024 01:13:46 +0000

2 Citrix RCE Under Active Exploitation, CISA Notifies
https://gridinsoft.com/blogs/2-citrix-rce-exploited-cisa-updates/
Fri, 19 Jan 2024 11:37:19 +0000

CISA has given a timeframe of one to three weeks to fix three vulnerabilities related to Citrix NetScaler and Google Chrome. These zero-day vulnerabilities were actively used in cyber attacks.

2 Citrix RCEs Exploited In The Wild, CISA Urges to Update

On Wednesday, January 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about three actively exploited vulnerabilities. The two that concern Citrix are CVE-2023-6548 and CVE-2023-6549. The agency immediately added them to its Known Exploited Vulnerabilities Catalog and demanded that U.S. federal agencies patch them ASAP.

The first has a CVSS score of 5.5 and affects the NetScaler ADC and Gateway management interfaces; the deadline to fix it is January 24. Of the other two vulnerabilities, one can cause a denial of service condition on specific configurations. It concerns vulnerable Gateway appliances configured as VPN, ICA Proxy, CVPN or RDP Proxy services, or as AAA virtual servers. This vulnerability has a CVSS score of 8.2, higher than the previous one; nevertheless, CISA has given three weeks to fix these two vulnerabilities.

So, why would you prioritize fixing a vulnerability with a lower CVSS score? When it is easy to exploit, the decision becomes obvious. Exploiting some vulnerabilities with a maximum CVSS score requires conditions close to those of a laboratory, while other issues take far less effort. It is no wonder that CISA so strongly recommends fixing this vulnerability first and foremost.

Citrix RCE Vulnerability Details

CVE-2023-6548 is a medium-severity (CVSS score of 5.5) Remote Code Execution (RCE) vulnerability that affects Citrix NetScaler ADC and Gateway appliances. It allows an authenticated attacker with low-level privileges to execute code on the management interface of the affected devices via NSIP, SNIP, or CLIP.

Next, CVE-2023-6549 is a Denial of Service (DoS) vulnerability. It was also found in Citrix NetScaler ADC and has a CVSS score of 8.2. Threat actors can exploit it under specific configurations of vulnerable appliances: as mentioned, VPN, ICA Proxy, CVPN and RDP Proxy services, or an AAA virtual server, are at risk. The vulnerability can disrupt services by overwhelming the system, leading to a denial of service condition.

Citrix Responds to New Vulnerabilities

Citrix promptly published an advisory and recommended that customers immediately apply updates for the affected versions. Customers using Citrix-managed cloud services or Adaptive Authentication are not required to take action. In addition, the company strongly recommended that network traffic to the appliance’s management interface be separated, either physically or logically, from regular network traffic, and that the management interface not be exposed to the internet, as outlined in its secure deployment guide.

Comcast’s Xfinity Breach Exposes Data of 35.8 Million Users
https://gridinsoft.com/blogs/xfinity-breach-exposes-data/
Wed, 20 Dec 2023 14:55:37 +0000

Comcast confirms a massive security breach impacting its Xfinity division. Nearly 36 million customers of the world’s largest telecom provider were exposed as the result of CitrixBleed exploitation.

The Breach details and impact on customers

The CitrixBleed vulnerability, which resides in widely used Citrix networking devices, has been under mass exploitation by hackers since at least late August. Despite Citrix releasing patches in early October, many organizations, including Comcast, did not apply them in time. This oversight led to unauthorized access to Comcast’s internal systems between October 16th and 19th, though the company only detected the activity on October 25th. The damage is mainly concentrated within Xfinity, one of the company’s biggest divisions.

By November 16th, Xfinity confirmed that customer data had likely been acquired by hackers. This data includes usernames, hashed passwords, names, contact information, dates of birth, partial Social Security numbers, and answers to secret questions. Comcast’s data analysis is ongoing, and further disclosures of compromised data types may emerge.

Figure: email to the main account warning that account information was changed.

The breach’s scale is monumental. Comcast’s filing with Maine’s attorney general revealed that almost 35.8 million customers are affected. Considering Comcast’s over 32 million broadband customers, the breach potentially impacts most, if not all, Xfinity customers.

What is CitrixBleed Vulnerability?

CitrixBleed is a critical-rated security flaw in Citrix devices favored by large corporations. Hackers leveraging this vulnerability have targeted notable entities, including Boeing and the Industrial and Commercial Bank of China. As Citrix products are widely used, the mere existence of such a vulnerability is critical.

The CitrixBleed vulnerability allows hackers to leverage improper input validation to bypass security controls, which results in unauthorized access to internal systems. Moreover, the vulnerability allows attackers to inject malicious code or commands, potentially leading to malware injection.

As of now, it is unclear whether Xfinity received a ransom demand or how the incident affected the company’s operations. Also uncertain is whether the incident has been filed with the U.S. Securities and Exchange Commission under the new data breach reporting rules. Comcast’s response has been tight-lipped regarding these aspects.

Avoiding data loss

Customers affected by the breach should take immediate steps to secure their personal information. This includes monitoring credit reports, being vigilant for phishing attempts, and ensuring all online accounts are secured with strong, unique passwords and, where available, multi-factor authentication.

It’s crucial to read about cybersecurity threats and safe practices, as human error often leads to security breaches. Implementing strong access controls and network segmentation can limit the extent of a breach if one occurs. Additionally, regular backups and encrypted data storage are essential to recover from data loss incidents.

Mr. Cooper’s Data Breach Affects Millions
https://gridinsoft.com/blogs/mr-coopers-data-breach/
Wed, 20 Dec 2023 09:52:28 +0000

Hackers have infiltrated the secure databases of Mr. Cooper, a prominent mortgage and loan company, resulting in a massive data breach. Over 14.6 million customers have been affected, making it one of the most significant breaches in recent times.

Mr. Cooper Hacked, Huge Amounts of Data Exposed

Hackers have breached Mr. Cooper’s databases, impacting 14.6 million customers in one of the most significant recent data breaches. The breach was first noticed on October 31, when Mr. Cooper’s systems unexpectedly went offline, initially attributed to an outage. However, it was later revealed to be a result of a cyberattack. This incident caused concerns about the security measures and the company’s transparency in handling such issues. Customers experienced significant disruptions, unable to access their accounts or process mortgage payments.

In a detailed report to Maine’s attorney general’s office, Mr. Cooper disclosed the extent of the breach. Hackers managed to access a wealth of personal information, including customer names, addresses, dates of birth, phone numbers, SSNs, and bank account details. This breach is far more extensive than initially reported, with the number of victims surpassing the company’s current customer base, indicating that historical data of mortgage holders was also compromised.

Uncertainties And Consequences

Despite the scale of the attack, Mr. Cooper has been reticent about the specifics of the cyberattack. Thus, the attack’s nature, the perpetrators’ identity, and whether any ransom was demanded remain unclear. As a result, the company has faced criticism for its lack of transparency and delayed response to customer concerns. However, the financial implications of the attack are severe. Mr. Cooper estimates the cost of this cyberattack to be at least $25 million, a significant increase from initial estimates of $5 to 10 million. This cost includes expenses related to providing identity protection services to affected customers for two years.

In addition, this breach has far-reaching implications for the affected individuals. The exposure of sensitive personal information raises the risk of identity theft and financial fraud. Customers whose mortgages were previously handled by Nationstar Mortgage, now known as Mr. Cooper, are particularly vulnerable. The company has notified all affected individuals and advised them to take precautionary measures.

Cooper’s Response And Mitigation Efforts

In response to the breach, Mr. Cooper has taken several steps to mitigate the damage and prevent future incidents, including strengthening its cybersecurity infrastructure and working closely with law enforcement and cybersecurity experts. Nonetheless, the company’s delayed response and initial miscommunication have drawn criticism. For a breach of such a scale, this is simply inappropriate.

Citrix and Adobe Vulnerabilities Under Active Exploitation
https://gridinsoft.com/blogs/citrix-adobe-vulnerabilities/
Thu, 20 Jul 2023 16:36:50 +0000

Citrix was able to patch a zero-day vulnerability, while Adobe warns of attacks using ColdFusion Zero-Day and releases an urgent update that nearly fixes the issue. Nonetheless, the story is still not over, as these vulnerabilities are still exploited.

Citrix and Adobe Patch 0-day Vulnerabilities

Simultaneously, products of two companies were hit with critical vulnerabilities that allowed crooks to execute malicious code remotely. Citrix and Adobe are well known in the software market, so there is no need to introduce them. The vulnerability in Citrix NetScaler has a CVSS score of 9.8 out of 10 and allows code execution without authentication. On July 18, Citrix said it had patched the vulnerabilities; however, attackers have likely had time to exploit them.

Adobe is doing a little worse in this regard. Adobe ColdFusion, a popular server-side scripting language, faces critical vulnerabilities. They are tracked as CVE-2023-38203, with a severity level of 9.8 out of 10, and CVE-2023-29298, and they allow an unauthenticated attacker to execute arbitrary code on a vulnerable server. The company soon released a patch that was supposed to fix the vulnerabilities. However, the patch provided by Adobe for CVE-2023-29298 on July 11 is incomplete, which means that remedies against CVE-2023-29298 do not currently exist.

Moreover, experts discovered that the vulnerability Adobe patched a few days earlier was actually CVE-2023-38203 and not CVE-2023-29300. The security company made a mistake by unintentionally disclosing a critical zero-day vulnerability to users already dealing with the threat posed by the incomplete patch. Project Discovery quickly took down the disclosure post, and Adobe fixed the vulnerability two days later. Incidentally, the CVE-2023-29300 vulnerability also has a severity rating of 9.8.

Consequences

While it is impossible to estimate the potential damage from these vulnerabilities, it can be compared to the MOVEit and GoAnywhere vulnerabilities. The former resulted in 357 individual organizations being compromised, while the latter affected over 100 organizations. Both vendors have since released patches, meaning users can only hope the problem will be fixed soon.

Figure: top 10 countries that use Adobe ColdFusion.

How to protect against vulnerabilities?

Protecting against vulnerabilities involves adopting proactive cybersecurity measures and practices. Here are some steps you can take to enhance your security:

  • Keep Software Updated. You should regularly update your operating system, applications, and antivirus software. Developers release updates to patch security vulnerabilities, so staying up-to-date is crucial.
  • Use Strong Passwords. Strong passwords will help prevent compromise through brute force. In addition, consider using a password manager to store and manage your passwords securely.
  • Enable Multi-Factor Authentication. Adding MFA (multi-factor authentication) provides an additional layer of security by requiring extra verification (like a code sent to your phone). It puts one more barrier, and an insurmountable one, in the way of intruders.
  • Use protection solutions. Powerful antivirus software is integral to complementing the above recommendations. In the event of an attempt to infect the system, it will neutralize the threat before it can cause harm.
  • Keep Abreast of Security News. Finally, stay informed about the latest cybersecurity threats and best practices to adapt your defenses accordingly.

Although there is no such thing as 100% protection, implementing these measures can significantly reduce your risk and make it harder for attackers to exploit vulnerabilities.

Attackers hacked the US Census Bureau using Citrix exploit
https://gridinsoft.com/blogs/attackers-hacked-the-us-census-bureau-using-citrix-exploit/
Thu, 19 Aug 2021 16:08:18 +0000

The Office of the Inspector General (OIG) reported that unknown attackers hacked the servers of the US Census Bureau on January 11, 2020.

To do this, a zero-day Citrix ADC vulnerability and a public exploit were used, and the Bureau was unaware of the breach until January 28, 2020.

“The Bureau missed opportunities to mitigate a critical vulnerability, which resulted in the exploitation of vital servers. Once the servers had been exploited, the Bureau did not discover and report the incident in a timely manner. Additionally, the Bureau did not maintain sufficient system logs, which hindered the incident investigation. Following the incident, the Bureau did not conduct a lessons-learned session to identify improvement opportunities. We also found that the Bureau was operating servers that were no longer supported by the vendor”, – OIG representatives said of the incident.

Census Bureau officials said the compromised servers prevented access to data from the 2020 census. Instead, the servers were intended for remote workers and provided access to production, development, and test networks.

“The exploitation of [the vulnerability] was partly successful because an attacker modified the user’s account information in preparation for remote code execution. However, attackers’ attempts to retain access to the system by creating a backdoor on the affected servers were unsuccessful”, – the OIG report says.

The vulnerability in question is the known critical bug CVE-2019-19781, discovered on December 17, 2019. It affects Citrix Application Delivery Controller (ADC) systems and company gateways. The bug allows an unauthorized attacker to send a specially crafted request that will subsequently grant him the ability to execute arbitrary commands on the server.

After gaining such an opportunity, an attacker can develop his attack, successfully move through the corporate network, and gain access to data stored on the attacked system (information about virtual machines, system users, and so on).

The vulnerability was patched in January 2020, and according to the OIG report, the Census Bureau’s servers turned out to be among the first targets of hackers: they were hacked on the first day of active exploitation of the bug.

Let me remind you that I just talked about how Chinese hackers attack US organizations and exploit bugs in Citrix.

DTLS can amplify DDoS by 37 times
https://gridinsoft.com/blogs/dtls-can-amplify-ddos/
Thu, 18 Mar 2021 16:17:06 +0000

Netscout warns that using the DTLS vector allows hackers to amplify DDoS attacks by 37 times.

The researchers found that criminals are using a relatively new vector for amplifying DDoS attacks: the Datagram Transport Layer Security (DTLS) protocol, which provides connection security for protocols using datagrams.

DTLS, like other UDP-based protocols, is susceptible to spoofing, which means it can be used as a DDoS amplification vector. That is, a hacker can send small DTLS packets to a DTLS-enabled device, and the response will be returned to the victim’s address in the form of a much larger packet.

“While an anti-spoofing mechanism was designed into DTLS from the outset, it was described in the relevant IETF RFCs as ‘may’, rather than ‘must’ in terms of implementation requirements. As a result, some DTLS implementations do not leverage this anti-spoofing mechanism by default and can thereby be abused to launch DTLS reflection/amplification DDoS attacks”, – Netscout experts said.

According to experts, this attack amplification vector was previously used only by advanced attackers, but now DTLS abuse has become more accessible and is even offered by a variety of DDoS-for-hire services.


Experts have calculated that DTLS can amplify an attack by 37 times. The largest attacks seen by Netscout were at approximately 45 Gbps. Moreover, attackers combined DTLS with other amplification vectors, resulting in approximately 207 Gbps.

“Attacks consist of two or more separate vectors, organized in such a way as to hit the target with all of these vectors at the same time. Such multi-vector attacks are the online equivalent of a combined-arms attack, and their main idea is to crush the defenders, both in terms of attack power and by making it as difficult as possible to mitigate”, – the experts say.

Netscout reports that there are currently over 4,300 servers on the network vulnerable to this problem. Most often, it is a misconfiguration and outdated software that disables anti-spoofing mechanisms.

In particular, it was previously noted that Citrix Netscaler Application Delivery Controller devices are often vulnerable, although Citrix developers have already urged customers to upgrade to a newer version of the software, where anti-spoofing is enabled by default.

Let me remind you that Google revealed the most powerful DDoS attack in history.

Chinese hackers attack US organizations and exploit bugs in F5, Citrix and Microsoft Exchange
https://gridinsoft.com/blogs/chinese-hackers-attack-us-organizations/
Wed, 16 Sep 2020 16:17:04 +0000

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) has published security guidelines for the private sector and government agencies. CISA said that Chinese hackers associated with the Ministry of State Security of the Republic of China are attacking organizations in the United States and exploiting bugs in F5, Citrix, Pulse Secure and Microsoft Exchange.

According to CISA experts, over the past year Chinese hackers have regularly scanned US government networks in search of network devices and then used exploits for fresh vulnerabilities against them, trying to gain a foothold in vulnerable networks and continue with lateral movement.

“The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies”, — says CISA report.

According to the report, some of these attacks were successful, and the attackers achieved their goal.


The main targets of the Chinese hackers were F5 Big-IP load balancers, Citrix and Pulse Secure VPN devices, and Microsoft Exchange mail servers. Serious vulnerabilities have been identified in all of these products over the past year, including: CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688.

Having infiltrated the network, Chinese hackers seek to advance further and steal data. For this, they use a variety of tools (including open-source and legitimate ones), the most common of which are the Cobalt Strike platform, the China Chopper web shell and Mimikatz.

ZDNet journalists note that Chinese cybercriminals are not the only ones interested in the vulnerabilities listed above.

“In addition, Chinese hackers aren’t the only ones targeting these particular networking appliances. The devices listed above have also been targeted by Iranian state actors, according to a report from the private cyber-security sector and a cyber-security alert published by the FBI last month”, — report ZDNet journalists.

Let me remind you that recently specialists of the Crowdstrike and Dragos companies noticed that the Iranian “government” hackers are putting on sale access to the networks of compromised companies, and provide access to other criminal groups.

I will also remind you that the US authorities warned of a possible intensification of attacks by Iranian hacker groups on the public sector. Perhaps their warning was reasonable.

Citrix expects attacks on fresh issues in XenMobile
https://gridinsoft.com/blogs/citrix-expects-attacks-on-fresh-issues-in-xenmobile/
Wed, 12 Aug 2020 16:20:40 +0000

Citrix engineers released a number of Citrix Endpoint Management patches this week. Citrix expects attacks on XenMobile Server corporate mobile device management systems. These issues give an attacker the ability to gain administrative privileges on vulnerable systems.

The severity of the encountered issues, which received CVE IDs CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212, differs depending on the version of XenMobile used.

Thus, the vulnerabilities are critical for XenMobile versions 10.12 up to RP2, 10.11 up to RP4, 10.10 up to RP6 and all versions up to 10.9 RP5. In turn, for XenMobile versions 10.12 to RP3, 10.11 to RP6, 10.10 to RP6 and up to 10.9 RP5, the threat is low to medium.

The company’s specialists write that all versions of 10.9.x should be immediately updated (preferably to the latest 10.12 RP3), since some problems can be used remotely and without authentication. Currently, more than 70% of potentially vulnerable customers who were previously notified of problems have already installed the available fixes.

“We recommend updating immediately. Although there are currently no known exploits [for these problems], we expect attackers to use them very soon”, — warns the company.

Let me remind you that Citrix users are quite inert: after patches for a previous dangerous bug, 20% of companies remained vulnerable. You should not expect that some noble hackers will patch your systems for you, although this has already happened.

Although Citrix experts do not disclose details of the discovered problems, Positive Technologies specialist Andrey Medov, who discovered the CVE-2020-8209 vulnerability, said that it belongs to the Path Traversal class and is caused by insufficient validation of input data.

“The exploitation of this vulnerability provides information that can be useful when crossing the perimeter, since the configuration file often stores a domain account for connecting to LDAP”, — says the expert.

A remote attacker can use the obtained data to authenticate to other external company resources: corporate mail, VPN, web applications. In addition, by reading the configuration file, an attacker can gain access to important data, for example the database password (by default for the local PostgreSQL, in some cases for a remote SQL Server).

However, given that the database is located inside the corporate perimeter and cannot be connected to from the outside, this vector can only be used in complex attacks, for example with the help of an accomplice within the company.

Dangerous vulnerability in Citrix software is still not resolved in 20% of companies
https://gridinsoft.com/blogs/dangerous-vulnerability-in-citrix-software-is-still-not-resolved-in-20-of-companies/
Fri, 07 Feb 2020 16:53:18 +0000
A month after the publication of information about a dangerous vulnerability in Citrix software that threatened 80 thousand companies in 158 countries, one fifth of those companies have still not taken measures to eliminate it.

This is the conclusion of threat intelligence monitoring conducted by Positive Technologies employees.

The critical vulnerability CVE-2019-19781 in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) was discovered by Positive Technologies experts in December.

“At the end of 2019, the United States led the list of potentially vulnerable organizations (more than 38% of all vulnerable organizations), followed by Germany, the United Kingdom, the Netherlands and Australia,” the experts say.

As was previously reported, there was even a mysterious hacker – some sort of Robin Hood – who patched a server with this vulnerability. On January 8, 2020, an exploit was published that allows a hypothetical attacker to automate attacks on companies that have not fixed this vulnerability.

“Citrix developers planned to completely eliminate the problem between January 27 and January 31, but released a series of patches for different versions of the product a week earlier. It is important to install the necessary update as soon as possible and, until then, to adhere to the Citrix security recommendations that have been available since the publication of the vulnerability information,” warns PT Expert Security Center.

Overall, the trend in eliminating the vulnerability is positive, but 20% of companies still remain at risk. The countries with the largest share of potentially vulnerable organizations today are Brazil (43% of the companies in which the vulnerability was initially identified), China (39%), Russia (35%), France (34%), Italy (33%) and Spain (25%). The best progress was shown by the USA, Great Britain and Australia: in these countries only 21% of the companies continue to use vulnerable devices without taking any protective measures.

Recall that by exploiting this vulnerability an attacker gains direct access to the company’s local network from the Internet. No account credentials are required to carry out such an attack, which means that any external intruder can execute it.

Companies can use application-level firewalls (WAFs) to block a possible attack. Such firewalls detect this attack “out of the box”; for protection in real time, the system should be switched to the mode that blocks dangerous requests rather than only logging them.

I will also remind you of the importance of using reliable antivirus software.

Considering the total lifespan of the identified vulnerability (it has existed since the release of the first vulnerable version of the software in 2014), retrospective identification of possible exploitation of this vulnerability (and, accordingly, of infrastructure compromise) is becoming relevant.
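The retrospective check mentioned above is typically done by reviewing historical web access logs. The following Python script is an added example, not code from the original post or from Positive Technologies: it scans a few constructed access-log lines for the generic path traversal pattern (a “..” path segment, including percent-encoded and double-encoded forms) rather than the specific Citrix request pattern, which this page does not describe. The log format, IP addresses and request paths are all constructed for the example.

```python
"""Retrospective scan of web access logs for path-traversal attempts.

Added example, not from the original page. The detection is generic
(any '..' segment after full percent-decoding) and is not tied to the
specific Citrix request pattern; all log lines below are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/NGINX "combined" log format.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2020:10:01:05 +0000] "GET /static/../../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.64.0"
203.0.113.12 - - [10/Jan/2020:10:01:09 +0000] "GET /img/%2e%2e/%2e%2e/config.xml HTTP/1.1" 200 4011 "-" "python-requests/2.22"
203.0.113.13 - - [10/Jan/2020:10:01:12 +0000] "POST /api/%252e%252e/%252e%252e/secret HTTP/1.1" 200 88 "-" "Go-http-client/1.1"
203.0.113.14 - - [10/Jan/2020:10:01:20 +0000] "GET /docs/a..b/page.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined format: client IP, timestamp,
# method, request target and response status are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(s, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences such as
    %252e are reduced to their final form before inspection."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target):
    """True if any path segment of the decoded request target is exactly
    '..'. Matching whole segments (not the substring '..') keeps names
    like 'a..b' from being false positives; backslashes are treated as
    separators because some servers accept them."""
    path = target.split("?", 1)[0]
    path = fully_decode(path).replace("\\", "/")
    return any(seg == ".." for seg in path.split("/"))


def scan_log(text):
    """Return (ip, method, target, status) for every request whose target
    contains a traversal sequence. A 200 status on such a request is the
    case worth escalating: it suggests the traversal may have succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if has_traversal(m["target"]):
            hits.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, method, target, status in scan_log(SAMPLE_LOG):
        flag = "SUCCESS?" if status == 200 else "blocked"
        print(f"{ip} {method} {target} -> {status} ({flag})")
```

Two design choices matter for a retrospective scan like this: decoding is repeated until the string stops changing, because a single `unquote` would miss double-encoded requests, and the check is on whole path segments rather than the substring “..”, which avoids flagging legitimate file names. Hits that returned 200 should be correlated with other evidence (file access logs, new cron jobs or user accounts) because a successful traversal means the host needs a full compromise assessment, not just a patch.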

Citrix releases new patches, racing with the hackers that install encryptors on vulnerable machines
https://gridinsoft.com/blogs/citrix-releases-new-patches-racing-with-the-hackers-that-install-encryptors-on-vulnerable-machines/
Mon, 27 Jan 2020 18:08:42 +0000
Destructive race: Citrix releases new patches while hackers actively attack vulnerable servers and install file encryptors (ransomware) on them. It seems that users are losing.

At the beginning of this year the CVE-2019-19781 vulnerability was discovered; it affects a number of versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway, as well as two old versions of Citrix SD-WAN WANOP. As reported at the beginning of the month, exploits for it were already in the public domain.

After the exploits were published, attacks on vulnerable Citrix versions intensified, just as expected, since numerous hackers hope to compromise some important target that has not had time to upgrade – a corporate network, a state server or a government agency.

“The main problem was that, though more than a month had passed since the vulnerability was discovered, Citrix developers were in no hurry to release the patch,” IS experts say, condemning the company.

At first, the company limited itself to safety recommendations, explaining to customers how to reduce the risks.

There was even a curious precedent: an unknown hacker used the vulnerability itself to patch vulnerable Citrix servers and, according to information security analysts, not because he was a Robin Hood; his intentions were dubious.

Citrix developers presented the first actual patch only last week, and did not release the final patches until last Friday.

Citrix and FireEye experts also provided free solutions to identify compromises and vulnerable systems.

Now FireEye and Under the Breach analysts warn that the ransomware operators REvil (Sodinokibi) and Ragnarok are actively infecting vulnerable Citrix servers, of which there are still many.

“I examined the files REvil posted from Gedia.com after they refused to pay the ransom. The interesting thing I discovered is that they obviously hacked Gedia via the Citrix exploit. My bet is that all recent targets were accessed via this exploit. It just goes to show how much impact a single exploit could have. Other files included invoices, data structures and a complete dump of the servers’ passwords. GDPR will go hard on these guys and this is exactly what REvil wants; the incentive to ransomware is truly alive!”, writes a representative of Under the Breach.

Additionally, according to unconfirmed reports, the creators of the Maze ransomware have also targeted vulnerable systems.

It should be said that overall the patching process is going well. If in December 2019 the number of vulnerable systems was estimated at 80,000 servers, by mid-January it had dropped to about 25,000, and last week it fell below 11,000 systems altogether. Specialists from the GDI Foundation are closely monitoring these statistics.
