CVSS v3: 9.8

CVE-2019-19781

Published: 27/12/2019 Updated: 20/01/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.


Vulnerable Products

citrix application_delivery_controller_firmware 10.5

citrix application_delivery_controller_firmware 11.1

citrix application_delivery_controller_firmware 12.0

citrix application_delivery_controller_firmware 12.1

citrix application_delivery_controller_firmware 13.0

citrix netscaler_gateway_firmware 10.5

citrix netscaler_gateway_firmware 11.1

citrix netscaler_gateway_firmware 12.0

citrix netscaler_gateway_firmware 12.1

citrix gateway_firmware 13.0

Mailing Lists

Citrix Application Delivery Controller and Citrix Gateway remote code execution proof of concept exploit ...
This Metasploit module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload ...
Citrix Application Delivery Controller and Citrix Gateway directory traversal remote code execution exploit ...
This Metasploit module exploits a remote code execution vulnerability in Citrix Application Delivery Controller and Gateway version 10.5 ...
This is an nmap nse script to test for the path traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway ...

Metasploit Modules

Citrix ADC (NetScaler) Directory Traversal RCE

This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.

msf > use exploit/linux/http/citrix_dir_traversal_rce
msf exploit(citrix_dir_traversal_rce) > show targets
    ...targets...
msf exploit(citrix_dir_traversal_rce) > set TARGET < target-id >
msf exploit(citrix_dir_traversal_rce) > show options
    ...show and set options...
msf exploit(citrix_dir_traversal_rce) > exploit

Citrix ADC (NetScaler) Directory Traversal Scanner

This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of a "[global]" directive in smb.conf, which this file should always contain.

msf > use auxiliary/scanner/http/citrix_dir_traversal
msf auxiliary(citrix_dir_traversal) > show actions
    ...actions...
msf auxiliary(citrix_dir_traversal) > set ACTION < action-name >
msf auxiliary(citrix_dir_traversal) > show options
    ...show and set options...
msf auxiliary(citrix_dir_traversal) > run

Github Repositories

Exploit Citrix - Remote Code Execution Bug: CVE-2019-19781. This tool is ported to Golang from github.com/trustedsec/cve-2019-19781/blob/master/citrixmash.py. Writeup and mitigation: www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ Forensics and IoC Blog: www.trustedsec.com/blog/netscaler-remote-code

Audit Guide for the Citrix ADC Vulnerability CVE-2019-19781. Collected from multiple sources and threat assessments. Will be updated as new methods come up.

Update 1-22-2020: There is now a tool from FireEye that will help scan these items below. The key to this is that you need to have enough logs to go back to 1-9-2020 to have a chance to see what was done beyond the exploit being run. If it finds XML payload files then you need to use the information below to make a decision on what action to take: www.fireeye.com/blog/pr

CVE-2019-19781: CVE-2019-19781 Module for Router Scan Project. How To Use: prepare: pip3 install ipcalc,requests; usage: python3 scanner.py. Copyright: some part of this repository that sends the TCP response is partly forked from trustedsec/cve-2019-19781 with some changes for the APIs of Router Scan Project.

This is a tool published for the Citrix ADC (NetScaler) vulnerability. We are only disclosing this due to others publishing the exploit code first.

CVE-2019-19781: This was only uploaded due to other researchers publishing their code first. We would have hoped to have had this hidden for a while longer while defenders had appropriate time to patch their systems. We are all for responsible disclosure; in this case, the cat was already out of the bag. Exploits: CVE-2019-19781 Citrixmash (CVE-2019-19781 exploit) root@stronghol

CVE-2019-19781 - Remote Code Execution on Citrix ADC Netscaler exploit

CVE-2019-19781: Remote Code Execution (RCE) in Citrix Application Delivery Controller and Citrix Gateway. A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. EDIT:

Here is a list of useful information about threats and scams related to Coronavirus Disease 2019 (COVID-19).

COVID-19 Response: Covid19 Response will share tools and resources for security incident response and cyber defence, aimed at helping systems administrators or anyone to protect against threats using the disease outbreak as a vector. cve-2019-19781 - Check citrix gateways that are vulnerable to CVE-2019-19781. threatlist - Hashes, files, phishing, etc. Useful Links: Windows Defender AT

CVE-2019-19781: To use this scanner go to cve-2019-19781.azurewebsites.net. Features: Scan for IPs/Hostnames that are exposed to CVE 2019 19781; Scan offline database for leaked wildcard certificates. Credits: This project is based on this project: Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781. Tool Written by: Rob Simon and Dave Kennedy. Contr

IOCs for CVE-2019-19781

CVE-2019-19781_IOCs: IOCs for CVE-2019-19781. citrixhoneypotnslookuptxt contains whois results for the IP addresses listed in ips.txt; these were the addresses that showed up most frequently in the logs of the honeypot discussed here: www.digitalshadows.com/blog-and-research/cve-2019-19781-analyzing-the-exploit/

Test a host for susceptibility to CVE-2019-19781

check-cve-2019-19781: This utility determines if a host appears susceptible to CVE-2019-19781. Requirements: Python versions 3.6 and above. Note that Python 2 is not supported. Installation: From a release: pip install github.com/cisagov/check-cve-2019-19781/releases/download/v1.0.2/cve_2019_19781-1.0.2-py3-none-any.whl. From source: git clone github.com/cisa

Simple tool for testing vulnerability to CVE 2019-19781

CVE-2019-19781: The intent of this project is to wrap up the tool published by CISA to test for vulnerability to CVE-2019-19781. See www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability for the CERT announcement about the tool. See the following for more information on the vulnerability: support.citrix.com/article

Ctirix_RCE-CVE-2019-19781 Citrix ADC RCE cve-2019-19781

CVE-2019-19781: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. Authentication: NONE; Access Complexity: LOW; Access Vector: NETWORK; Confidentiality: PARTIAL; Integrity: PARTIAL; Availability: PARTIAL; CVSS Score: 7.5. References: support.citrix.com/article/CTX267027 https:

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents Arduino C C# C++ CSS Clojure CoffeeScript Dockerfile Eagle Emacs Lisp Go HTML Java JavaScript Jupyter Notebook Lua Makefile Others PHP PowerShell Python QML Rust Shell Swift TeX TypeScript Arduino ESP8266Tweet - Twitter client for ESP8266 C hashcat - World's fastest and most advanced pa

Citrix ADC Remote Code Execution

CVE-2019-19781 Citrix ADC Remote Code Execution. python usage: python CVE-2019-19781.py 1921683244. 0x01 download NSVPX-ESX-13.0-47.22_nc_64.zip from www.citrix.com/downloads/citrix-gateway/ and configure static networ 0x02 nmap scan: Scanning 1921683244 [65535 ports] Discovered open port 80/tcp on 1921683244 Discovered open port 22/tcp on 1921683244 Discove

My Citrix ADC NetScaler CVE-2019-19781 Vulnerability DFIR notes.

Based on a Splunk perspective. The resources below show that ingesting your logs is essential for proper analysis of the Indicators Of Compromise. Never waste a good crisis: ingest all the logs. Impact / Root Cause: Remote pre-auth arbitrary command execution due to a logic vuln, i.e. reliable execution possible. Some Resources: support.citrix.com/article/CTX267027 www

Citrix Unauthorized Remote Code Execution Attacker - CVE-2019-19781

Citrix Unauthorized Remote Code Execution Attacker - CVE-2019-19781. References: blog.fox-it.com/2020/07/01/a-second-look-at-cve-2019-19781-citrix-netscaler-adc/ Bypassing: 1 - Deleted / Modified scripts at: /vpn/../vpns/portal/scripts/* 2 - Forward Slash ("/") issues after perl command injection (template injection) attack

Remote Code Execution Exploit (CVE-2019-19781) - Citrix Application Delivery Controller & Gateway. Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway [ CVE-2019-19781 ]. Usage: bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE, e.g.: bash CVE-2019-19781.sh XXXXXXXX 'cat /etc/passwd'. Live Demo of Exploiting

Repository for penetration testing tools

Pentest-Detections: Repository for penetration testing tools. WannaCry_NotPetya_FastDetect: Vulnerability scanner for MS17-010, IPv4 and IPv6 compatible, very fast and flexible. Citrix_CVE-2019-19781: Vulnerability scanner for Citrix CVE-2019-19781, very fast and flexible.

CVE-2019-19781 Attack Triage Script

CVE-2019-19781: CVE-2019-19781 Attack Triage Script. The script can be run on your affected Citrix ADC devices to assist in determining if a compromise has occurred. It will quickly capture any associated commands or files that were used as part of the attack (unless cleanup has occurred): $ ./CVE-2019-19781-Triage.sh Disclaimer: Best efforts were made to test the script provided, h

Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway [ CVE-2019-19781 ]

CVE-2019-19781: Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway [ CVE-2019-19781 ]. Usage: bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE, e.g.: bash CVE-2019-19781.sh XXXXXXXX 'cat /etc/passwd'. Reference: support.citrix.com/article/CTX267027 nvd.nist.gov/vuln/detail/CVE-2019-19781 https:/

Indicator of Compromise Scanner for CVE-2019-19781

Indicator of Compromise Scanner for CVE-2019-19781. This repository contains a utility for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781. The utility, and its resources, encode indicators of compromise collected during FireEye Mandiant investigations. To learn more, please read the blog announcing this tool's release. In summary the utility will:

Gather a list of Citrix appliances in a country / state pair, and check if they're vulnerable to CVE-2019-19781

shitsniffer: Gather a list of Citrix appliances in a country / state pair, and check if they're vulnerable to CVE-2019-19781. Results are output as JSON, which can be wrangled quite nicely into a meaningful PowerBI report. It does this by querying Shodan for all results in a particular country matching a search string. By default, it searches country:AU has_ssl:true with the

This Is just My Personal Note For Fast-IR

DFIR-Note: This Is just My Personal Note For Fast-IR. What are the Most Targeted Servers By the Adversary and Why: 1- SCCM is a platform that allows an enterprise to package and deploy operating systems, software, and software updates. If you can gain access to SCCM, it makes for a great attack platform. It heavily integrates Windows PowerShell, has excellent network visibility,

Search data for trickiness and obfuscation.

trickt: Finds and converts obfuscated strings into a human readable form. Install: $ pip3 install trickt. Run: Searching individual strings. I refer to obfuscation as trickiness because I'm a child at heart. trickt outputs strings as byte strings so you can see if there are goofy characters visually. You can pass a file path to read and decode, or decode a string directly. Base6

This is a repository with links about Python for Web Applications

The Python Web Apps Guide: A Python repository to facilitate studies. [WARNING] The links cited here were extracted from various sites and are for study use. I am sharing them so that, as well as I can learn, I hope I have not infringed any copyright; and if your website, repository or any other link is here and the owner would not like it to be, please contact us so you can wit

Detect Path traversal vulnerabilities with nmap

nmap: simple nmap script to detect Path Traversal. Usage, for example: nmap -Pn -p443 -sVC --script=CVE-2019-19781.nse

Jupyter notebook to help automate some of the forensic analysis related to Citrix Netscalers compromised via CVE-2019-19781

Citrix Analysis Notebook: A jupyter notebook to aid in automating some of the forensic analysis related to Citrix Netscaler hosts compromised via CVE-2019-19781. For help retrieving artifacts to examine, see this Citrix triage script. All notes/suggestions are welcome. Feel free to submit pull requests or issues. Disclaimer: Not intended to be a be-all end-all solution, just ther

For batch proof-of-concept use

CVE-2019-19781, for batch proof-of-concept use. Usage restrictions: 1. Before use, the folder must contain a "data.txt" file whose contents are 192.168.1.0/24\n 192.168.2.0/24\n. 2. Runs only on Linux: python3 CVE-2019-19781-test_bata.py. 3. If it runs successfully and finds the vulnerability, results are exported to "CVE-2019-19781.txt".

Shitrix : CVE-2019-19781 - Remote Code Execution on Citrix ADC Netscaler exploit

CVE-2019-19781: Simple POC to test if your Citrix ADC Netscaler is vulnerable to CVE-2019-19781. Usage: python <TARGET> <TARGETPORT> <CMD>. This is proxified by default on tor default port --> 127.0.0.1:9050. You'll need PySocks, requests and urllib3. Security advisory: support.citrix.com/article/CTX267027

CVE-2019-19781: Automated script for Citrix ADC scanner (CVE-2019-19781) using hosts retrieved from Shodan API. You must have a Shodan account to use this script. Click here if you don't have a Shodan account. Installation: Install dependencies: # CentOS & Fedora: yum install git python3 -y # Ubuntu & Debian: apt install git python3 python3-pip

Detect-CVE-2019-19781: Set the $IP variable to your own server to detect if it's vulnerable.

My working exploit script for Shitrix (CVE-2019-19781)

Shitrix-CVE-2019-19781: My working approach to exploiting Shitrix. Updated 21st July, 2020 - now supports multi-worded commands and forward slashes. You need curl >= 7.42.0. Call it with, e.g.: ./shitrix.sh target port ls -al

A fast multi threaded scanner for Citrix ADC (NetScaler) CVE-2019-19781 - Citrixmash / Shitrix

CVE-2019-19781 citrixmash scanner: A multithreaded scanner for Citrix appliances that are vulnerable to CVE-2019-19781. The scanner does not attempt to compromise/exploit hosts and avoids downloading any sensitive content. A HEAD request is used to determine if a target is vulnerable. False positives are reduced by verifying a specific value in the content-length header of the response.

CVE-2019-19781 vulnerability batch test script

A script to look for the CVE-2019-19781 vulnerability within a domain and its subdomains

citrixvulncheck: A script to look for the CVE-2019-19781 vulnerability within a domain and its subdomains

CVE-2019-19781-exploit CVE-2019-19781 kfire/1170html

uSIEM Sigma Rule Engine: Native rule engine based on github.com/SigmaHQ/sigma. How it works: All SIGMA rules that don't depend on a time interval are checked against each log if the log category/service matches the rules. The following SIGMA rule is checked against every log marked as webserver (uSIEM Log Event of type WebServer). If the rule h

URL collection from browsing twitter

URL collection from browsing twitter: Coronavirus COVID-19 (2019-nCoV); ephemera-miscellany/[ShmooCon 2018] Listing the 1337 - Adventures in Curating HackerTwitter's Institutional Knowledge (@hexwaxwing + @DanielGallagher).pdf at master · 1337list/ephemera-miscellany · GitHub; GitHub - felixgr/secure-ios-app-dev: Collection of the most common vulnerabilities f

Automated forensic script hunting for cve-2019-19781

CVE-2019-19781-Forensic. Note: My advice is now to use the official tool published by fireeye & citrix: github.com/fireeye/ioc-scanner-CVE-2019-19781. This little script was created to help security analysts discover traces of successful CVE-2019-19781 exploits on their systems. Feel free to fork and improve! You can find an example of output on a compromised

citrix adc rce

Citrix_CVE-2019-19781 Citrix ADC Remote Code Execution

CVE-2019-19781, supports batch detection. Usage: python CVE-2019-19781.py. The target URLs to check must be placed in url.txt, created in the script's current directory, one per line: xxx:port/ xxx:port/. Output: links with the vulnerability in res.txt; failed links in log.txt.

citrix-vuln-checker run the script in your terminal to check if your CITRIX SERVER is vulnerable to the CVE-2019-19781

Check your website for the CVE-2019-19781 vulnerability

CVE-2019-19781-Checker: Check your website for the CVE-2019-19781 vulnerability. #VISIT citrix-checker.com TO CHECK IF YOU ARE VULNERABLE FOR CVE-2019-19781. PLEASE USE OUR CHECKER TWO TIMES TO BE SURE. This website gives you the results if your service is vulnerable for CVE-2019-19781. There is a responder policy to mitigate the issue until there is a permanent fix. To apply the

A Citrix Netscaler honeypot

Honeypot for CVE-2019-19781 (Citrix ADC): Detect and log CVE-2019-19781 scan and exploitation attempts. Based on MalwareTech's Citrix honeypot but heavily rewritten. Prerequisites: openssl (used only once, to create a self-signed HTTPS certificate); a working MySQL server (only if you use the MySQL output plugin). Usage: Check the installation document for more informatio

Citrix ADC (NetScaler) Honeypot. Supports detection for CVE-2019-19781 and login attempts

Citrix ADC (NetScaler) Honeypot: Detects and logs payloads for CVE-2019-19781 (Shitrix / Citrixmash). Logs failed login attempts. Serves content and headers taken from a real appliance in order to increase the chance of indexing on search engines (e.g. google, shodan etc.). Installation: Precompiled: Precompiled Linux (x64) package available here. mkdir citrix-honeypot cd citrix-honeypot

CVE-2019-19781 bash exploit

citrix.sh: CVE-2019-19781 bash exploit. Using: bash citrix.sh $domain.com. Cyber-Warrior.Org / AKINCILAR / mit

Citrix-CVE-2019-19781

Detect and log CVE-2019-19781 scan and exploitation attempts.

Honeypot for CVE-2019-19781 (Citrix ADC): Detect and log CVE-2019-19781 scan and exploitation attempts. Requirements: python3, openssl. Usage: Clone repo: git clone github.com/MalwareTech/CitrixHoneypot.git CitrixHoneypot && cd CitrixHoneypot. Make ssl and logs directory: mkdir logs ssl. Generate self signed SSL certificate: openssl req -newkey rsa:2048 -no

A small collection of network traffic packet captures

pcap: A small collection of network traffic packet captures. CVE-2019-19781: Added on 2020-01-14 to host PCAP referenced in the "Rough Patch: I Promise It'll Be 200 OK" blog. First PCAP file - GET request for exploit scanning - checking conf file for a 200 OK response. Second PCAP file - POST request exploiting the vulnerability using TrustedSec's publicly-ava

centos: Notes about all the stuff I have to look up. centos: yum install nfs-utils; mkdir /var/backups; mount -t nfs 1010010:/backups /var/backups; /etc/fstab: 1010010:/backups /var/backups nfs defaults 0 0; firewall-cmd --permanent --zone=public --add-service=nfs; iptables -S; yum -y install epel-release hto

Modified PoC, adapted for python3

CVE-2019-19781-poc: Modified PoC, adapted for python3. python3 CVE-2019-19781.py example.com

Citrix Netscaler RCE

CVE-2019-19781 Citrix Netscaler RCE

CVE-2019-19781 Citrix RCE

CVE-2019-19781 Citrix ADC Remote Command Execution. Reference: www.exploit-db.com/exploits/47901

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents Assembly Batchfile Blade C C# C++ CSS CUE Clojure Dart Dockerfile Elixir Erlang F# Go HCL HTML Haskell Java JavaScript Jinja Jupyter Notebook Makefile Markdown Mustache Nunjucks Objective-C Others PHP PLpgSQL Perl Python QML Ruby Rust SCSS Shell Smarty Starlark Swift TeX TypeScript Vue WebAssemb

This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.

check-your-pulse: This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510. The Cybersecurity and Infrastructure Security Agency (CISA) has seen many organizations breached despite patching their appliance because of Active Directory credentials (to include Domain Admin) harvested prior to

Shodan_SHIFT: Shodan SHIFT demonstrates one of many useful use cases for using Shodan to threat hunt. Specifically, SHIFT assists a user with identification of vulnerable source and destination IP addresses contained in a packet capture file. Installation: Python3 and tshark are required for shift to work properly. Additionally, the provided requirements.txt file should be run to

The CyCognito integration empowers the user with the view of their organization's internet-exposed attack surface by fetching issues discovered by the CyCognito platform. These issues provide identification, prioritization, and remediation for the risks the organization faces. The integration contains commands to query assets and issues detected by the CyCognito platform a

Critical CVEs in the last 5 years. CVE Exploits.

Common-Vulnerability-Exposure-CVE-: Critical CVEs in the last 5 years. CVE Exploits. 1. CVE-2014-0160 - Heartbleed: The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communica

Detections by Author: DNIF 138, community 127, Total 265. Detections by Directory: /Advanced Threat Detection/Windows Process Monitoring 119; /Advanced Threat Detection/Proxy Monitoring 29; /Advanced Threat Detection/Webserver Exploits 9; /Cloud Security/Amazon Web Services 13; /Advanced Threat Detection/DNS Monitoring 4; /Cloud

CVEs enumerated by FireEye that should be addressed to limit the effectiveness of the leaked Red Team tools: CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0; CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0; CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN

Lotus Scripts: Welcome to the official Lotus Lua Scripts repository! Here, we provide a collection of Lua scripts to scan different vulnerabilities. Scripting Progress: This table shows the progress of our tool and script development in Lua. We've already rewritten some of our tools, such as the SQLiDetector and Simple SSTI Detector, and we're currently working on sev

vFeed CVEs: Vulnerability Indicators that should be addressed to limit the effectiveness of the Leaked FireEye Red Team tools: CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0; CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0; CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Forti

cisa_AA22-011A Test Cases - Understanding and Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure. Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include: CVE-2018-13379 FortiGate VPNs; CVE-2019-1653 Cisco router; CVE-2019-2725 Oracle WebLogic Server; CVE-2019-7609 Kibana; CVE-2019-9670 Zimbra software; CVE

Pentest-Tools: General useful Powershell Scripts; AMSI Bypass; restriction Bypass; Payload Hosting; Network Share Scanner; Lateral Movement; Reverse Shellz; POST Exploitation; Pivot; Backdoor finder; Persistence on windows; Web Application Pentest; Framework Discovery; Framework Scanner / Exploitation; Web Vulnerability Scanner / Burp Plugins; Network- / Service-level Vulnerability Scanner C

Dataset info & mapping: In this repository we provide a full list of all events that were included in the Dataset, and provide the event mappings to expert rules for both the AlienVault and Sigma rules. Overview: This repository contains the following: events.txt, a txt file listing all events. This full list is also shown in the Section Events below. mappings, a direct

AD-Pentesting-Tools Pentest-Tools: General useful Powershell Scripts; AMSI Bypass; restriction Bypass; Payload Hosting; Network Share Scanner; Lateral Movement; Reverse Shellz; POST Exploitation; Pivot; Backdoor finder; Persistence on windows; Web Application Pentest; Framework Discovery; Framework Scanner / Exploitation; Web Vulnerability Scanner / Burp Plugins; Network- / Service-level Vul

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents AppleScript Batchfile BitBake C C# C++ CSS Dart Dockerfile Erlang Go HCL HTML Hack Java JavaScript Jupyter Notebook Kotlin Lua Makefile Objective-C Others PHP Pascal Perl PowerShell Python Raku Ruby Rust Scala Shell TypeScript Vala Visual Basic Visual Basic NET Vue AppleScript svg/svgo-osx-fo

Pentesters-toolbox: General useful Powershell Scripts; AMSI Bypass; restriction Bypass; Payload Hosting; Network Share Scanner; Lateral Movement; Reverse Shellz; POST Exploitation; Pivot; Backdoor finder; Persistence on windows; Web Application Pentest; Framework Discovery; Framework Scanner / Exploitation; Web Vulnerability Scanner / Burp Plugins; Network- / Service-level Vulnerability Scan

Pentest-Tools: Windows Active Directory Pentest. General useful Powershell Scripts: github.com/S3cur3Th1sSh1t/WinPwn - github.com/dafthack/MailSniper github.com/putterpanda/mimikittenz github.com/dafthack/DomainPasswordSpray github.com/mdavis332/DomainPasswordSpray - same but kerberos auth for more stealth and lockout-sleep github

fscan-Intranet. Introduction: This is an intranet-modified version of fscan. Modified version; official version download. First, the author's original work is credited; kudos to the author's open-source spirit and a nice piece of work. fscan's web scanning function calls xray's PoCs, which is indeed very handy, but it also causes problems such as excessive traffic and slow speed. fscan is still mostly used in intranet penetration, and in intranet penetration the need for

Useful Pentest tool links

Pentest-Tools Red-Team-Essentialss General useful Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vu

Windows Active Directory penetration testing. Technical notes and list of tools, scripts and Windows commands that I find useful during internal penetration tests (Windows environment/Active Directory). The output files included here are the results of tools, scripts and Windows commands that I ran against a vulnerable Windows AD lab that I created to test attacks/exploits and d

Welcome to Goby. Goby is a new generation network security assessment tool. It can efficiently and practically scan vulnerabilities while sorting out the most complete attack surface information for a target enterprise. Goby can also quickly penetrate the company intranet based on a company's vulnerabilities exposed to the Internet. We strive for Goby to become a more vita

Awesome hacking is an awesome collection of hacking tools.

Awesome Hacking. Awesome hacking is a curated list of hacking tools for hackers, pentesters and security researchers. Its goal is to collect, classify and make awesome tools easy to find by humans, creating a toolset you can checkout and update with one command. This is not only a curated list, it is also a complete and updated toolset you can download with one command! You can

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents AutoIt Batchfile BitBake BlitzBasic C C# C++ CSS Dart Dockerfile Erlang Go HTML Hack Java JavaScript Jupyter Notebook Kotlin Lua Makefile Objective-C Others PHP Pascal Perl PowerShell Python Raku Ruby Rust Scala Shell Smarty TypeScript Vala Vim script Visual Basic Visual Basic NET Vue YARA Aut

Master-Cheat-Sheet General useful Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scan

Recent Articles

Threat Landscape Trends – Q1 2020
Symantec Threat Intelligence Blog • Critical Attack Discovery and Intelligence Team • 09 Jun 2020

A look at the cyber security trends from the first three months of 2020.

Posted: 9 Jun 2020, 3 min read. Towards the end of the first quarter of 2020, we took a look through telemetry from our vast range of data sources and selected some of the trends that stood out.

From COVID-19-themed malicious email and BEC scams to vulnerability exploits and IoT attacks, let’s take a q...

Patch now? Why enterprise exploits are still partying like it's 1999
The Register • Davey Winder • 08 Sep 2021

Am I only dreaming, or is this burning an Eternal Blue?

Some vulnerabilities remain unreported for the longest time. The 12-year-old Dell SupportAssist remote code execution (RCE) flaw – which was finally unearthed earlier this year – would be one example.
Others, however, have not only been long since reported and had patches released, but continue to pose a threat to enterprises. A joint advisory from the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), published in late July, liste...

Postmortem on U.S. Census Hack Exposes Cybersecurity Failures
Threatpost • Elizabeth Montalbano • 19 Aug 2021

Threat actors exploited an unpatched Citrix flaw to breach the network of the U.S. Census Bureau in January in an attack that was ultimately halted before a backdoor could be installed or sensitive data could be stolen, according to a report by a government watchdog organization.
However, investigators found that officials were informed of the flaw in its servers and had at least two opportunities to fix it before the attack, mainly due to lack of coordination between teams responsible for...

US Census Bureau hacked in January 2020 using Citrix exploit
BleepingComputer • Sergiu Gatlan • 18 Aug 2021

US Census Bureau servers were breached on January 11, 2020, by hackers after exploiting an unpatched Citrix ADC zero-day vulnerability, as the US Office of Inspector General (OIG) disclosed in a recent report.
"The purpose of these servers was to provide the Bureau with remote-access capabilities for its enterprise staff to access the production, development, and lab networks. According to system personnel, these servers did not provide access to 2020 decennial census networks," the OIG

Leading cybersecurity agencies reveal list of most exploited vulnerabilities of the past 2 years
welivesecurity • 29 Jul 2021

The leading cybersecurity and law enforcement agencies from the United States, the United Kingdom, and Australia have issued a joint cybersecurity advisory focusing on the top 30 vulnerabilities that were commonly abused by threat actors over the course of 2020 and 2021.
The advisory, coauthored by the United States’ Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom’s National Cyber Security Center (NCSC) and the Aus...

Here's a list of the flaws Russia, China, Iran and pals exploit most often, say Five Eyes infosec agencies
The Register • Gareth Corfield • 29 Jul 2021

And you've patched them all, haven't you, diligent readers?

Western cybersecurity agencies have published a list of 30 of the most exploited vulnerabilities abused by hostile foreign states in 2020, urging infosec bods to ensure their networks and deployments are fully patched against them.
Number one on the US, UK, and Australia's jointly published [PDF] list was the well-known Citrix arbitrary code execution vuln in Application Delivery Controller, aka Netscaler load-balancer. Tracked as CVE-2019-19781, the vuln has been the subject of repeated p...

Top CVEs Trending with Cybercriminals
Threatpost • Becky Bracken • 16 Jul 2021

Criminal small talk in underground forums offer critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.
An analysis of such chatter, by Cognyte, examined 15 cybercrime forums between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.
“Our findings reveal...

Risk and reward: Nefilim ransomware gang mainly targets fewer, richer companies and that strategy is paying off, warns Trend Micro
The Register • Gareth Corfield • 09 Jun 2021

Criminal operators emerged from woodwork just as COVID hit the West

The Nefilim ransomware gang might not be the best known or most prolific online extortion crew but their penchant for attacking small numbers of $1bn+ turnover firms is paying off, according to the latest research.
The crew has made comparatively fewer headlines next to better-known criminals such as Darkside, perpetrators of the infamous US Colonial Pipeline attack, but analysis from security shop Trend Micro has shown the crooks appear to be going for big companies in the hope of extract...

NSA: Top 5 vulnerabilities actively abused by Russian govt hackers
BleepingComputer • Lawrence Abrams • 15 Apr 2021

A joint advisory from the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) warn that the Russian Foreign Intelligence Service (SVR) is exploiting five vulnerabilities in attacks against U.S. organizations and interests.
In an advisory issued today, the NSA said that it is aware of the Russian SVR using these vulnerabilities against public-facing services to obtain authentication credentials to ...

D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant
Threatpost • Lindsey O'Donnell • 05 Mar 2021

Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network.
Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15.
In order to evade detection, Gafgyt_tor uses Tor to hide its command-and-control (C2) communications, and encry...

VMWare Patches Critical RCE Flaw in vCenter Server
Threatpost • Elizabeth Montalbano • 24 Feb 2021

VMware has patched three vulnerabilities in its virtual-machine infrastructure for data centers, the most serious of which is a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system to find other vulnerable points of network entry to take over affected systems.
Positive Technologies researcher Mikhail Klyuchnikov dis...

Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks
Threatpost • Tara Seals • 21 Oct 2020

Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities – with a Pulse VPN flaw claiming the dubious title of “most-favored bug” for these groups.
That’s according to the National Security Agency (NSA), which released a “top 25” list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of Cactus Pete, TA413, Vicious Panda and Winnti.
The Feds...

Election Systems Under Attack via Microsoft Zerologon Exploits
Threatpost • Lindsey O'Donnell • 13 Oct 2020

U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft’s severe privilege-escalation flaw, dubbed “Zerologon,” to target elections support systems.
Days after Microsoft sounded the alarm that an Iranian nation-state actor was actively exploiting the flaw (CVE-2020-1472), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.

Ray‑Ban parent company reportedly suffers major ransomware attack
welivesecurity • 24 Sep 2020

Luxottica, the world’s leading eyewear producer, has allegedly fallen victim to a ransomware attack that affected its Italian and Chinese operations alike. The Italy-based eyewear giant – which boasts brands such as Ray-Ban, Oakley, and Persol in its portfolio as well as produces eyeglasses for fashion labels such as Burberry, Prada, Chanel, and Versace – appears to have been hit over the weekend.
Details of the alleged attack are not immediately clear, but according to BleepingCompu...

Doppelpaymer ransomware crew fingered for attack on German hospital that caused death of a patient
The Register • Gareth Corfield • 23 Sep 2020

Same mob promised not to target healthcare facilities

The Doppelpaymer ransomware gang were behind the cyber-attack on a German hospital that led to one patient's death, according to local sources.
The Aachener Zeitung newspaper carried a report from the German Press Association (DPA) that Doppelpaymer's eponymous ransomware had been introduced to the University Hospital Düsseldorf's network through a vulnerable Citrix product.
That ransomware infection, activated last week, is said by local prosecutors to have led to the death of one ...

Ransomware attack at German hospital leads to death of patient
BleepingComputer • Lawrence Abrams • 17 Sep 2020

A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.
On September 10th, the University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack after threat actors compromised their network through a software vulnerability in "a commercial add-on software that is common in the market and used worldwide."
According to Germany's cybersecurity agency Bundesamt für Sicherheit in der Informationstechnik (B...

Where China leads, Iran follows: US warns of 'contract' hackers exploiting Citrix, Pulse Secure and F5 VPNs
The Register • Gareth Corfield • 16 Sep 2020

Please just patch your infrastructure, begs US-CISA

Where Chinese hackers exploit, Iranians aren’t far behind. So says the US Cybersecurity and Infrastructure Security Agency, which is warning that malicious persons from Iran are exploiting a slew of vulns in VPN products from Citrix, F5 Networks and Pulse Secure.
The warning mirrors one issued earlier this week for exactly the same vendors, except with China as the malevolent party instead of Iran.
“CISA and FBI are aware of a widespread campaign from an Iran-based malicious cybe...

Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs
Threatpost • Lindsey O'Donnell • 14 Sep 2020

The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.
Patches are currently available for all these flaws – and in some cases, have been available for over a year – however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the...

What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz – Feds
The Register • Shaun Nichols in San Francisco • 14 Sep 2020

Beijing's snoops don't even need zero-days to break into valuable networks

The US government says the Chinese government's hackers are preying on a host of high-profile security holes in enterprise IT equipment to infiltrate Uncle Sam's agencies and American businesses.
Yes, this sounds like something from the Department of the Bleeding Obvious – spies do spying on all sides, and all that – but what's interesting in this latest warning is the roll call of vulnerable products being targeted.
In a joint statement, the FBI and Homeland Security's Cybersecu...

Pioneer Kitten APT Sells Corporate Network Access
Threatpost • Elizabeth Montalbano • 01 Sep 2020

An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.
Pioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised network...

Citrix Warns of Critical Flaws in XenMobile Server
Threatpost • Lindsey O'Donnell • 12 Aug 2020

Citrix is urging users to immediately patch a pair of critical flaws in its flagship mobile device management software. If exploited, the flaws could allow remote, unauthorized attackers to access domain account credentials – ultimately opening the door to a treasure trove of corporate data, including email and web applications.
The flaws exist in Citrix Endpoint Management (CEM), often referred to as XenMobile Server, which enables businesses to manage employees’ mobile devices and m...

Hackers Look to Steal COVID-19 Vaccine Research
Threatpost • Tara Seals • 16 Jul 2020

Threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.
That’s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE), issued Thursday.
The 14-page advisory details the recent activity of Russi...

Citrix tells everyone not to worry too much about its latest security patches. NSA's former top hacker disagrees
The Register • Shaun Nichols in San Francisco • 08 Jul 2020

Eleven flaws cleaned up including one that may be exploited to sling malware downloads

Citrix has issued patches for 11 CVE-listed security vulnerabilities in its various networking products.
The bundle includes fixes for one code injection bug, three information disclosure flaws, three elevation of privilege bugs, two cross-site scripting vulnerabilities, one denial-of-service hole, and one authorization-bypass flaw.
Affected gear includes the Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP. So far there have been no reports of an...

Citrix Bugs Allow Unauthenticated Code Injection, Data Theft
Threatpost • Tara Seals • 07 Jul 2020

Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.
The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 coun...

Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
BleepingComputer • Lawrence Abrams • 22 Jun 2020

Indian conglomerate Indiabulls Group has allegedly been hit with a cyberattack from the CLOP Ransomware operators who have leaked screenshots of stolen data.
The Indiabulls Group is an Indian conglomerate with $3.5 billion in revenue (2019), over 19,000 employees, and subsidiaries focusing on housing, personal finance and lending, infrastructure, and pharmaceuticals.
"The Indiabulls Group is a diversified financial services group with interests in housing finance, consumer finance a...

Business services giant Conduent hit by Maze Ransomware
BleepingComputer • Lawrence Abrams • 04 Jun 2020

The Maze Ransomware operators are claiming to have successfully attacked business services giant Conduent, where they stole unencrypted files and encrypted devices on their network.
Conduent is a New Jersey, USA based business services firm with 67,000 employees and a 2019 business revenue of $4.47 billion.
Today, Maze Ransomware posted a new entry to their data leak site that states that they breached the network for Conduent in May 2020.
When conducting an attack, the Maze ...

US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch
The Register • Shaun Nichols in San Francisco • 14 May 2020

Update, update, update. Plus: Flash, Struts, Drupal also make appearances

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.
Microsoft ranks highly in the list because its software is widely used, and pro...

Surprise surprise! Hostile states are hacking coronavirus vaccine research, warn UK and USA intelligence
The Register • Gareth Corfield • 05 May 2020

Just ask us if you need help, urge NCSC and CISA

Foreign state hackers are trying to brute-force their way into pharmaceutical and medical research agencies hunting for a COVID-19 vaccine, British and American infosec agencies are warning.
The National Cyber Security Centre (NCSC) and America’s Cybersecurity and Infrastructure Security Agency (CISA) cautioned of a “password spraying” campaign targeting healthcare and medical research organisations.
Hostile countries are also said to be abusing a specific Citrix vulnerability ...

Google: We've blocked 126 million COVID-19 phishing scams in the last week
The Register • Paul Kunert • 17 Apr 2020

240 million daily virus themed spams as 'bad actors' feed on people's fear

In the past week, an average of 18 million COVID-19 phishing emails were sent per day via Gmail to unsuspecting marks, according to Google.
"No matter the size of your business, IT teams are facing increased pressure to navigate the challenges of COVID-19," said Neil Kumaran, products manager for Gmail, and Sam Lugani, lead security PMM, G Suite and CP platform, today.
The pair said phishing is still the "most effective method" that scammers deploy to compromise accounts and grab data and resources f...

Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign
Threatpost • Lindsey O'Donnell • 25 Mar 2020

Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in “one of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.”
Between Jan. 20 and March 11, researchers observed APT41 exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central as part of the widespread espionage campaign. Researchers said it’s unclear if APT41 attempted exploitation en ma...

UK Fintech Firm Finastra Hit By Ransomware, Shuts Down Servers
BleepingComputer • Sergiu Gatlan • 20 Mar 2020

Finastra, a leading financial technology provider from the UK, announced that it had to take several servers offline following a ransomware attack detected earlier today.
The fintech company
financial software and services to more than 9,000 customers of all sizes from 130 countries across the globe, including 90 of the top 100 banks globally.
Finastra also has over 10,000 employees working from 42 offices, including London, New York, and Toronto, and a $1.9 billion in rev...

The Week in Ransomware - February 28th 2020 - Data Leaks Everywhere
BleepingComputer • Lawrence Abrams • 28 Feb 2020

Over the past two weeks, we continue to see small towns, fire departments, hospitals, and companies being attacked by ransomware.
As more ransomware operators adopt the technique of stealing data and
on
, organizations face increased pressure to
after a ransom attack.
More than ever, organizations need to tighten the security on their network to avoid compromise as ransomware attacks no longer just affect the attacked companies, but also their employees.
...

DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw
BleepingComputer • Sergiu Gatlan • 26 Feb 2020

Cloud services provider Bretagne Télécom was hacked by the threat actors behind the DoppelPaymer Ransomware using an exploit that targeted servers unpatched against the CVE-2019-19781 vulnerability.
Bretagne Télécom is a privately held French cloud hosting and enterprise telecommunications company that provides telephony, Internet and networking, hosting, and cloud computing services to roughly 3,000 customers, operating around 10,000 managed servers.
In their case, it's a story with a happy outco...

Good: IT admins scrambled to patch 80 per cent of public-facing Citrix boxes to close nightmare hijack hole
The Register • Shaun Nichols in San Francisco • 06 Feb 2020

Bad: The other 20 per cent are still wide open. Also bad: Some of those patched machines may have been hacked

Roughly a fifth of the public-facing Citrix devices vulnerable to the CVE-2019-19781 remote-hijacking flaw, aka Shitrix, remain unpatched and open to remote attack.
Positive Technologies today estimated that thousands of companies remain open to the takeover vulnerability in Citrix ADC and Gateway. A successful exploit would give hackers a foothold in a compromised network.
The infosec biz, whose researchers discovered and disclosed the vulnerability in December of last year, has bee...
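The "patched, but possibly already hacked" point above is the one to act on: the patch closes the hole but says nothing about who came through it beforehand, so the access logs from before the patch date need to be read. The following Python is an added example written for this page, not code from Vulmon, Citrix, Positive Technologies or any scanner the articles mention. The log lines are constructed, the format is the common combined-access-log shape rather than any specific appliance's log format, and the `/vpns/` prefix is taken here as the sensitive directory worth watching (an assumption for the example). The point it demonstrates is that a traversal check must URL-decode the request target (repeatedly, to catch double encoding) and normalise the path before looking for `..` segments; a literal match on the string `/../` misses the encoded variants.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in combined-access-log shape (not taken from any
# real appliance; addresses, timestamps and paths are made up for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1024
198.51.100.4 - - [11/Jan/2020:03:20:00 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 1024
198.51.100.4 - - [11/Jan/2020:03:20:01 +0000] "GET /vpn/%252e%252e/vpns/cfg/smb.conf HTTP/1.1" 403 0
192.0.2.9 - - [11/Jan/2020:04:00:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
192.0.2.9 - - [11/Jan/2020:04:00:05 +0000] "GET /vpn/./images/logo.png HTTP/1.1" 200 4096
203.0.113.7 - - [11/Jan/2020:04:10:00 +0000] "GET /static/../static/app.js HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed sensitive directory: a request that lands here via '..' is the signal.
WATCHED_PREFIX = "/vpns/"


def decode_fully(s, max_rounds=3):
    """URL-decode until the string stops changing, so %252e%252e ('..' encoded twice) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def request_path(target):
    """Decoded path component of the request target; the query string is dropped."""
    return decode_fully(target.split("?", 1)[0])


def has_traversal(target):
    """True if any path segment is '..' after decoding (a lone '.' segment is harmless)."""
    return ".." in request_path(target).split("/")


def reaches(target, prefix):
    """True if the decoded, normalised path resolves to somewhere under the watched prefix."""
    return posixpath.normpath(request_path(target)).startswith(prefix)


def scan_log(text, prefix=WATCHED_PREFIX):
    """One record per request line that contains a traversal segment."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line; skip rather than guess
        target = m["target"]
        if not has_traversal(target):
            continue
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "method": m["method"],
            "target": target,
            "status": int(m["status"]),
            "reaches_watched": reaches(target, prefix),
        })
    return hits


def successful_watched_hits(hits):
    """(ip, target) for traversals that reached the watched prefix and were not rejected.

    A 403 is a blocked attempt and still worth knowing about; a 2xx against the
    watched directory dated before the patch is the 'already compromised' signal."""
    return [(h["ip"], h["target"]) for h in hits
            if h["reaches_watched"] and h["status"] < 400]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        label = "REACHED" if h["reaches_watched"] else "traversal"
        print(f'{label:9} {h["status"]} {h["ip"]:13} {h["target"]}')
    print("successful reads of watched directory:", successful_watched_hits(found))
```

Swap `SAMPLE_LOG` for the real log text and widen `WATCHED_PREFIX` or the regex to match the appliance's own format. Two caveats apply to any such review: a 403 line shows the attempt was blocked, but a 200 against the watched directory means the box should be treated as compromised and rebuilt, not merely patched; and an intruder with code execution can edit or truncate the log, so an empty result is not proof that nothing happened.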

The Week in Ransomware - January 31st 2020 - Taking it to The Courts
BleepingComputer • Lawrence Abrams • 31 Jan 2020

This week we saw victims continuing to use the legal system to target ransomware operators' assets and services as well as a new ransomware targeting vulnerabilities.
The most interesting news is how victims are utilizing the legal system to freeze or get injunctions against the assets and services used by ransomware operators. This was seen in the previous
and this week with a UK judge
for Bitpaymer.
Also of interest, we saw actors exploiting the Citrix ADC vulnerabi...

Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
BleepingComputer • Lawrence Abrams • 28 Jan 2020

A new ransomware called Ragnarok has been detected being used in targeted attacks against unpatched Citrix ADC servers vulnerable to the CVE-2019-19781 exploit.
Last week, FireEye released a report about new attacks exploiting the now patched
to 
on vulnerable networks.
When attackers can compromise a Citrix ADC device, various scripts would be downloaded and executed that scan for Windows computers vulnerable to the EternalBlue vulnerability.
If detected, th...

City of Potsdam Servers Offline Following Cyberattack
BleepingComputer • Sergiu Gatlan • 24 Jan 2020

The City of Potsdam severed the administration servers' Internet connection following a cyberattack that took place earlier this week. Emergency services, including the city's fire department, are fully operational and payments are not affected.
is the largest city and the capital of the German federal state of Brandenburg, bordering the German capital, Berlin.
The systems of the Brandenburg capital are still offline after the unauthorized access to the Potsdam administration's servers w...

Citrix Releases Final Patch as Ransomware Attacks Ramp Up
BleepingComputer • Sergiu Gatlan • 24 Jan 2020

Citrix released the final permanent fix for the actively exploited
, needed to secure all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.
"Today, we released the permanent fix for Citrix Application Delivery Controller (ADC) version 10.5 to address the CVE-2019-19781 vulnerability," Citrix's CISO Fermin J. Serna
.
"We have now released permanent fixes for all supported versions of ADC, Gateway, and SD-WAN WA...

Still losing sleep over that awful Citrix bug? This scanner is here to help... you realize you've already been pwned
The Register • Shaun Nichols in San Francisco • 23 Jan 2020

Handy FireEye tool roots out indicators of compromise

Citrix and FireEye have released a new security tool to help admins find out if their servers have been hacked via the high-profile CVE-2019-19781 flaw that was disclosed in December but only patched on Monday.
The free application, shared under the Apache 2.0 open-source license, will scan devices for indications of compromise for the so-called "Shitrix" arbitrary code execution vulnerability in Citrix's Application Delivery Controller and Gateway products. The tool can be run on any Citr...

PoC Exploits Do More Good Than Harm: Threatpost Poll
Threatpost • Lindsey O'Donnell • 22 Jan 2020

When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.
Last week, Threatpost conducted a reader poll and almost 60 percent of 230 security pundits thought it was a “good idea” to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn’t a good idea.
The debate comes on the heels of PoC code being released last we...

Citrix Releases Scanner to Detect Hacked Citrix ADC Appliances
BleepingComputer • Sergiu Gatlan • 22 Jan 2020

Citrix released a free scanner for detecting compromised Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances by digging for indicators of compromise (IoC) collected in incident response engagements related to CVE-2019-19781 exploitation.
The tool was developed in collaboration with FireEye and it is designed to be run locally to scan an organization's Citrix instances, one appliance at a time, to get assessments of potential indications of co...

Citrix Accelerates Patch Rollout For Critical RCE Flaw
Threatpost • Lindsey O'Donnell • 21 Jan 2020

Citrix has quickened its rollout of patches for a critical vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.
Several versions of the products still remain unpatched – but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timefr...

As miscreants prey on thousands of vulnerable boxes, Citrix finally emits patches to fill in hijacking holes in Gateway and ADC
The Register • Gareth Corfield • 20 Jan 2020

SD-WAN WANOP will have to wait a few days, though

Citrix has rushed out official fixes for the well-publicised vuln in some of its server products after miscreants were seen deploying their own custom patches that left a backdoor open for later exploitation.
As previously reported, vulnerabilities in Citrix Application Delivery Encoder and Citrix Gateway could allow remote attackers to carry out unauthenticated code execution.
In other words, baddies not on your network could get into it and start running all kinds of malicious soft...

Citrix Patches CVE-2019-19781 Flaw in Citrix ADC 11.1 and 12.0
BleepingComputer • Sergiu Gatlan • 19 Jan 2020

Citrix released permanent fixes for the
 impacting Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances and allowing unauthenticated attackers to perform arbitrary code execution.
"Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads
and
," Citrix's CISO Fermin J. Serna says in an
published today.
"These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted o...

'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind
The Register • Shaun Nichols in San Francisco • 17 Jan 2020

Congratulations, you've won a secret backdoor

Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.
Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.

Hackers Are Securing Citrix Servers, Backdoor Them for Access
BleepingComputer • Sergiu Gatlan • 17 Jan 2020

An unknown threat actor is currently scanning for and securing vulnerable Citrix ADC servers against CVE-2019-19781 exploitation attempts, while also backdooring them for future access.
The actor deploys a payload dubbed NOTROBIN by FireEye researchers who discovered this campaign, an implant designed to clean the Citrix ADC appliances of malware strains known to target such devices and to mitigate the
flaw to block subsequent exploitation efforts.
NOTROBIN also plants a back...

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit
The Register • Shaun Nichols in San Francisco • 16 Jan 2020

Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder

Vid Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole. If you haven't taken mitigation steps by now, you're about to have a bad time.
While IT admins can use the proof-of-concept exploit code to check their own systems are secure, miscreants can use them to, in the case of Citrix, hijack remote systems, or in the case of Windows, masquerade malware as legit apps or potentially ...

Unpatched Citrix Flaw Now Has PoC Exploits
Threatpost • Lindsey O'Donnell • 13 Jan 2020

Proof-of-concept (PoC) exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products.
The vulnerability (CVE-2019-19781), which Threatpost reported on in December, already packs a double-punch in terms of severity: Researchers say it is extremely easy to exploit, and affects all supported versions of Citrix Gateway products and Citrix ADC, a purpose-built networking appliance meant to impr...

If you haven't shored up that Citrix hole, you were probably hacked over the weekend: Exploit code now available
The Register • Shaun Nichols in San Francisco • 13 Jan 2020

Plus: TikTok clocked, Honey in a sticky situation, Arm's PAN mechanisms sidestepped

Roundup Welcome to another Register security roundup. Here are a few stories that caught our eye.
Late last month Citrix disclosed a critical security hole (CVE-2019-19781) in both its Application Delivery Controller and Unified Gateway (formerly known as Netscaler ADC and Netscaler Gateway) offerings. Up to 80,000 systems were thought to be at risk, with some 25,000 instances found online over the weekend.
Those admins who haven't put mitigations in place by now will want to make su...

CISA Releases Test Tool for Citrix ADC CVE-2019-19781 Vulnerability
BleepingComputer • Sergiu Gatlan • 13 Jan 2020

DHS CISA released a public domain tool designed to help security staff to test if their organizations are vulnerable to ongoing attacks that might target the CVE-2019-19781 security flaw impacting the Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) products.
"The Cybersecurity and Infrastructure Security Agency (CISA)
that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix G...

Citrix ADC CVE-2019-19781 Exploits Released, Fix Now!
BleepingComputer • Lawrence Abrams • 11 Jan 2020

Numerous working exploits for the Citrix ADC (NetScaler) CVE-2019-19781 vulnerability are finally here and have been publicly posted in numerous locations. There is no patch available for this vulnerability, but Citrix has provided mitigations, which should be applied now!
If successfully exploited, this vulnerability allows unauthenticated users to utilize directory traversal to perform arbitrary code execution.
Since late December,
and
 have been warning that an exp...

Attackers Are Scanning for Vulnerable Citrix Servers, Secure Now
BleepingComputer • Sergiu Gatlan • 08 Jan 2020

Security researchers have observed ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers vulnerable to attacks exploiting
 during the last week.
This vulnerability impacts multiple Citrix products and it could potentially
according to a Positive Technologies report from December.
As the security outfit said at the time, "at least 80,000 companies in 158 countries are potentially at risk," with the ...

Critical Citrix Bug Puts 80,000 Corporate LANs at Risk
Threatpost • Tara Seals • 26 Dec 2019

Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company’s local network and carry out arbitrary code execution.
The Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at leas...

Patch now: Published Citrix applications leave networks of 'potentially 80,000' firms at risk from attackers
The Register • Tim Anderson • 23 Dec 2019

Unauthorised users able to perform 'arbitrary code execution'

A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access.
Citrix (NetScaler) ADC is a load balancer and monitoring tech, while Unified Gateway provides remote access to internal applications. This can include desktop applications as well as intranet or web applications. "Any app...

Critical Citrix Flaw May Expose Thousands of Firms to Attacks
BleepingComputer • Sergiu Gatlan • 23 Dec 2019

A newly discovered vulnerability impacting the Citrix Application Delivery Controller (NetScaler ADC) and the Citrix Gateway (NetScaler Gateway) could potentially expose the networks of over 80,000 firms to hacking attacks.
The vulnerability, currently tracked as
, could allow remote attackers access to a company's internal network without requiring authentication.
If successfully exploited, it leads to arbitrary code execution according to Positive Technologies' sec...

Citrix patches critical ADC flaw the NSA says is already under attack from China
The Register

Yet more pain for the software formerly known as NetScaler

The China-linked crime gang APT5 is already attacking a flaw in Citrix's Application Delivery Controller (ADC) and Gateway products that the vendor patched today.
Citrix says the flaw, CVE-2022-27518, "could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance" if it is configured as a SAML service provider or identity provider (SAML SP, SAML IdP).
Unusually, Citrix has a policy of not revealing the Common Vulnerability Scoring System (CVSS) s...

Patching the Citrix ADC Bug Doesn't Mean You Weren't Hacked
BleepingComputer • Ionut Ilascu • 01 Jan 1970

Citrix on Friday released the final patch for the critical vulnerability tracked as CVE-2019-19781 in its affected appliances. Many organizations are still at risk, though, as they continue to run Citrix servers without a fix or the advised mitigations.
This security flaw is as bad as it can be since it allows unauthenticated attackers to directly access a company’s local network from the internet and run code via directory traversal.
It affects the Citrix Application Delivery Cont...

Russian state hackers switch targets after US joint advisories
BleepingComputer • Sergiu Gatlan • 01 Jan 1970

Russian Foreign Intelligence Service (SVR) operators have switched their attacks to target new vulnerabilities in reaction to US govt advisories published last month with info on SVR tactics, tools, techniques, and capabilities used in ongoing attacks.
The warning comes after US and UK governments
and COVID-19 vaccine developer targeting to Russian SVR (aka APT29, Cozy Bear, and The Dukes) operators' cyber-espionage efforts on April 15.
On the same day, the NSA, CISA, and the...

The Register

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.
Microsoft ranks highly in the list because its software is widely used, and pro...

Vulnerable perimeter devices: a huge attack surface
BleepingComputer • Ionut Ilascu • 01 Jan 1970

With the increase of critical gateway devices deployed to support off-premise work, companies across the world have to adapt to a new threat landscape where perimeter and remote access devices are now in the first line.
Companies lack visibility into the growing network of internet-connected services and devices that support the new work paradigm; and the avalanche of vulnerabilities reported for edge devices makes tackling the new security challenge even more difficult.
In research ...

The Register

Citrix has issued patches for 11 CVE-listed security vulnerabilities in its various networking products.
The bundle includes fixes for one code injection bug, three information disclosure flaws, three elevation of privilege bugs, two cross-site scripting vulnerabilities, one denial-of-service hole, and one authorization-bypass flaw.
Affected gear includes the Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP. So far there have been no reports of an...

The Register

The Doppelpaymer ransomware gang were behind the cyber-attack on a German hospital that led to one patient's death, according to local sources.
The Aachener Zeitung newspaper carried a report from the German Press Association (DPA) that Doppelpaymer's eponymous ransomware had been introduced to the University Hospital Düsseldorf's network through a vulnerable Citrix product.
That ransomware infection, activated last week, is said by local prosecutors to have led to the death of one ...

Dutch Govt Suggests Turning Off Citrix ADC Devices, Mitigations May Fail
BleepingComputer • Ionut Ilascu • 01 Jan 1970

Mitigation recommendations for CVE-2019-19781, a currently unpatched critical flaw affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway, do not have the expected effect on all product versions.
In an updated advisory today, the software company informs that it found a new product that is vulnerable to the same security issue and that the advised actions do not work on some versions of Citrix ADC.
Until patches become available, the company sticks to the
 ...

The Register

The US government says the Chinese government's hackers are preying on a host of high-profile security holes in enterprise IT equipment to infiltrate Uncle Sam's agencies and American businesses.
Yes, this sounds like something from the Department of the Bleeding Obvious – spies do spying on all sides, and all that – but what's interesting in this latest warning is the roll call of vulnerable products being targeted.
In a joint statement, the FBI and Homeland Security's Cybersecu...

The Register

Where Chinese hackers exploit, Iranians aren’t far behind. So says the US Cybersecurity and Infrastructure Security Agency, which is warning that malicious persons from Iran are exploiting a slew of vulns in VPN products from Citrix, F5 Networks and Pulse Secure.
The warning mirrors one issued earlier this week for exactly the same vendors, except with China as the malevolent party instead of Iran.
“CISA and FBI are aware of a widespread campaign from an Iran-based malicious cybe...