An issue exists in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
citrix application_delivery_controller_firmware 10.5 |
||
citrix application_delivery_controller_firmware 11.1 |
||
citrix application_delivery_controller_firmware 12.0 |
||
citrix application_delivery_controller_firmware 12.1 |
||
citrix application_delivery_controller_firmware 13.0 |
||
citrix netscaler_gateway_firmware 10.5 |
||
citrix netscaler_gateway_firmware 11.1 |
||
citrix netscaler_gateway_firmware 12.0 |
||
citrix netscaler_gateway_firmware 12.1 |
||
citrix gateway_firmware 13.0 |
A look at the cyber security trends from the first three months of 2020.
Posted: 9 Jun, 20203 Min ReadThreat Intelligence SubscribeThreat Landscape Trends – Q1 2020A look at the cyber security trends from the first three months of 2020.Towards the end of the first quarter of 2020, we took a look through telemetry from our vast range of data sources and selected some of the trends that stood out.
From COVID-19-themed malicious email and BEC scams to vulnerability exploits and IoT attacks, let’s take a q...
A joint advisory from the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) warn that the Russian Foreign Intelligence Service (SVR) is exploiting five vulnerabilities in attacks against U.S. organizations and interests.
In an advisory issued today, the NSA said that it is aware of the Russian SVR using these vulnerabilities against public-facing services to obtain authentication credentials to ...
Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network.
Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15.
In order to evade detection, Gafgyt_tor uses Tor to hide its command-and-control (C2) communications, and encry...
VMware has patched three vulnerabilities in its virtual-machine infrastructure for data centers, the most serious of which is a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system to find other vulnerable points of network entry to take over affected systems.
Positive Technologies researcher Mikhail Klyuchnikov dis...
Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities – with a Pulse VPN flaw claiming the dubious title of “most-favored bug” for these groups.
That’s according to the National Security Agency (NSA), which released a “top 25” list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of Cactus Pete, TA413, Vicious Panda and Winniti.
The Feds...
U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft’s severe privilege-escalation flaw, dubbed “Zerologon,” to target elections support systems.
Days after Microsoft sounded the alarm that an Iranian nation-state actor was actively exploiting the flaw (CVE-2020-1472), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.
Luxottica, the world’s leading eyewear producer, has allegedly fallen victim to a ransomware attack that affected its Italian and Chinese operations alike. The Italy-based eyewear giant – which boasts brands such as Ray-Ban, Oakley, and Persol in its portfolio as well as produces eyeglasses for fashion labels such as Burberry, Prada, Chanel, and Versace – appears to have been hit over the weekend.
Details of the alleged attack are not immediately clear, but according to BleepingCompu...
A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.
On September 10th, the University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack after threat actors compromised their network a software vulnerability in "a commercial add-on software that is common in the market and used worldwide."
According to Germany's cybersecurity agency Bundesamt für Sicherheit in der Informationstechnik (B...
The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.
Patches are currently available for all these flaws – and in some cases, have been available for over a year – however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the...
An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.
Pioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised network...
Citrix is urging users to immediately patch a pair of critical flaws in its flagship mobile device management software. If exploited, the flaws could allow remote, unauthorized attackers to access domain account credentials – ultimately opening the door to a treasure trove of corporate data, including email and web applications.
The flaws exist in Citrix Endpoint Management (CEM), often referred to as XenMobile Server, which enables businesses to manage employees’ mobile devices and m...
Threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.
That’s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE), issued Thursday.
The 14-page advisory details the recent activity of Russi...
Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.
The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 coun...
Indian conglomerate Indiabulls Group has allegedly been hit with a cyberattack from the CLOP Ransomware operators who have leaked screenshots of stolen data.
The Indiabulls Group is an Indian conglomerate with $3.5 billion in revenue (2019), over 19,000 employees, and subsidiaries focusing on housing, personal finance and lending, infrastructure, and pharmaceuticals.
"The Indiabulls Group is a diversified financial services group with interests in housing finance, consumer finance a...
The Maze Ransomware operators are claiming to have successfully attacked business services giant Conduent, where they stole unencrypted files and encrypted devices on their network.
Conduent is a New Jersey, USA based business services firm with 67,000 employees and a 2019 business revenue of $4.47 billion.
Today, Maze Ransomware posted a new entry to their data leak site that states that they breached the network for Conduent in May 2020.
When conducting an attack, the Maze ...
The Maze Ransomware operators are claiming to have successfully attacked business services giant Conduent, where they stole unencrypted files and encrypted devices on their network.
Conduent is a New Jersey, USA based business services firm with 67,000 employees and a 2019 business revenue of $4.47 billion.
Today, Maze Ransomware posted a new entry to their data leak site that states that they breached the network for Conduent in May 2020.
When conducting an attack, the Maze ...
Just ask us if you need help, urge NCSC and CISA
Foreign state hackers are trying to brute-force their way into pharmaceutical and medical research agencies hunting for a COVID-19 vaccine, British and American infosec agencies are warning.
The National Cyber Security Centre (NCSC) and America’s Cybersecurity and Infrastructure Security Agency (CISA) cautioned of a “password spraying” campaign targeting healthcare and medical research organisations.
Hostile countries are also said to be abusing a specific Citrix vulnerability ...
240 million daily virus themed spams as 'bad actors' feed on people's fear
In the past week, some 18 million COVID-19 phishing emails were sent via Gmail to unsuspecting marks, according to Google.
"No matter the size of your business, IT teams are facing increased pressure to navigate the challenges of COVID-19," said Neil Kumaran, products manager for Gmail, and Sam Lugani, lead security PMM, G Suite and CP platform, today.
The pair said phishing is still the "most effective method" that scammers deploy to compromise accounts and grab data and resources f...
Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in “one of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.”
Between Jan. 20 and March 11, researchers observed APT41 exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central as part of the widespread espionage campaign. Researchers said it’s unclear if APT41 attempted exploitation en ma...
Finastra, a leading financial technology provider from the UK, announced that it had to take several servers offline following a ransomware attack detected earlier today.
The fintech company
financial software and services to more than 9,000 customers of all sizes from 130 countries across the globe, including 90 of the top 100 banks globally.
Finastra also has over 10,000 employees working from 42 offices, including London, New York, and Toronto, and a $1.9 billion in rev...
Over the past two weeks, we continue to see small towns, fire departments, hospitals, and companies being attacked by ransomware.
As more ransomware operators adopt the technique of stealing data and
on
, organizations face increased pressure to
after a ransom attack.
More than ever, organizations need to tighten the security on their network to avoid compromise as ransomware attacks no longer just affect the attacked companies, but also their employees.
...
Cloud services provider Bretagne Télécom was hacked by the threat actors behind the DoppelPaymer Ransomware using an exploit that targeted servers unpatched against the CVE-2019-19781 vulnerability.
is a privately held French cloud hosting and enterprise telecommunications company that provides telephony, Internet and networking, hosting, and cloud computing services to roughly 3,000 customers, operating around 10,000 managed servers.
In their case, it's a story with a happy outco...
Bad: The other 20 per cent are still wide open. Also bad: Some of those patched machines may have been hacked
Roughly a fifth of the public-facing Citrix devices vulnerable to the CVE-2019-19781 remote-hijacking flaw, aka Shitrix, remain unpatched and open to remote attack.
Positive Technologies today estimated that thousands of companies remain open to the takeover vulnerability in Citrix ADC and Gateway. A successful exploit would give hackers a foothold in a compromised network.
The infosec biz, whose researchers discovered and disclosed the vulnerability in December of last year, has bee...
This week we saw victims continuing to use the legal system to target ransomware operators' assets and services as well as a new ransomware targeting vulnerabilities.
The most interesting news is how victims are utilizing the legal system to freeze or get injunctions against the assets and services used by ransomware operators. This was seen in the previous
and this week with a UK judge
for Bitpaymer.
Also of interest, we saw actors exploiting the Citrix ADC vulnerabi...
A new ransomware called Ragnarok has been detected being used in targeted attacks against unpatched Citrix ADC servers vulnerable to the CVE-2019-19781 exploit.
Last week, FireEye released a report about new attacks exploiting the now patched
to
on vulnerable networks.
When attackers can compromise a Citrix ADC device, various scripts would be downloaded and executed that scan for Windows computers vulnerable to the EternalBlue vulnerability.
If detected, th...
The City of Potsdam severed the administration servers' Internet connection following a cyberattack that took place earlier this week. Emergency services including the city's fire department fully operational and payments are not affected.
is the largest city and the capital of the German federal state of Brandenburg, bordering the German capital, Berlin.
The systems of the Brandenburg capital are still offline after the unauthorized access to the Potsdam administration's servers w...
Citrix released the final permanent fix for the actively exploited
, needed to secure all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.
"Today, we released the permanent fix for Citrix Application Delivery Controller (ADC) version 10.5 to address the CVE-2019-19781 vulnerability," Citrix's CISO Fermin J. Serna
.
"We have now released permanent fixes for all supported versions of ADC, Gateway, and SD-WAN WA...
Handy FireEye tool roots out indicators of compromise
Citrix and FireEye have released a new security tool to help admins find out if their servers have been hacked via the high-profile CVE-2019-19781 flaw that was disclosed in December but only patched on Monday.
The free application, shared under the Apache 2.0 open-source license, will scan devices for indications of compromise for the so-called "Shitrix" arbitrary code execution vulnerability in Citrix's Application Delivery Controller and Gateway products. The tool can be run on any Citr...
When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.
Last week, Threatpost conducted a reader poll and almost 60 percent of 230 security pundits thought it was a “good idea” to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn’t a good idea.
The debate comes on the heels of PoC code being released last we...
Citrix released a free scanner for detecting compromised Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances by digging for indicators of compromise (IoC) collected in incident response engagements related to CVE-2019-19781 exploitation.
The tool was developed in collaboration with FireEye and it is designed to be used locally to scan their organizations Citrix instances, one appliance at a time, to get assessments of potential indications of co...
Citrix has quickened its rollout of patches for a critical vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.
Several versions of the products still remain unpatched – but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timefr...
SD-WAN WANOP will have to wait a few days, though
Citrix has rushed out official fixes for the well-publicised vuln in some of its server products after miscreants were seen deploying their own custom patches that left a backdoor open for later exploitation.
As previously reported, vulnerabilities in Citrix Application Delivery Encoder and Citrix Gateway could allow remote attackers to carry out unauthenticated code execution.
In other words, baddies not on your network could get into it and start running all kinds of malicious soft...
Citrix released permanent fixes for the
impacting Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances and allowing unauthenticated attackers to perform arbitrary code execution.
"Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads
and
," Citrix's CISO Fermin J. Serna says in an
published today.
"These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted o...
Congratulations, you've won a secret backdoor
Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.
Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.
Congratulations, you've won a secret backdoor
Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.
Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.
An unknown threat actor is currently scanning for and securing vulnerable Citrix ADC servers against CVE-2019-19781 exploitation attempts, while also backdooring them for future access.
The actor deploys a payload dubbed NOTROBIN by FireEye researchers who discovered this campaign, an implant designed to clean the Citrix ADC appliances of malware strains known to target such devices and to mitigate the
flaw to block subsequent exploitation efforts.
NOTROBIN also plants a back...
Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder
Vid Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole. If you haven't taken mitigation steps by now, you're about to have a bad time.
While IT admins can use the proof-of-concept exploit code to check their own systems are secure, miscreants can use them to, in the case of Citrix, hijack remote systems, or in the case of Windows, masquerade malware as legit apps or potentially ...
Proof-of-concept (PoC) exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products.
The vulnerability (CVE-2019-19781), which Threatpost reported on in December, already packs a double-punch in terms of severity: Researchers say it is extremely easy to exploit, and affects all supported versions of Citrix Gateway products and Citrix ADC, a purpose-built networking appliance meant to impr...
Plus: TikTok clocked, Honey in a sticky situation, Arm's PAN mechanisms sidestepped
Roundup Welcome to another Register security roundup. Here are a few stories that caught our eye.
Late last month Citrix disclosed a critical security hole (CVE-2019-19781) in both its Application Delivery Controller and Unified Gateway (formerly known as Netscaler ADC and Netscaler Gateway) offerings. Up to 80,000 systems were thought to be at risk, with some 25,000 instances found online over the weekend.
Those admins who haven't put mitigations in place by now will want to make su...
DHS CISA released a public domain tool designed to help security staff to test if their organizations are vulnerable to ongoing attacks that might target the CVE-2019-19781 security flaw impacting the Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) products.
"The Cybersecurity and Infrastructure Security Agency (CISA)
that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix G...
Numerous working exploits for the Citrix ADC (NetScaler) CVE-2019-19781 vulnerability are finally here and have been publicly posted in numerous locations. There is no patch available for this vulnerability, but Citrix has provided mitigations, which should be applied now!
If successfully exploited, this vulnerability allows unauthenticated users to utilize directory traversal to perform arbitrary code execution.
Since late December,
and
have been warning that an exp...
Security researchers have observed ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers vulnerable to attacks exploiting
during the last week.
This vulnerability impacts multiple Citrix products and it could potentially
according to a Positive Technologies report from December.
As the security outfit said at the time, "at least 80,000 companies in 158 countries are potentially at risk," with the ...
Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company’s local network and carry out arbitrary code execution.
The Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at leas...
Unauthorised users able to perform 'arbitrary code execution'
A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access.
Citrix (NetScaler) ADC is a load balancer and monitoring tech, while Unified Gateway provides remote access to internal applications. This can include desktop applications as well as intranet or web applications. "Any app...
A newly discovered vulnerability impacting the Citrix Application Delivery Controller (NetScaler ADC) and the Citrix Gateway (NetScaler Gateway) could potentially expose the networks of over 80,000 firms to hacking attacks.
The vulnerability, currently tracked as
, could allow remote attackers with access to a company's internal network without requiring authentication.
If successfully exploited, it leads to arbitrary code execution according to Positive Technologies' sec...
Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.
Microsoft ranks highly in the list because its software is widely used, and pro...
Mitigation recommendations for CVE-2019-19781, a currently unpatched critical flaw affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway, do not have the expected effect on all product versions.
In an updated advisory today, the software company informs that it found a new product that is vulnerable to the same security issue and that the advised actions do not work on some versions of Citrix ADC.
Until patches become available, the company sticks to the
...
Citrix has issued patches for 11 CVE-listed security vulnerabilities in its various networking products.
The bundle includes fixes for one code injection bug, three information disclosure flaws, three elevation of privilege bugs, two cross-site scripting vulnerabilities, one denial-of-service hole, and one authorization-bypass flaw.
Affected gear includes the Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP. So far there have been no reports of an...
Citrix on Friday released the final patch for the critical vulnerability tracked as CVE-2019-19781 in its affected appliances. Many organizations are still at risk, though, as they continue to run Citrix servers without a fix or the advised mitigations.
This security flaw is as bad as it can be since it allows unauthenticated attackers to directly access a company’s local network from the internet and run code via directory traversal.
It affects the Citrix Application Delivery Cont...
With the increase of critical gateway devices deployed to support off-premise work, companies across the world have to adapt to a new threat landscape where perimeter and remote access devices are now in the first line.
Companies lack visibility into the growing network of internet-connected services and devices that support the new work paradigm; and the avalanche of vulnerabilities reported for edge devices makes tackling the new security challenge even more difficult.
In research ...
The US government says the Chinese government's hackers are preying on a host of high-profile security holes in enterprise IT equipment to infiltrate Uncle Sam's agencies and American businesses.
Yes, this sounds like something from the Department of the Bleeding Obvious – spies do spying on all sides, and all that – but what's interesting in this latest warning is the roll call of vulnerable products being targeted.
In a joint statement, the FBI and Homeland Security's Cybersecu...
Where Chinese hackers exploit, Iranians aren’t far behind. So says the US Cybersecurity and Infrastructure Security Agency, which is warning that malicious persons from Iran are exploiting a slew of vulns in VPN products from Citrix, F5 Networks and Pulse Secure.
The warning mirrors one issued earlier this week for exactly the same vendors, except with China as the malevolent party instead of Iran.
“CISA and FBI are aware of a widespread campaign from an Iran-based malicious cybe...
The Doppelpaymer ransomware gang were behind the cyber-attack on a German hospital that led to one patient's death, according to local sources.
The Aachener Zeitung newspaper carried a report from the German Press Association (DPA) that Doppelpaymer's eponymous ransomware had been introduced to the University Hospital Düsseldorf's network through a vulnerable Citrix product.
That ransomware infection, activated last week, is said by local prosecutors to have led to the death of one ...
Russian Foreign Intelligence Service (SVR) operators have switched their attacks to target new vulnerabilities in reaction to US govt advisories published last month with info on SVR tactics, tools, techniques, and capabilities used in ongoing attacks.
The warning comes after US and UK governments
and COVID-19 vaccine developer targeting to Russian SVR (aka APT29, Cozy Bear, and The Dukes) operators' cyber-espionage efforts on April 15.
On the same day, the NSA, CISA, and the...
The Doppelpaymer ransomware gang were behind the cyber-attack on a German hospital that allegedly led to one patient's death, according to local sources.
The Aachener Zeitung newspaper carried a report from the German Press Association (DPA) that Doppelpaymer's eponymous ransomware had been introduced to the University Hospital Düsseldorf's network through a vulnerable Citrix product.
That ransomware infection, activated last week, is said by local prosecutors to have led to the dea...
Vulmon
