
Researcher Claims: Teens with “Digital Bazookas” are Winning Ransomware War


Boeing, an Australian shipping company, the world's largest bank and the world's biggest law firm have one thing in common: each has suffered at least one cybersecurity incident. According to a post published on DoublePulsar on Monday, these breaches were apparently carried out by a teenage hacker, and all of them trace back to the companies' failure to patch a critical vulnerability that security professionals had warned about weeks earlier.

According to Kevin Beaumont, a freelance security researcher, the other notable victims include DP World Australia, the Australian arm of the Dubai-based logistics company DP World; the Industrial and Commercial Bank of China (ICBC); and Allen & Overy, a multinational law firm.

All four companies have recently acknowledged at least one security incident, and China's ICBC has reportedly paid an undisclosed ransom to retrieve the encryption keys for data that has remained unavailable since the breach.

Citing data that allows ransomware operators to be tracked, as well as people familiar with the breaches, Beaumont stated that the four businesses are among the ten victims he knows of that are currently being extorted by LockBit, one of the most active and destructive ransomware syndicates in the world. All four organizations run the Citrix NetScaler networking product, and, according to Beaumont, none of them had applied the patch for a critical vulnerability in it, even though a fix has been available since October 10.

CitrixBleed Bug

CitrixBleed, which carries a severity rating of 9.4 out of 10, is an easy-to-exploit vulnerability that leaks session tokens; a stolen token can be used to bypass any multifactor authentication mechanism protecting the vulnerable network. Once inside the victim's internal network, attackers have the equivalent of a point-and-click desktop PC and are free to move around.

In his post, Beaumont wrote:

Ransomware groups are often staffed by almost all teenagers and haven’t been taken seriously for far too long as a threat. They are a threat to civil society as long as organizations keep paying.

Focusing on cybersecurity fundamentals for enterprise-scale organizations is a challenge, as often people are chasing after the perceived next big thing—metaverse (remember that?), NFTs, generative AI—without being able to do the fundamentals well. Large-scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly.

The cybersecurity reality we live in now is teenagers are running around in organized crime gangs with digital bazookas. They probably have a better asset inventory of your network than you, and they don’t have to wait 4 weeks for 38 people to approve a change request for patching 1 thing.

Know your network boundary and risky products as well as LockBit do. You need to be able to identify and patch something like CitrixBleed within 24 hours—if you cannot, there is a very real possibility it isn’t the ideal product fit for your organization due to the level of risk it poses, and you need to rethink if the architecture of your house is fit for purpose. 

Vendors like Citrix need to have clear statements of intent for securing their products, as piling on patch after patch after patch is not sustainable for many organizations—or customers should opt with their wallets for more proven solutions. The reality is many vendors are shipping appliance products with cybersecurity standards worse than when I started my career in the late '90s—while also advertising themselves as the experts. Marketing is a hell of a drug.

Beaumont also cited query results from the Shodan search service showing that, at the time of the intrusions, none of the four firms had installed the CitrixBleed patch. The vulnerability is tracked as CVE-2023-4966.

The researcher also criticized Citrix for NetScaler's logging capabilities, which he said make it practically impossible for customers to determine whether they have been compromised. As a result, some organizations that have since applied the CitrixBleed patch may be unaware that LockBit was already present on their networks.

Boeing declined to comment on the post.

Emails to Citrix and Allen & Overy had gone unanswered by the time Ars Technica published its coverage of the post, and the publication further notes that requests for comment from DP World and ICBC were not immediately answered either.

After the CitrixBleed exploit provides initial remote access through the Virtual Desktop Infrastructure software, LockBit uses tools such as Atera, which offers interactive PowerShell sessions without triggering antivirus or endpoint detection alerts, to extend its access to other parts of the compromised network. That access persists even after CitrixBleed is patched, unless administrators take specific additional steps.

Patch ASAP: Critical Citrix and VMware Bugs Threaten Takeover of Remote Workspaces


Critical authentication-bypass vulnerabilities in Citrix and VMware offerings are threatening devices running remote workspaces with complete takeover, the vendors warned this week. 

Given both vendors' history of being exploited, administrators are urged to prioritize patching; both disclosures prompted CISA alerts on Wednesday.

Citrix Gateway, A Perfect Avenue for Infesting Orgs: 

On the Citrix side, a critical vulnerability tracked as CVE-2022-27510 (with a CVSS vulnerability-severity score of 9.8 out of 10) allows unauthorized access to Citrix Gateway when the device is used as an SSL VPN. In that role it provides access to internal company applications from any device over the Internet and offers single sign-on across applications and devices.

The vulnerability would therefore give a threat actor an easy initial foothold, from which to dig deeper into an organization's cloud footprint and cause disruption across the network.

In its advisory, Citrix also noted that its Application Delivery Controller (ADC) product, which gives administrators visibility into applications across multiple cloud instances, is vulnerable to remote desktop takeover (CVE-2022-27513, CVSS 8.3) and brute-force protection bypass (CVE-2022-27516, CVSS 5.3).

According to researcher Satnam Narang, Citrix Gateway and ADC have long been favorite targets of cybercriminals because of how many parts of an organization they provide entry into, which underscores the importance of patching.

"Citrix ADC and Gateways have been routinely targeted by a number of threat actors over the last few years through the exploitation of CVE-2019-19781, a critical path traversal vulnerability that was first disclosed in December 2019 and subsequently exploited beginning in January 2020 after exploit scripts for the flaw became publicly available," Narang wrote in a Wednesday blog. 

"CVE-2019-19781 has been leveraged by state-sponsored threat actors with ties to China and Iran, as part of ransomware attacks against various entities including the healthcare sector, and was recently included as part of an updated list of the top vulnerabilities exploited by the People's Republic of China state-sponsored actors from early October," he added.

Users should promptly update to Gateway versions 13.1-33.47, 13.0-88.12 or 12.1-65.21 to address the latest issues.

VMware Workspace ONE Assist, a trio of cybercrime threats:

VMware, for its part, reported three authentication-bypass bugs, all in Workspace ONE Assist for Windows. The bugs (CVE-2022-31685, CVE-2022-31686 and CVE-2022-31687, all rated CVSS 9.8) allow both local and remote attackers to gain administrative privileges without authenticating, giving them full run of the targeted devices.

Workspace ONE Assist is a remote desktop product used mainly by tech support to troubleshoot and fix IT issues for employees working remotely. As such, it operates with the highest levels of privilege, potentially giving remote attackers an ideal initial access target and pivot point to other corporate resources.

VMware also disclosed two additional vulnerabilities in Workspace ONE Assist: a cross-site scripting (XSS) flaw (CVE-2022-31688, CVSS 6.4) and a bug (CVE-2022-31689, CVSS 4.2) that allows a "malicious actor who obtains a valid session token to authenticate to the application using that token," according to the vendor's Tuesday advisory.

VMware, too, has a history of being targeted by cybercriminals. After a major vulnerability in Workspace ONE Access (used to distribute corporate apps to remote employees), tracked as CVE-2022-22954, was disclosed in April, a proof-of-concept (PoC) exploit was published on GitHub and tweeted out to the world almost immediately.

Consequently, researchers from multiple security firms started looking for probes and exploit attempts very soon thereafter — with an ultimate motive of infecting targets with numerous or establishing a backdoor via Log4Shell. 

Users are advised to update Workspace ONE Assist to version 22.10 to patch all of the recently disclosed problems.

Critical Citrix DDoS Flaw Collapses Network Access

 

Attackers could use a serious security flaw in Citrix Application Delivery Controller (ADC) and Citrix Gateway to disrupt entire corporate networks without having to authenticate.

The two Citrix products in question (formerly NetScaler ADC and Gateway) are used to manage application-aware traffic and to provide secure remote access, respectively. According to the alert, the vendor released a security patch on Tuesday for CVE-2021-22955, which permits unauthenticated denial of service (DoS) through uncontrolled resource consumption.

Citrix also fixed a lower-severity issue, likewise caused by unmanaged resource consumption, that affects both the products above and the Citrix SD-WAN WANOP Edition appliance. The latter provides optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) apps across enterprise and branch locations.

The second vulnerability, tracked as CVE-2021-22956, allows temporary disruption of a device's management GUI, of the Nitro API used to configure and monitor NetScaler appliances, and of remote procedure call (RPC) communication, which underpins Citrix's distributed computing in Citrix environments.

As for the potential impact, all three products are widely used around the world, with Gateway and ADC deployed in at least 80,000 firms across 158 countries as of early 2020, according to a Positive Technologies analysis from that time.

Taking any of this equipment down could cut off remote and branch access to corporate assets and block access to cloud and virtual assets and apps in general. All of this makes the products a tempting target for cybercriminals, and Citrix ADC and Gateway in particular are no strangers to severe vulnerabilities.

About affected versions: 

Though Citrix did not provide technical details on the new vulnerabilities, VulnDB stated on Wednesday that "the exploitability is told to be difficult. The attack can only be initiated within the local network. The exploitation doesn't require any form of authentication."

Despite Citrix's internal classification of "critical," VulnDB gave the issue a severity score of 5.1 out of 10. The site stated that the vulnerabilities are worth up to $5,000, and that "manipulation with an unknown input leads in a denial of service vulnerability...This will have a negative influence on availability."

The vulnerabilities, according to the vendor, impact the following supported versions:
Citrix ADC and Citrix Gateway (CVE-2021-22955 and CVE-2021-22956): 
• Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27 
• Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22 
• Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23 
• Citrix ADC 12.1-FIPS before 12.1-55.257 

Citrix SD-WAN WANOP Edition (CVE-2021-22956): 
• Models 4000-WO, 4100-WO, 5000-WO and 5100-WO 
• Version 11.4 before 11.4.2 
• Version 10.2 before 10.2.9c 
• The WANOP feature of SD-WAN Premium Edition is not impacted. 

Appliances have to be set up as a VPN or AAA virtual server to be vulnerable to the initial Citrix ADC and Gateway flaw. In the case of the second bug, appliances must have management interface access to NSIP or SNIP. Customers that use Citrix-managed cloud services will not be impacted.

Citrix releases patch for 11 major vulnerabilities


Citrix Software Inc., a multinational American software company whose products are used by 99% of Fortune 100 companies, recently released a patch for 11 vulnerabilities that affect Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP (appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO).


Citrix says these 11 vulnerabilities are unrelated to the CVE-2019-19781 remote code execution flaw it patched in January, and that they do not affect any cloud versions. The company stated that the patch fully addresses the issues, advised customers to apply it to prevent potential attacks, and noted that there are barriers to exploiting many of them.

"There are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack. And in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue" Citrix's CISO Fermin J. Serna said in a statement.

The following versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP contain the fixes:

  • Citrix ADC and Citrix Gateway 13.0-58.30 and later releases 
  • Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases 
  • Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases 
  • Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases 
  • NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases 
  • Citrix SD-WAN WANOP 11.1.1a and later releases 
  • Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases 
  • Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases 
  • Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions 
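As an added illustration (not Citrix tooling and not code from the original post), the following Python script checks NetScaler ADC/Gateway build strings from a constructed inventory against the fixed builds listed in this post and in the CVE-2021-22955/22956 post above; it is the kind of check the "better asset inventory" point earlier on this page calls for. The advisory table is transcribed from this page; the inventory, host names and helper names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds per release branch, transcribed from the two advisories on
# this page. A build on a listed branch that is older than the fix is
# still exposed to that advisory; branches the advisory does not list are
# flagged for manual review rather than silently treated as safe.
ADVISORIES: Dict[str, Dict[str, str]] = {
    "CVE-2021-22955/22956": {
        "13.0": "13.0-83.27", "12.1": "12.1-63.22",
        "11.1": "11.1-65.23", "12.1-FIPS": "12.1-55.257",
    },
    "11-CVE bulletin": {
        "13.0": "13.0-58.30", "12.1": "12.1-57.18", "12.0": "12.0-63.21",
        "11.1": "11.1-64.14", "10.5": "10.5-70.18",
    },
}

# NetScaler builds look like "13.0-83.27": <major>.<minor>-<build>.<rev>
_BUILD = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(s: str) -> Tuple[int, ...]:
    """'13.0-83.27' -> (13, 0, 83, 27); rejects SD-WAN style '10.2.9c'."""
    m = _BUILD.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {s!r}")
    return tuple(int(x) for x in m.groups())


def missing_fixes(build: str, fips: bool = False) -> List[str]:
    """Advisories whose fix is newer than `build` on the same branch."""
    cur = parse_build(build)
    branch = f"{cur[0]}.{cur[1]}" + ("-FIPS" if fips else "")
    findings = []
    for name, fixes in ADVISORIES.items():
        if branch not in fixes:
            findings.append(f"{name}: branch {branch} not listed, verify manually")
        elif cur < parse_build(fixes[branch]):
            findings.append(f"{name}: needs {fixes[branch]}")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real data.
    inventory = {"gw-edge-1": ("13.0-58.30", False),
                 "gw-fips-1": ("12.1-55.200", True)}
    for host, (build, fips) in inventory.items():
        print(host, build, missing_fixes(build, fips) or ["up to date"])
```

The SD-WAN WANOP and Gateway Plug-in entries above use a different version scheme and are deliberately rejected by the parser rather than guessed at.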


Customers should download and install these releases as soon as possible on their Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances. If the update does not appear in the software itself, it can be obtained from Citrix's website.

If left unfixed, these vulnerabilities could lead to serious exploitation depending on the targeted area:

Attacks on the management interface could result in:
"• System compromise by an unauthenticated user on the management network.
• System compromise through Cross-Site Scripting (XSS) on the management interface.
• Creation of a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, may result in the compromise of their local computer."

Attacks on a Virtual IP (VIP) could lead to:
"• Denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user (the load balancing virtual server is unaffected).
• Remote port scanning of the internal network by an authenticated Citrix Gateway user. Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices."