Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Patch Management. Show all posts

Ransomware Actor Linked to Attacks Against Citrix NetScaler System

 

Unpatched Citrix NetScaler systems are compromised in domain-wide attacks by a threat actor believed to be linked with the FIN8 hacker organisation exploiting the CVE-2023-3519 remote code execution vulnerability. 

Sophos has been keeping an eye on this campaign since the middle of August, and it has learned that the threat actor executes payload injections, using BlueVPS for malware distribution, delivers obfuscated PowerShell scripts, and drops PHP webshells on victim machines. 

The similarities to another operation spotted earlier this summer by Sophos experts have led the analysts to conclude that the two actions are linked, with the threat actor specialising in ransomware attacks. 

CVE-2023-3519 is a critical-severity (CVSS score: 9.8) code injection vulnerability in Citrix NetScaler ADC and NetScaler Gateway that was identified in mid-July 2023 as an actively exploited zero-day. 

The vendor issued security upgrades to address the issue on July 18th. However, there was evidence that fraudsters were allegedly selling an exploit for the bug since at least July 6th, 2023. 

Shadowserver reported finding 640 webshells in an equivalent number of infected Citrix servers on August 2nd, and Fox-IT increased that total to 1,952 two weeks later. 

More than a month after the security upgrade became available in mid-August, approximately 31,000 Citrix NetScaler instances still had CVE-2023-3519 vulnerabilities, offering threat actors plenty of room for attacks. 

A threat actor identified by Sophos X-Ops as "STAC4663" is reportedly exploiting CVE-2023-3519, and the researchers believe that this is a part of the same campaign that Fox-IT previously reported on earlier this month. 

Analysis of the recent attacks' payload, which is injected into "wuauclt.exe" or "wmiprvse.exe," is still ongoing. However, Sophos believes that it is a link in a chain of ransomware attacks based on the attacker's profile. 

According to Sophos, the campaign is possibly linked to the FIN8 hacker gang, which was recently identified as delivering the BlackCat/ALPHV ransomware. This assumption and the link to the previous campaign of the ransomware actor are based on domain discovery, plink, BlueVPS hosting, unique PowerShell scripting, and the PuTTY Secure Copy [pscp]. 

Finally, the attackers employ a C2 IP address (45.66.248[.]189) for malware staging, as well as a second C2 IP address (85.239.53[.]49) that responds to the same C2 software as in the prior campaign. To assist defenders in detecting and stopping the attack, Sophos has published a list of IoCs (indicators of compromise) for this campaign on GitHub.

Three Ways AI-Powered Patch Management is Influencing Cybersecurity's Future

 

Approaches to patch management that aren't data-driven are breaches just waiting to happen. Security teams delay prioritising patch management until a breach occurs, which allows attackers to weaponize CVEs that are several years old.

More contextual knowledge about which CVEs are most vulnerable is now a part of the evolving cyber attacker tradecraft. As a result, unsecured attack surfaces with exploitable memory conflicts are left behind when patch management is done manually or endpoints are overloaded with agents. 

Attackers continue to hone their skills while weaponizing vulnerabilities with cutting-edge methods and tools that can elude detection and undermine manual patch management systems.

Up to 71% of all detections indexed by the CrowdStrike Threat Graph, according to CrowdStrike's 2023 Global Threat Report, are caused by intrusive activities without the use of malware. Security flaws that had not yet been patched were at blame for 47% of breaches. Remediating security vulnerabilities manually is done by 56% of organisations. 

Consider this if you need any additional evidence that relying on manual patching techniques is ineffective: 20% of endpoints are still not up to date on all patches after remediation, making them vulnerable to breaches once more.

A prime example of how AI can be used in cybersecurity is to automate patch management while utilising various datasets and integrating it into an RBVM platform. The most advanced AI-based patch management systems can translate vulnerability assessment telemetry and rank risks according to patch type, system, and endpoint. Nearly every vendor in this sector is advancing AI and machine learning quickly due to risk-based scoring.

When prioritising and automating patching operations, vulnerability risk rating and scoring based on AI and machine learning provide the knowledge security teams need. The following three examples highlight how AI-driven patch management is revolutionising cybersecurity: 

Real time detection 

To overpower endpoint perimeter-based protection, attackers rely on machine-based exploitation of patch vulnerabilities and flaws. Attack patterns are identified and added to the algorithms' knowledge base via supervised machine learning techniques that have been trained on data. As a result of the fact that machine identities now outweigh human identities by a factor of 45, attackers look for vulnerable endpoints, systems, and other assets that are not patched up to date.

In a recent interview, Ivanti's Mukkamala described how he sees patch management evolving into a more automated process with AI copilots supplying more contextual intelligence and forecast accuracy. 

“With more than 160,000 vulnerabilities currently identified, it is no wonder that IT and security professionals overwhelmingly find patching overly complex and time-consuming,” Mukkamala explained. “This is why organizations need to utilize AI solutions … to assist teams in prioritizing, validating and applying patches. The future of security is offloading mundane and repetitive tasks suited for a machine to AI copilots so that IT and security teams can focus on strategic initiatives for the business.” 

Automating remediation decisions 

Machine learning algorithms continuously analyse and learn from telemetry data to increase prediction accuracy and automate remediation decisions. The quick evolution of the Exploit Prediction Scoring System (EPSS) machine learning model, developed with the combined knowledge of 170 professionals, is one of the most exciting aspects of this breakthrough field.

The EPSS is designed to aid security teams in managing the rising tide of software vulnerabilities and spotting the most perilous ones. The model now in its third iteration outperforms earlier iterations by 82%. 

“Remediating vulnerabilities by faster patching is costly and can lead astray the most active threats,” writes Gartner in its report Tracking the Right Vulnerability Management Metrics (client access required). “Remediating vulnerabilities via risk-based patching is more cost-effective and targets the most exploitable, business-critical threats.” 

Contextual understanding of endpoint assets 

Another noteworthy aspect of AI-based patch management innovation is the speed with which providers are enhancing their usage of AI and machine learning to discover, inventory, and patch endpoints that require updates. Each vendor's approach is unique, but they all strive to replace the outmoded, error-prone, manual inventory-based method. Patch management and RBVM platform suppliers are rushing out new updates that improve prediction accuracy and the capacity to determine which endpoints, machines, and systems need to be patched.

Bottom line

The first step is to automate patch management updates. Following that, patch management systems and RBVM platforms are integrated to improve application-level version control and change management. Organisations will acquire more contextual information as supervised and unsupervised machine learning algorithms assist models discover potential abnormalities early and fine-tune their risk-scoring accuracy. Many organisations are still playing catch-up when it comes to patch management. To realise their full potential, organisations must leverage these technologies to manage whole lifecycles.