Search Results for “Sergiu Gatlan”

December 18, 2019
Sergiu Gatlan / Bleeping Computer

New RAT ‘Dacls’ Connected to North Korea’s Lazarus Group Targets Linux Machines

A new Remote Access Trojan (RAT) malware dubbed Dacls connected to North Korea’s Lazarus Group was spotted by researchers at Qihoo 360 Netlab targeting both Windows and Linux machines. While the Lazarus Group is known for targeting Windows and macOS machines, this is the first instance discovered of one of their RATs targeting Linux. The malware is modular, and it is capable of dynamically loading plug-ins remotely on compromised Windows servers, while the Linux version bundles all the plug-ins it needs to function within the bot component. The researchers also found an exploit payload for Atlassian Confluence Server installations vulnerable to attacks against the CVE-2019-3396 RCE bug, which hints at Lazarus using the CVE-2019-3396 vulnerability to spread Dacls malware payloads on unpatched Confluence servers. The research team recommends that Confluence users patch their systems as soon as possible to avoid having their servers compromised.

December 21, 2019
Sergiu Gatlan / Bleeping Computer

Cybercriminals Are Exploiting Star Wars Hype to Steal Victims’ Credit Card Data and Infect Them With Malware

Attackers are actively exploiting the hype around the new Star Wars: The Rise of Skywalker movie as bait to lure potential victims on fake streaming sites and steal their credit card data, researchers at Kaspersky Lab report. Kaspersky said it discovered over 30 fraudulent websites and social media profiles disguised as official movie accounts that supposedly distribute free copies of the latest film in the franchise but collect credit card data under the guise of registering for their portals. They also found 65 malicious files that were camouflaged as copies of the Star Wars: The Rise of Skywalker movie, as well as several profiles on Twitter and other social media platforms disguised as official accounts that distribute free copies of the movie and promote the malicious streaming sites. Instead of getting pirated copies of the film, victims are infected with malware.

Related: TechRepublic, The Register – Security, Kaspersky Lab official blog, Tom’s Guide, ExtremeTech, Techradar, Lifehacker, Threatpost

December 28, 2019
Sergiu Gatlan / Bleeping Computer

Maastricht University in the Netherlands Hit by Ransomware Attack, All University Systems Taken Down as Precaution

Maastricht University (UM) in the Netherlands announced that almost all of its Windows systems have been encrypted by ransomware following a ransomware attack that took place on Monday, December 23. All the university’s systems have been taken down as a precautionary measure during investigations. It’s not currently clear if scientific data was also accessed or exfiltrated by the attackers before the systems were encrypted with the yet-unnamed ransomware strain.

Related: iTnews – Security, Cybersecurity Insiders, Maastricht University

Tweets: @gossithedog @CatalinaGoanta

December 30, 2019
Sergiu Gatlan / Bleeping Computer

U.S. Coast Guard Facility, Likely a Port, Hit by Ryuk Ransomware, Entire Corporate IT Network Taken Down

The U.S. Coast Guard (USCG) said a Ryuk ransomware attack took down the entire corporate IT network of a Maritime Transportation Security Act (MTSA) regulated facility. The ransomware, delivered via an emailed phishing link, allowed a threat actor to access significant enterprise Information Technology (IT) network files and encrypt them, preventing the facility’s access to critical files. Although the USCG didn’t specify what kind of facility was hit, it was likely a port, given that the ransomware managed to infiltrate cargo transfer industrial control systems, according to a bulletin issued by the Coast Guard.

January 8, 2020
Sergiu Gatlan / Bleeping Computer

Now-Patched High Severity Vulnerability in Firefox Has Been Actively Exploited in the Wild, Can Allow Attackers to Execute Code or Trigger Crashes

A type confusion vulnerability tracked as CVE-2019-11707 that impacts Firefox’s IonMonkey Just-In-Time (JIT) compiler is an actively exploited high severity vulnerability just patched in Mozilla’s Firefox 72.0.1 and Firefox ESR 68.4.1. The flaw, which can allow attackers to execute code or trigger crashes on machines running vulnerable Firefox versions, was reported by a research team from Qihoo 360 ATA. The flaw leads to out-of-bounds memory access in languages without memory safety, which, in some circumstances, can lead to code execution or exploitable crashes.

Related: US-CERT Current Activity, Mozilla, gHacks, Symantec, Threatpost, Security Affairs, Ars Technica, Softpedia News, SecurityWeek, Help Net Security, Forbes, The Hacker News

January 9, 2020
Sergiu Gatlan / Bleeping Computer

Hackers Are Actively Scanning Citrix Servers Vulnerable to Critical Flaw, Could Lead to Arbitrary Code Execution on 80,000 Networks

Security researchers have observed ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers vulnerable to attacks exploiting CVE-2019-19781 during the last week. This vulnerability impacts multiple Citrix products, and it could potentially expose the networks of over 80,000 firms to hacking attacks, according to a late-December report by Positive Technologies. The flaw could allow unauthenticated attackers to perform arbitrary code execution via directory traversal if successfully exploited. Security researcher Kevin Beaumont, who shared the info on active scans, said he’d seen no exploitation of this vulnerability, and no information on an exploit is publicly available so far. Although no firmware patch is yet available, Citrix has released a series of mitigations for the problem.

Related: Reddit – cybersecurity, Reddit – cybersecurity, The State of Security, US-CERT Current Activity, ZDNet

Tweets: @malwrhunterteam @GossiTheDog @jas502n @cyb3rops @0x09AL @RGB_Lights

Reddit – cybersecurity: Citrix NetScaler CVE-2019-19781: What You Need to Know
Reddit – cybersecurity: Citrix NetScaler/ADC Critical Flaw (CVE-2019-19781)
The State of Security: Citrix NetScaler CVE-2019-19781: What You Need to Know
US-CERT Current Activity: Citrix Application Delivery Controller and Citrix Gateway Vulnerability
ZDNet: Hackers probe Citrix servers for weakness to remote code execution vulnerability

@malwrhunterteam: Now that people are speaking about CVE-2019-19781, here's a reminder that Citrix has/had different type of problems too:
@GossiTheDog: In my Citrix ADC honeypot, CVE-2019-19781 is being probed with attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue). So this is in the wild, active exploitation starting up.
@jas502n: CVE-2019-19781 Citrix path traversal base on vpns folder Example: GET /vpn/../vpns/services.html GET /vpn/../vpns/cfg/smb.conf patch >> HTTP/1.1 403 Forbidden no patch >> HTTP/1.1 200 OK [global] encrypt passwords = yes name resolve order = lmhosts wins host bcast
@cyb3rops: Citrix NetScaler CVE-2019-19781: What You Need to Know "The complete exploit chain requires just two HTTPS requests to achieve command execution." I guess that most orgs will notice the compromise due to a filled up /var partition
@0x09AL: I was able to reproduce the Citrix ADC Remote Command Execution in one day. Guess you need to patch ASAP. #CVE-2019-19781 #Citrix
@RGB_Lights: The Citrix RCE is a doozie. Lots of good security architectures appropriately rely on Citrix to reduce the attack surface significantly and now they are at significant risk. Get this patched.

January 10, 2020
Sergiu Gatlan / Bleeping Computer

Google Has Removed From Play Store Around 1,700 Applications Infected With Joker Android Malware Since Early 2017

Around 1,700 applications infected with the Joker Android malware (also known as Bread) have been detected and removed by Google’s Play Protect from the Play Store since the company started tracking it in early 2017, the company said. The malware infiltrates the store through sheer volume, Google researchers say, with up to 23 different apps from this family submitted to Play in one day. The apps were initially designed by Joker’s creators to perform SMS fraud but have moved to another type of mobile billing fraud dubbed toll fraud, which tricks victims into subscribing to or purchasing various types of content via their mobile phone bill.

Sergiu Gatlan / Bleeping Computer

Albany Airport Paid ‘Under Six Figures’ to Sodinokibi Ransomware Attackers After Malware Infected Backups, Managed Service Provider Fired and Forced to Pay $25,000 Insurance Deductible

Albany International Airport’s administrative servers were hit by Sodinokibi ransomware, also known as REvil, following a cyberattack that took place over Christmas. Airport operations were not affected by the attack, and the attackers did not access customers’ financial or personal information, nor were airline or TSA servers affected. The Albany County Airport Authority alerted the FBI and the New York State Cyber Command as soon as the attack was discovered, and also hired the services of ABS Solutions to help with the investigation. The attackers were able to infiltrate the New York airport’s systems through the maintenance server of its managed service provider (MSP) Logical Net, a Schenectady, NY-based data center services and hosted cloud solutions provider. The airport said it had severed its relationship with Logical Net. Because the ransomware also reached the back-up system, the airport paid what it called an “under six-figure” ransom to get its files back. The airport’s insurer paid the ransom amount, with the $25,000 deductible paid by Logical Net.

January 20, 2020
Sergiu Gatlan / Bleeping Computer

Citrix Issues Fixes for Actively Exploited Flaw Affecting ADC, Gateway and SD-WAN Appliances

Citrix released permanent fixes for the actively exploited CVE-2019-19781 vulnerability impacting Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances and allowing unauthenticated attackers to perform arbitrary code execution. In addition to releasing these permanent fixes for the CVE-2019-19781 flaw, Citrix also says that it has fast-forwarded the “availability of permanent fixes for other ADC versions and for SD-WAN WANOP.” Citrix advises all customers to apply mitigation measures to ADC versions 12.1, 13, 10.5, and SD-WAN WANOP versions 10.2.6 and 11.0.3 appliances until a permanent fix is available.

Related: The Register – Security, Citrix, The Hacker News, Security – Computing, Graham Cluley, Security Affairs, Infosecurity Magazine, IT World Canada, Tweets Influencers, Sec.Today, SecurityWeek

Tweets: @citrix @Swati_THN @SecShoggoth @GossiTheDog

The Register: ‘Friendly’ hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind
Citrix: Vulnerability Update: First permanent fixes available, timeline accelerated
The Hacker News: Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack
Security – Computing: Citrix releases permanent fixes for CVE-2019-19781 security flaw in Citrix ADC 11.1 and 12
Graham Cluley: Good news. Citrix delivers first patches to mop up Shitrix flaw that is being actively exploited
Security Affairs: Citrix releases permanent fixes for CVE-2019-19781 flaw in ADC 11.1 and 12.0
Infosecurity Magazine: Citrix Patches ADC Bug as Attacker Hoards Access
IT World Canada: Citrix starts releasing permanent fixes for critical controller vulnerability
Sec.Today: 404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor
SecurityWeek: Citrix Releases First Patches for Critical ADC Vulnerability

@citrix: Important updates on the #CitrixADC, Citrix Gateway vulnerability: (1) Permanent fixes for ADC v11.1 & 12. (2) We have moved forward the availability of permanent fixes for other ADC versions & SD-WAN WANOP from previous target dates. #CVE201919781
@Swati_THN: A month after disclosing existence of a critical RCE vulnerability (CVE-2019-19781) in #Citrix ADC & Gateway software—also under active ATTACKS—the company finally today released the 1st batch of security patches for versions 11.1 & 12.0 Read #infosec
@SecShoggoth: Got hit with a new backdoor on the @TrustedSec #Citrix #netscaler CVE-2019-19781 honeypot last night. It's a DDoS bot that comms over...IRC. Watch out for conns to and files named /tmp/.perl
@GossiTheDog: The top thirty most scanned URLs today are almost all Citrix Gateway related. If you haven't patched or mitigated your devices, you're likely in deep doo doo.

January 21, 2020
Sergiu Gatlan / Bleeping Computer

Children’s Apparel Maker Hanna Andersson Was Victim of Magecart Payment Card Data-Stealing Malware for Almost Two Months, Infection Came Through Salesforce Commerce Cloud Platform

US children’s apparel maker and online retailer Hanna Andersson disclosed that its online purchasing platform was compromised in a Magecart credit card data-stealing attack that harvested customers’ payment information for almost two months. Hanna Andersson sent an email notification to customers saying that law enforcement was notified on December 5, 2019, that “credit cards used on its website were available for purchase on a dark web site.” Investigators determined that Hanna Andersson’s “third-party ecommerce platform, Salesforce Commerce Cloud, was infected with malware that may have scraped information entered by customers into the platform during the purchase process.” The earliest date of compromise, according to investigators, was September 16, 2019, and the malware was removed on November 11, 2019.