Jul 23 2023

Citrix ADC zero-day exploitatation: CISA releases details about attack on CI organization (CVE-2023-3519)

Category: CISA,Zero daydisc7 @ 9:40 am
Citrix ADC zero-day exploitatation: CISA releases details about attack on CI organization (CVE-2023-3519)

The exploitation of the Citrix NetScaler ADC zero-day vulnerability (CVE-2023-3519) was first spotted by a critical infrastructure organization, who reported it to the Cybersecurity and Infrastructure Security Agency (CISA).

“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement,” the agency shared in an advisory published on Thursday.

IoCs, IR and mitigation advice

The attack was reported to CISA and Citrix in July 2023, and Citrix announced fixes for it on July 18.

The security bulletin mentioned that “exploits of CVE-2023-3519 on unmitigated appliances have been observed,” but no additional details about the attacks or how to check whether an organizations had been a target had been publicly shared.

A list of indicators of compromise (IoCs) had been shared with select organizations, under the understanding that the info would not be widely shared (i.e., that the contents would be restricted to those organization and shared with its clients “on a need-to-know basis”).

“As we hear from the Citrix community, more and more attacked systems are being found. The first exploits have also been available for purchase on the dark web for some time,” German IT consultant Manuel Winkel said on July 19.

He shared advice on how to check whether one’s organization has been hit, and advised on what to do if the result is positive.

CISA’s advisory offers more details about the threat actor activity in the attack detected at the critical infrastructure organization, delineates attack detection methods, and offers advice on incident response if compromise is detected.

In-the-wild exploitation of CVE-2023-3519

Greynoise has created a tag to show in-the-wild probing of internet-facing NetScaler ADC platforms and Gateways with authentication attempts through CVE-2023-3519, but so far there have been no detections.

Standalone and Nmap scripts for identifying vulnerable installations have been published on GitHub.

If what Winkel says is true – namely, that first exploits for CVE-2023-3519 have been available for purchase on the dark web for a while – it’s possible that there are many compromised organizations out there who didn’t manage to block the attackers’ lateral movement.

It’s currently impossible to say what the attackers’ ultimate goal is, but affected organizations may discover it soon if they don’t react quickly.

UPDATE (July 22, 2023, 10:55 a.m. ET):

Technical analyses of the flaw are now public and threat actors could use them to create a reliable exploit soon. Patch quickly!

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon


InfoSec books | InfoSec tools | InfoSec services

Tags: Citrix ADC, Countdown to Zero Day, CVE-2023-3519, Stuxnet, zero Day

Aug 10 2022

Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Category: Malware,Zero dayDISC @ 12:28 pm
Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Microsoft has published a fix for a zero-day bug discovered in 2019 that it originally did not consider a vulnerability.

The tech giant patched CVE-2022-34713 â€“ informally known as “DogWalk” – on Tuesday, noting in its advisory that it has already been exploited.

According to Microsoft, exploitation of the vulnerability requires that a user open a specially-crafted file delivered through a phishing email or web-based attack.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability,” Microsoft explained. â€œAn attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”

Later in the advisory, Microsoft said the type of exploit needed is called an “Arbitrary Code Execution,” or ACE, noting that the attacker would need to convince a victim through social engineering to download and open a specially-crafted file from a website which leads to a local attack on their computer. 

A three-year wait

The bug was originally reported to Microsoft by security researcher Imre Rad on December 22, 2019. Even though a case was opened one day later, Rad said in a blog post that Microsoft eventually declined to fix the issue six months later. 

Microsoft initially told Rad that to make use of the attack he described, an attacker would need “to create what amounts to a virus, convince a user to download the virus, and then run it.” The company added that “as written this wouldn’t be considered a vulnerability.” 

“No security boundaries are being bypassed, the PoC doesn’t escalate permissions in any way, or do anything the user couldn’t do already,” Microsoft told Rad. 

But in June, as security researchers dug into the “Follina” vulnerability, cybersecurity expert j00sean took to Twitter to resurface the issue and spotlight it again.  

Rad noted that on August 4, Microsoft contacted him and said they “reassessed the issue” and “determined that this issue meets our criteria for servicing with a security update” tagging it as CVE-2022–34713.

Microsoft said in its advisory that, like Follina, this is yet another vulnerability centered around Microsoft Support Diagnostic Tool (MSDT)

“Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk,” Microsoft said this week. 

Microsoft acknowledged but did not respond to requests for comment about why their assessment of the issue changed after three years, but Microsoft security research and engineering lead Johnathan Norman took to Twitter to thank Rad and j00sean for highlighting the issue.

“We finally fixed the #DogWalk vulnerability. Sadly this remained an issue for far too long. thanks to everyone who yelled at us to fix it,” he said. 

Coalfire vice president Andrew Barratt said he has not seen the vulnerability exploited in the wild yet but said it would “be easily delivered using a phishing/rogue link campaign.”

When exploited, the vulnerability places some malware that automatically starts the next time the user reboots/logs into their Windows PC, Barratt explained, noting that while it is not a trivial point-and-click exploit and requires an attachment to be used in an email, it can be delivered via other fileservers – making it an interesting tactic for an insider to leverage.

“The vast majority of these attachments are blocked by Outlook, but various researchers point out that other email clients could see the attachment and launch the Windows troubleshooting tool (which it leverages as part of the exploit),” Barratt said. â€œThe challenge for a lot of anti-malware is that the file leveraged doesn’t look like a traditional piece of malware, but could be leveraged to pull more sophisticated malware on to a target system. It’s an interesting technique but not one that is going to affect the masses. I’d expect this to be leveraged more by someone meeting the profile of an insider threat.”

Bharat Jogi, director of vulnerability and threat research at Qualys, added that Microsoft likely changed its tune related to CVE-2022–34713 because today’s bad actors are growing more sophisticated and creative in their exploits.

Jogi noted that Follina has been recently used by threat actors — like China-linked APT TA413 — in phishing campaigns that have targeted local U.S. and European government personnel, as well as a major Australian telecommunications provider

Source: Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Countdown to Zero Day

Tags: Countdown to Zero Day, DogWalk zero-day

Feb 15 2022

Google fixes a Chrome zero-day flaw actively exploited in attacks

Category: Zero dayDISC @ 10:10 am
Google fixes a Chrome zero-day flaw actively exploited in attacks

Google fixed a high-severity zero-day flaw, tracked as CVE-2022-0609, actively exploited with the release of Chrome emergency update for Windows, Mac, and Linux. This is the first Chome zero-day fixed this year by Google.

The zero-day is a use after free issue that resides in Animation, the bug was reported by Adam Weidemann and ClĂ©ment Lecigne of Google’s Threat Analysis Group.

“Use after free in Animation. Reported by Adam Weidemann and ClĂ©ment Lecigne of Google’s Threat Analysis Group on 2022-02-10 [$TBD][1285449]” reads the security advisory published by Google. “Google is aware of reports that an exploit for 

CVE-2022-0609
 exists in the wild.”

The emergency patches will be rolled out in the next weeks. Users could update their browser manually by visiting the entry Chrome menu > Help > About Google Chrome.

Google did not disclose technical details for the CVE-2022-0609 to avoid massive exploitation of the bug. The IT giant also avoided disclosing info regarding the attack in the wild exploiting the flaw.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Tags: Chrome zero-day, Countdown to Zero Day