Nov 25 2023

Stuxnet techniques used

Category: Cyber War, Digital cold war, Malware | disc7 @ 2:55 pm

Stuxnet: The Revenge of Malware: How the Discovery of Malware from the Stuxnet Family Led to the U.S. Government Ban of Kaspersky Lab Anti-Virus Software


Tags: Stuxnet


Jul 23 2023

Citrix ADC zero-day exploitation: CISA releases details about attack on CI organization (CVE-2023-3519)

Category: CISA, Zero day | disc7 @ 9:40 am

The exploitation of the Citrix NetScaler ADC zero-day vulnerability (CVE-2023-3519) was first spotted by a critical infrastructure organization, which reported it to the Cybersecurity and Infrastructure Security Agency (CISA).

“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement,” the agency shared in an advisory published on Thursday.

IoCs, IR and mitigation advice

The attack was reported to CISA and Citrix in July 2023, and Citrix announced fixes for it on July 18.

The security bulletin mentioned that “exploits of CVE-2023-3519 on unmitigated appliances have been observed,” but no additional details about the attacks, or about how to check whether an organization had been a target, had been publicly shared.

A list of indicators of compromise (IoCs) had been shared with select organizations, under the understanding that the info would not be widely shared (i.e., that the contents would be restricted to those organizations and shared with their clients “on a need-to-know basis”).

“As we hear from the Citrix community, more and more attacked systems are being found. The first exploits have also been available for purchase on the dark web for some time,” German IT consultant Manuel Winkel said on July 19.

He shared advice on how to check whether one’s organization has been hit, and advised on what to do if the result is positive.

CISA’s advisory offers more details about the threat actor activity in the attack detected at the critical infrastructure organization, delineates attack detection methods, and offers advice on incident response if compromise is detected.

In-the-wild exploitation of CVE-2023-3519

Greynoise has created a tag to show in-the-wild probing of internet-facing NetScaler ADC platforms and Gateways with authentication attempts through CVE-2023-3519, but so far there have been no detections.

Standalone and Nmap scripts for identifying vulnerable installations have been published on GitHub.

If what Winkel says is true – namely, that the first exploits for CVE-2023-3519 have been available for purchase on the dark web for a while – it’s possible that there are many compromised organizations out there that didn’t manage to block the attackers’ lateral movement.

It’s currently impossible to say what the attackers’ ultimate goal is, but affected organizations may discover it soon if they don’t react quickly.

UPDATE (July 22, 2023, 10:55 a.m. ET):

Technical analyses of the flaw are now public and threat actors could use them to create a reliable exploit soon. Patch quickly!

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon


Tags: Citrix ADC, Countdown to Zero Day, CVE-2023-3519, Stuxnet, zero Day


Nov 12 2021

macOS Zero-Day exploited in watering hole attacks on users in Hong Kong

Category: Security vulnerabilities | DISC @ 9:54 am

Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was unpatched in macOS Catalina.

The watering hole campaign targeted the websites of a media outlet and a prominent pro-democracy labor and political group. The researchers found that the attackers had planted two iframes on the compromised sites, which were used to serve iOS and macOS exploits to visitors.

The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.

The attack was discovered in late August; the nature of the targets and the level of sophistication of the attack suggest the involvement of a China-linked threat actor.

“To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor,” reads the analysis published by Google. “As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.”

Alex Gibney directed this documentary about Stuxnet, a self-replicating computer malware that has opened a Pandora’s box of cyber-warfare.

Tags: macOS Zero-Day, Stuxnet, Zero day attack, zero-day


Jul 15 2021

China Taking Control of Zero-Day Exploits

Category: Zero day | DISC @ 11:39 am

Countdown to #ZeroDay: #Stuxnet and the Launch of the World’s First #DigitalWeapon

Tags: china, cybersecurity, cyberweapons, Digital Weapons, disclosure, Stuxnet, vulnerabilities, zero-day, Zero-Day Exploits


Apr 13 2021

Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again)

Category: Malware, Trojan | DISC @ 4:08 pm

What’s the craic? Aunty Beeb’s anonymous scribblers sit back and wonder why—“Iran says key Natanz nuclear facility hit by sabotage”:

The country’s top nuclear official, Ali Akbar Salehi, did not say who was to blame for the “terrorist act”, which caused a power failure a day after it unveiled new uranium enrichment equipment. Israeli public media, however, cited intelligence sources who said it was the result of an Israeli cyber-attack.

On Saturday, Iran’s President Hassan Rouhani inaugurated new centrifuges at the Natanz site in a ceremony that was broadcast live. It represented another breach of the country’s undertakings in the 2015 deal, which only permits Iran to produce and store limited quantities of enriched uranium. [The] deal, known as the Joint Comprehensive Plan of Action (JCPOA), has been in intensive care since Donald Trump pulled the US out of it.

Later state TV read out a statement by Atomic Energy Organisation of Iran (AEOI) head Ali Akbar Salehi, in which he described the incident as “sabotage” and “nuclear terrorism.” Last July, sabotage was blamed for a fire at the Natanz site which hit a central centrifuge assembly workshop.

Thorn in my side? Ronen Bergman, Rick Gladstone, Farnaz Fassihi, David E. Sanger, Eric Schmitt, Lara Jakes, Gerry Mullany and Patrick Kingsley tag-team thuswise—“Blackout Hits Iran Nuclear Site in What Appears to Be Israeli Sabotage”:

[The] power failure appeared to have been caused by a deliberately planned explosion. American and Israeli intelligence officials said there had been an Israeli role. Two intelligence officials briefed on the damage said it had been caused by a large explosion that completely destroyed the power system that supplies the underground centrifuges.

The officials, who spoke on the condition of anonymity to describe a classified Israeli operation, said that the explosion had dealt a severe blow to Iran’s ability to enrich uranium and that it could take at least nine months to [recover]. Some Iranian experts dismissed initial speculation that a cyberattack could have caused the power loss.

The United States and Israel have a history of covert collaboration, dating to the administration of President George W. Bush, to disrupt Iran’s nuclear program. The best-known operation under this collaboration was a cyberattack disclosed during the Obama administration that disabled nearly 1,000 centrifuges at Natanz.

Source: Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again)

Tags: Stuxnet


Apr 11 2021

Google’s Project Zero Finds a Nation-State Zero-Day Operation

Category: Zero day, Zero trust | DISC @ 9:44 am

Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. These seem to have been used by “Western government operatives actively conducting a counterterrorism operation”:

The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed.

Zero Days

Review: 'Zero Days' Examines Cyberwarfare's Potential Online Apocalypse -  The New York Times

The Stuxnet virus cyber-attack launched by the U.S. and Israel unleashed malware with unforeseen consequences. Delve deep into the burgeoning world of digital warfare in this documentary thriller from Academy Award® winning filmmaker Alex Gibney.

Tags: Stuxnet, watering hole attacks


Apr 21 2019

Stuxnet Malware Analysis

Category: Malware | DISC @ 6:15 pm

Stuxnet Malware Analysis By Amr Thabet


Tags: advanced malware, Advanced persistent threat, Stuxnet