The War Room


Community for various OSINT news and subject matter for open discussion or dissemination elsewhere


Approximately 2000 Citrix NetScaler servers were backdoored in a massive campaign

A threat actor has compromised roughly 2,000 Citrix NetScaler servers by exploiting a remote code execution vulnerability tracked as CVE-2023-3519. In July, Citrix warned customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler Application Delivery Controller (ADC) and Gateway that is being actively exploited in the wild. The vulnerability CVE-2023-3519 (CVSS score: 9.8) is a code injection that […]

The post Approximately 2000 Citrix NetScaler servers were backdoored in a massive campaign appeared first on Security Affairs.


Risky Business #717 -- The kids are okay. At ripping your face off.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

  • More victims identified in Chinese breach of Microsoft email accounts
  • Cyber Safety Review Board to investigate Microsoft
  • We got some stuff wrong last week
  • More details on Viasat hack revealed
  • Special guest Heather Adkins talks about the CSRB’s Lapsus$ report
  • Much, much more

This week’s show is brought to you by RunZero. Its co-founder HD Moore is this week’s sponsor guest.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.


Nearly 2,000 Citrix NetScaler Instances Hacked via Critical Vulnerability

Nearly 2,000 Citrix NetScaler instances have been compromised with a backdoor by weaponizing a recently disclosed critical security vulnerability as part of a large-scale attack. "An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScalers to gain persistent access," NCC Group said in an advisory released Tuesday. "The adversary can


SMShell: PoC for a SMS-based shell

SMShell PoC for an SMS-based shell. Send commands and receive responses over SMS from mobile broadband-capable computers. This tool came as an inspiration during research on eSIM security implications led by Markus Vervier, presented...

The post SMShell: PoC for a SMS-based shell appeared first on Penetration Testing.


CVE-2023-3160: ESET Security Products for Windows Vulnerable to Privilege Escalation Attack

A critical vulnerability has been discovered in ESET security products for Windows that could allow a local authenticated attacker to gain elevated privileges on the system. The vulnerability tracked as CVE-2023-3160 has a CVSS...

The post CVE-2023-3160: ESET Security Products for Windows Vulnerable to Privilege Escalation Attack appeared first on Penetration Testing.


surf: Escalate your SSRF vulnerabilities on Modern Cloud Environments

Surf – Escalate your SSRF vulnerabilities on Modern Cloud Environments surf allows you to filter a list of hosts, returning a list of viable SSRF candidates. It does this by sending an HTTP request...

The post surf: Escalate your SSRF vulnerabilities on Modern Cloud Environments appeared first on Penetration Testing.


Credentials for cybercrime forums found on roughly 120K computers infected with info stealers

Researchers discovered credentials associated with cybercrime forums on roughly 120,000 computers infected with information stealers. Threat intelligence firm Hudson Rock has discovered credentials associated with cybercrime forums on roughly 120,000 computers infected with various information stealer malware. The experts discovered that many of these computers, compromised between 2018 to 2023, belong to threat actors. The […]

The post Credentials for cybercrime forums found on roughly 120K computers infected with info stealers appeared first on Security Affairs.


Ivanti Avalanche impacted by critical pre-auth stack buffer overflows


Two stack-based buffer overflows collectively tracked as CVE-2023-32560 impact Ivanti Avalanche, an enterprise mobility management (EMM) solution designed to manage, monitor, and secure a wide range of mobile devices.

The flaws are rated critical (CVSS v3: 9.8) and are remotely exploitable without user authentication, potentially allowing attackers to execute arbitrary code on the target system.

The vulnerability impacts WLAvalancheService.exe version 6.4.0.0 and older, which receives communications over TCP port 1777.

An attacker sending specially crafted data packets containing hex strings (type 3) or a list of decimal strings separated by “;” (type 9) can cause a buffer overflow due to a fixed-size stack-based buffer used to store the converted data.

Code snippet that showcases the buffer overflow vulnerability (Tenable)

A buffer overflow is a type of security problem where a program writes more data to a memory block (buffer) than it can hold, overwriting adjacent locations and causing program crashes or arbitrary code execution.

Stack-based buffer overflows concern the overwrite of regions allocated on the stack, a memory region that stores the program’s local variables and return addresses, making it possible to direct the program to execute malicious code.
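To make the defect pattern concrete, the following is an added C example; it is not Tenable's or Ivanti's code, and because the article describes only the two input shapes (type 3 hex strings, type 9 ";"-separated decimal strings) and not the Avalanche wire format, the message type constants, buffer sizes and function names are assumptions. It shows the bounded conversion routines that a fixed-size-buffer parser needs: the decoded length is checked against the destination capacity before any byte is written, so an oversized payload is rejected instead of being written past the end of the buffer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed message types mirroring the two cases the article names; the real
 * Avalanche protocol is not described on the page. */
#define MSG_TYPE_HEX     3   /* payload is a hex string */
#define MSG_TYPE_DECLIST 9   /* payload is a ';'-separated list of decimals */

/* The vulnerable pattern (described, not reproduced) is a fixed-size stack
 * buffer, e.g. uint8_t out[256], filled by a conversion loop that never checks
 * whether the decoded length fits in sizeof(out). The functions below take the
 * capacity explicitly and return -1 rather than exceeding it. */

static int hex_nibble(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex string into out (capacity out_cap bytes).
 * Returns the number of bytes written, or -1 on malformed or oversized input. */
int decode_hex_bounded(const char *hex, uint8_t *out, size_t out_cap) {
    size_t n = strlen(hex);
    if (n % 2 != 0) return -1;        /* an odd digit count is malformed */
    if (n / 2 > out_cap) return -1;   /* the length check the vulnerable code lacked */
    for (size_t i = 0; i < n; i += 2) {
        int hi = hex_nibble((unsigned char)hex[i]);
        int lo = hex_nibble((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Parse a ';'-separated list of decimal numbers into out (capacity out_cap
 * entries). Returns the number of entries written, or -1 on malformed or
 * oversized input. An empty list yields 0. */
int parse_dec_list_bounded(const char *list, int32_t *out, size_t out_cap) {
    size_t count = 0;
    const char *p = list;
    while (*p != '\0') {
        if (count >= out_cap) return -1;   /* refuse instead of overflowing */
        char *end;
        errno = 0;
        long v = strtol(p, &end, 10);
        if (end == p || errno == ERANGE || v < INT32_MIN || v > INT32_MAX) return -1;
        out[count++] = (int32_t)v;
        if (*end == ';') {
            p = end + 1;
            if (*p == '\0') return -1;     /* trailing ';' is malformed */
        } else if (*end == '\0') {
            p = end;
        } else {
            return -1;                     /* unexpected separator */
        }
    }
    return (int)count;
}

/* Self-checks: each returns 1 when the bounded parsers behave as intended. */
int selfcheck_hex(void) {
    uint8_t buf[4];   /* deliberately small capacity to exercise the check */
    if (decode_hex_bounded("deadbeef", buf, sizeof buf) != 4) return 0;
    if (buf[0] != 0xde || buf[3] != 0xef) return 0;
    if (decode_hex_bounded("deadbeef00", buf, sizeof buf) != -1) return 0; /* too long */
    if (decode_hex_bounded("abc", buf, sizeof buf) != -1) return 0;        /* odd length */
    if (decode_hex_bounded("zz", buf, sizeof buf) != -1) return 0;         /* not hex */
    return 1;
}

int selfcheck_declist(void) {
    int32_t vals[3];
    if (parse_dec_list_bounded("1;-2;300", vals, 3) != 3) return 0;
    if (vals[0] != 1 || vals[1] != -2 || vals[2] != 300) return 0;
    if (parse_dec_list_bounded("1;2;3;4", vals, 3) != -1) return 0;  /* too many entries */
    if (parse_dec_list_bounded("1;x", vals, 3) != -1) return 0;      /* not decimal */
    if (parse_dec_list_bounded("1;", vals, 3) != -1) return 0;       /* trailing ';' */
    if (parse_dec_list_bounded("", vals, 3) != 0) return 0;
    return 1;
}

int main(void) {
    printf("hex parser ok: %d, decimal list parser ok: %d\n",
           selfcheck_hex(), selfcheck_declist());
    return 0;
}
```

The point of the capacity parameter is that the caller's buffer size becomes part of the function contract, so a fuzzer or a code review can verify the check in one place instead of auditing every conversion loop.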

The issues were discovered by Tenable researchers and reported to Ivanti on April 4, 2023, while a proof-of-concept was shared with the vendor on April 13, 2023.

After extending the disclosure window to allow the vendor more time to address the issues, a security update was released on August 3, 2023, with Avalanche version 6.4.1.

Along with CVE-2023-32560, Avalanche version 6.4.1 also fixes CVE-2023-32561, CVE-2023-32562, CVE-2023-32563, CVE-2023-32564, CVE-2023-32565, and CVE-2023-32566, concerning various authentication bypass and remote code execution flaws.

Ivanti software is used in critical systems and settings, so threat actors are constantly looking for critical-severity vulnerabilities that constitute potential gateways for attacks.

Last month, it was revealed that hackers exploited a zero-day authentication bypass vulnerability (CVE-2023-35078) in Ivanti Endpoint Manager Mobile (EPMM) to breach a platform used by twelve ministries of the Norwegian government, accessing potentially sensitive and classified information.


3 Major Email Security Standards Falling Down on the Job

Nearly 90% of malicious emails manage to get past SPF, DKIM, or DMARC, since threat actors are apparently using the same filters as legitimate users.


Patch Now: OpenNMS Bug Steals Data, Triggers Denial of Service

The monitoring platform is trusted by Cisco, Savannah River Nuclear Solutions, and others in CISA's critical infrastructure sectors, say Synopsys researchers.


LockBit Ransomware Gang in Decline, May Be Compromised, Report

By Habiba Rashid

A new report from Jon DiMaggio, Chief Security Strategist at Analyst1, “Ransomware Diaries: Volume 3 - LockBit’s Secrets” exposes LockBit's activities, their targets, and the challenges they've been facing.

This is a post from HackRead.com. Read the original post: LockBit Ransomware Gang in Decline, May Be Compromised, Report


LinkedIn accounts hacked in widespread hijacking campaign


LinkedIn is being targeted in a wave of account hacks resulting in many accounts being locked out for security reasons or ultimately hijacked by attackers.

As reported today by Cyberint, many LinkedIn users have been complaining about the account takeovers or lockouts and an inability to resolve the problems through LinkedIn support.

"Some have even been pressured into paying a ransom to regain control or faced with the permanent deletion of their accounts," reports Cyberint's researcher Coral Tayar.

"While LinkedIn has not yet issued an official announcement, it appears that their support response time has lengthened, with reports of a high volume of support requests."

A small sample of the numerous user reports on X (BleepingComputer)

From complaints seen by BleepingComputer on Reddit, Twitter, and the Microsoft forums, LinkedIn support has not been helpful in recovering the breached accounts, with users just getting frustrated by the lack of response.

"My account was hacked 6 days ago. Email was changed in the middle of the night and I had no ability to confirm the change or prevent it," wrote an affected user in a Reddit thread about the hacks.

"No response from them anywhere. It's pathetic. I tried reporting my hacked account, going through identity verification, and even DMing them on @linkedinhelp on twitter. No responses anywhere. What a joke of a company.."

Cyberint says there are also signs of a breakout reflected in Google Trends, where search terms about LinkedIn account hack or recovery record an increase of 5,000% over the past few months.

Google Trends indicate atypical activity (BleepingComputer)

The attackers appear to be using leaked credentials or brute-forcing to attempt to take control of a large number of LinkedIn accounts.

For accounts that are appropriately protected by strong passwords and/or two-factor authentication, the multiple takeover attempts resulted in a temporary account lock imposed by the platform as a protection measure.

Owners of these accounts are then prompted to verify ownership by providing additional information and also update their passwords before they're allowed to sign in again.

When the hackers successfully take over poorly protected LinkedIn accounts, they quickly swap the associated email address with one from the "rambler.ru" service.

After that, the hijackers change the account password, preventing the original holders from accessing their accounts. Many of the users also reported that the hackers turned on 2FA after hijacking the account, making the account recovery process even more difficult.

In some cases observed by Cyberint, the attackers demanded a small ransom to give the accounts back to the original owners or outright deleted the accounts without asking for anything.

LinkedIn accounts can be valuable for social engineering, phishing, and job offer scams that sometimes lead to multi-million dollar cyber-heists.

Especially after LinkedIn introduced features that combat fake profiles and inauthentic behavior on the platform, hijacking existing accounts has become much more pragmatic for hackers.

If you maintain a LinkedIn account, now would be a good time to review the security measures you've activated, enable 2FA, and switch to a unique and long password.

BleepingComputer has contacted LinkedIn requesting a comment on the reported situation, but we have not received a response by publication time.


Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign

Hackers exploit over 1,200 Citrix NetScaler servers before admins patch for CVE-2023-3519

A threat actor has compromised close to 2,000 Citrix NetScaler servers in a massive campaign exploiting the critical-severity remote code execution vulnerability tracked as CVE-2023-3519.

More than 1,200 servers were backdoored before administrators installed the patch for the vulnerability and continue to be compromised because they have not been checked for signs of successful exploitation, the researchers say.

RCE exploited to hack 6% of all vulnerable servers

Security researchers at cybersecurity company Fox-IT (part of the NCC Group) and the Dutch Institute of Vulnerability Disclosure (DIVD) have discovered a large-scale campaign that planted web shells on Citrix NetScaler servers vulnerable to CVE-2023-3519.

Although the vulnerability received a patch on July 18, hackers started exploiting it in the wild as a zero-day to execute code without authentication.

On July 21, Cybersecurity and Infrastructure Security Agency (CISA) warned that the vulnerability had been leveraged to breach a critical infrastructure organization in the U.S.

Earlier this month, the non-profit organization The Shadowserver Foundation found that hackers had infected more than 640 Citrix NetScaler servers and planted web shells for remote access and persistence.

Over the past two months, Fox-IT responded to multiple incidents related to CVE-2023-3519 exploitation and discovered servers compromised with several web shells.

Using the details about the backdoors, Fox-IT and DIVD were able to scan the internet for devices that had the web shells installed. Administrators can recognize their scans by checking the Citrix HTTP Access logs for the user-agent: DIVD-2023-00033.

Initially, the scans considered only vulnerable systems but later expanded to Citrix instances that received the update to address CVE-2023-3519.

This revealed 1,952 NetScaler servers backdoored with the same web shells Fox-IT found during the incident response engagements, indicating that the adversary used an automated method to exploit the vulnerability at a large scale.

Distribution of backdoored Citrix NetScaler servers on August 14 (source: Fox-IT)

In a larger context, the 1,952 backdoored servers represent more than 6% of the 31,127 Citrix NetScaler instances vulnerable to CVE-2023-3519 at a global level when the campaign was active.

Of the discovered compromised servers, Fox-IT says that 1,828 remained backdoored on August 14 and that 1,247 had been patched after the hackers planted the web shells.

Web shell ratio on patched and vulnerable Citrix NetScaler servers [CVE-2023-3519] (source: Fox-IT)

On August 10, Fox-IT and DIVD started to reach out to organizations, either directly or through national CERTs, about compromised NetScaler instances on their network.

Yesterday, the largest number of compromised Citrix NetScaler servers, both patched and unpatched, was in Germany, followed by France and Switzerland.

Top 20 countries with backdoored Citrix NetScaler servers (source: Fox-IT)

Fox-IT says that Europe is the most affected, highlighting that of the top 10 affected countries, only two are from a different region of the world.

Another detail the researchers observed is that while Canada, Russia, and the U.S. had thousands of vulnerable NetScaler servers on July 21, they found web shells on almost none of them.

Fox-IT says that the number of affected Citrix NetScaler servers is declining but there are still plenty of compromised instances.

The researchers warn that a patched NetScaler server can still have a backdoor and recommend administrators perform basic triage on their systems.

They provide a Python script that uses the Dissect forensics and incident response toolkit.

Mandiant has also released a scanner that looks for indicators of compromise related to attacks exploiting CVE-2023-3519. The researchers caution, though, that running this bash script twice results in false positives because "certain searches get written into the NetScaler logs whenever the script is run."


Discord.io Temporarily Shuts Down Amid Breach Investigation

The platform plans to revamp its website code and conduct "a complete overhaul" of its security practices.


AI Steals Passwords by Listening to Keystrokes With Scary Accuracy

The AI model trained on typing recorded over a smartphone was able to steal passwords with 95% accuracy.


Court Orders SportsBay to Pay Almost Half a Billion Dollars For Violating DMCA

In the summer of 2021, DISH Network and Sling filed a copyright lawsuit against four unlicensed sports streaming sites, among them the popular SportsBay.org. After the plaintiffs named two alleged operators of the sites, this week a court in Texas held the pair liable for almost 2.5 million violations of the DMCA's anti-circumvention provisions and almost half a billion dollars in damages.

From: TF, for the latest news on copyright battles, piracy and more.


Cybercriminals Abusing Cloudflare R2 for Hosting Phishing Pages, Experts Warn

Threat actors' use of Cloudflare R2 to host phishing pages has witnessed a 61-fold increase over the past six months. "The majority of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps," Netskope security researcher Jan Michael said. Cloudflare R2, analogous to Amazon Web Service S3, Google Cloud Storage, and


Monti Ransomware gang launched a new Linux encryptor

Monti Ransomware operators returned, after a two-month pause, with a new Linux variant of their encryptor. The Monti ransomware operators returned, after a two-month break, with a new Linux version of the encryptor. The variant was employed in attacks aimed at organizations in government and legal sectors. The Monti group has been active since June 2022, […]

The post Monti Ransomware gang launched a new Linux encryptor appeared first on Security Affairs.


Raccoon Stealer malware returns with new stealthier version


The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals.

Raccoon is one of the most well-known and widely used information-stealing malware families, having been around since 2019, sold via a subscription model for $200/month to threat actors.

The malware steals data from over 60 applications, including login credentials, credit card information, browsing history, cookies, and cryptocurrency wallet accounts.

The project entered a period of uncertainty in October 2022, when its primary author, Mark Sokolovsky, was arrested in the Netherlands, and the FBI took down the then malware-as-a-service's infrastructure.

The Raccoon is back

In a new post to a hacker forum first spotted by VX-Underground, the malware's current authors informed the cybercriminal community that they're back, having spent their time "working tirelessly" to bring them new features that will enrich the user experience.

These new features were implemented after "customer" feedback, requests, and cybercrime trends, aiming to keep the malware in the top tier of the info-stealers market.

Announcement of Raccoon v2.3.0 on hacker forums (source: @vxunderground)

A report by Cyberint says that Raccoon 2.3.0 has introduced several "quality of life" and OpSec improvements that make the malware easier for less skilled threat actors to use and less likely to be traced by researchers and law enforcement.

First, a new quick search tool in the Raccoon Stealer dashboard allows hackers to easily find specific stolen data and retrieve credentials, documents, or other stolen data from massive datasets.

Raccoon's new search tool (source: Cyberint)

Secondly, the new Raccoon version features a system that counters suspicious activities that might be related to security-assisting bots, like multiple access events generated from the same IP.

In those cases, Raccoon will automatically delete the corresponding records and update all client pads accordingly.

The user can now see the activity profile score of each IP address right from the malware's dashboard, where green, yellow, and red smiley icons indicate the probability of bot activity.

Smileys used for indicating likelihood of bot activity (source: Cyberint)

A third important new feature incorporated as a protective measure against security researchers is a reporting system that detects and blocks IPs used by crawlers and bots that cyber-intelligence firms use to monitor Raccoon's traffic.

Finally, a new Log Stats panel gives users a "quick-glance" overview of their operations, the most successfully targeted regions, the number of breached computers, etc.

New log graphs screen (source: Cyberint)

Information stealers constitute a massive threat to both home users and businesses, as their widespread adoption by the cybercrime community ensures payloads are distributed through a myriad of channels, reaching a large and diverse audience.

As this type of malware not only steals credentials, but also cookies, it could allow threat actors to use those stolen session cookies to bypass multi-factor authentication and breach corporate networks. Once they establish a foothold on the network, it could lead to a variety of attacks, including data theft, ransomware, BEC scams, and cyber espionage.

To protect against Raccoon Stealer and all infostealers, password managers should be used instead of storing credentials on the browser.

Furthermore, multi-factor authentication should be enabled on all accounts, and users should avoid downloading executables from dubious websites even if redirected there from legitimate sources such as Google Ads, YouTube videos, or Facebook posts.


Anomaly in Fedora dnf update: md5 mismatch of result

Posted by Georgi Guninski on Aug 15

In short, I found an anomaly in Fedora 37 and would like to
know if it is a vulnerability.

As root type in terminal:
dnf update

If there is kernel update, watch stdout and stderr for:

##On Mon Aug 14 05:33:29 AM UTC 2023
(2/6): kernel-6.4.10-100.fc37.x86_64.rpm 1.2 MB/s | 140 kB 00:00
/var/cache/dnf/updates-fd4d3d0d1c34d49a/packages/kernel-modules-extra-6.4.9-100.fc37_6.4.10-100.fc37.x86_64.drpm:
md5 mismatch of result

##$ md5sum...


Multiple Flaws Found in ScrutisWeb Software Exposes ATMs to Remote Hacking

Four security vulnerabilities in the ScrutisWeb ATM fleet monitoring software made by Iagona could be exploited to remotely break into ATMs, upload arbitrary files, and even reboot the terminals. The shortcomings were discovered by the Synack Red Team (SRT) following a client engagement. The issues have been addressed in ScrutisWeb version 2.1.38. "Successful exploitation of these
