Posts

Exploits in the Wild for Citrix ADC and Citrix Gateway Vulnerability CVE-2019-19781

OVERVIEW
In December of 2019, the details of a critical vulnerability affecting certain versions of Citrix Application Delivery Controller (formerly known as NetScaler ADC) and Citrix Gateway servers were publicly disclosed.

The Proficio Threat Intelligence Team posted information about the vulnerability and its exploits in our Twitter Feed and issued a security advisory to our clients. In this blog, we share some of the findings from our own deep-dive investigations into the attack activities that we have observed in the wild as well as information that we have previously included within our advisory.

VULNERABILITY DETAILS
Citrix disclosed a significant amount of information regarding the CVE-2019-19781 vulnerability and exploit on publicly accessible channels. The details provided in their public release make it easy for any potential attacker to recreate the exploit.

The vulnerability is centered around a vulnerable parameter that allows for directory traversals due to the improper handling of the pathname. Attackers can exploit this vulnerability through crafted directory traversal requests to access sensitive files, create crafted XML files in the vulnerable server, and execute malicious code within those XML files without any authentication, effectively allowing for remote code execution.

This vulnerability is particularly serious because it allows an attacker to effectively obtain remote code execution capabilities on vulnerable devices. The exploit does not require access or knowledge regarding any user accounts and can be performed by any attacker. This makes this attack suitable for automation and mass-scanning, and we have indeed observed increased volumes of such automated attempts and attacks.

There have also been reports of attackers leveraging the exploit of the vulnerability to install malware and backdoors on vulnerable systems, preventing other attackers from exploiting and gaining access to the same system.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected a significant number of different IOCs and IOAs to identify potential exploit attempts. The IOCs and IOAs also include malware activity associated with successful exploit attempts against CVE-2019-19781.

We used reverse-engineering and contextualization techniques to research this vulnerability. By removing non-viable indicators that cannot be used for reliable detection or discovery, we were able to isolate high quality, useful and reliable threat indicators. This is particularly important given the limited visibility allowed for an MDRP/MSSP like Proficio.

Our detection and discovery efforts allowed us to identify a significant number of potentially successful exploit attempts against the vulnerable Citrix systems. This in turn allowed us to drive additional data collection efforts that served as a starting point for more deep-dive investigations for every potentially successful exploit attempt. 

NOTABLE CONCLUSIONS

  1. Patching CVE-2019-19781 does not remove malicious artefacts left by successful exploits.

We have encountered several situations in which we were able to identify malicious post-exploit activity after successful exploit attempts against CVE-2019-19781, even though the vulnerability appears to have been patched. Identifying such activity after the patch is not necessarily an indication that the patch has failed, but a possible indication that malicious artefacts were already left behind by a successful exploit attempt prior to the patch being applied.

Organizations should note that compromised systems cannot be remediated by applying patches that were released to fix the vulnerability. Organizations will need to assess vulnerable systems to identify if any malicious artefacts remain from successful exploit attempts. Rebuilding the exploited system after the patch may be the only way to conclusively remove malicious artefacts from affected systems.

  2. Not all successful exploit attempts were accompanied by post-exploit activity.

The exploits against CVE-2019-19781 are particularly suited for automation, and we have observed a significant increase in automated attacks and mass-scanning activities. Our investigation efforts have shown that in some cases, while we were able to identify that a successful exploit attempt is likely to have taken place, we were not able to identify any kind of post-exploit or suspicious activity from the vulnerable system that could have indicated live threat actor activity beyond automated scanning. Of course, this is no reason for complacency. Vulnerable systems should be patched and assessed as quickly as possible, especially if a successful exploit attempt against CVE-2019-19781 was observed. This assessment is required to positively identify the presence of any malicious artefacts on the vulnerable system. Should any be found, rebuilding the vulnerable system may be the only way to quickly and completely remove them from the affected system.

  3. Security devices at the perimeter are the most useful log source for identifying and investigating successful exploits against CVE-2019-19781.

Having identified and investigated more than a dozen successful exploit attempts against CVE-2019-19781, it is interesting to note that the most useful logs for the investigations came from classic security devices like next-generation firewalls (NGFW) and intrusion detection/prevention systems (IDPS). Logs from such devices played a key role in all our deep-dive investigations and in some cases, happened to also be the only log sources with the requisite visibility for detection, discovery and investigation.

It is also interesting to note that logs from Citrix Netscalers were not particularly useful for the detection, discovery and investigation of exploit attempts against CVE-2019-19781. Of all the incidents in which we were able to positively identify the successful exploit attempts against vulnerable Citrix devices, we only made use of Citrix Netscaler logs in 7.6% of our investigations. Most of the logs that we were working with came from NGFWs and IDPS devices. Organizations affected by CVE-2019-19781 should review their logging configurations to ensure that the log events generated by their devices can be used for detection and discovery efforts. The last thing an organization wants is to realize that their current logging is not usable for the detection and discovery when there is a critical need to do so.

  4. Not all IOCs are created equal – some IOCs are more useful than others.

We made use of a wide range of different IOCs that went through our qualification process. While we are confident in our selection of relevant IOCs, they did not play equal roles in our detection and discovery efforts. The following IOCs have proven to be the most relevant and prevalent when performing deep-dive investigations:

  • /ci.sh
    The filename references an installation script payload for a cryptocurrency miner. The payload creates a download loop for itself as a way to stage a backdoor for later, while using cron jobs for persistence.
  • 95[.]179[.]163[.]186
    This IP address is known to be used to download exploit payloads against CVE-2019-19781. One such payload is the NOTROBIN malware. The IP address used to point towards the domain (vilarunners[dot]cat).
  • 185[.]178[.]45[.]221
    This IP address was used to host the file (ci.sh). Refer to the details on the IOC (ci.sh).
  • 62[.]113[.]112[.]33
    This IP address was also used to host the file (ci.sh). Refer to the details on the IOC (ci.sh).
  • 45[.]120[.]53[.]214
    Attackers are known to execute a curl command on successfully exploited systems in order to download a malicious shell script from this IP address onto the exploited system.
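The conclusions above say that perimeter NGFW/IDPS logs were the most useful source and that only some IOCs earned their keep. The following script is an added example (not Proficio's tooling) that runs the indicators listed above, refanged, over constructed firewall, proxy and DNS log lines, together with a generic directory-traversal heuristic derived from the post's description of the exploit. The log format, the host addresses (192.0.2.10 standing in for the ADC) and the near-miss address 195.179.163.186 are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


def refang(indicator: str) -> str:
    """Turn a defanged indicator (95[.]179[.]163[.]186, example[dot]com) into its literal form."""
    return indicator.replace("[.]", ".").replace("[dot]", ".")


# Indicators exactly as listed in the post above (defanged there), refanged for matching.
IOC_IPS = {refang(i) for i in (
    "95[.]179[.]163[.]186",   # payload host (NOTROBIN); formerly resolved from vilarunners[dot]cat
    "185[.]178[.]45[.]221",   # hosted ci.sh
    "62[.]113[.]112[.]33",    # also hosted ci.sh
    "45[.]120[.]53[.]214",    # shell script fetched with curl after a successful exploit
)}
IOC_DOMAINS = {refang("vilarunners[dot]cat")}
IOC_FILENAMES = {"ci.sh"}     # miner installer script referenced as /ci.sh

# Boundaries stop 95.179.163.186 from matching inside 195.179.163.186, and so on.
_IP_RES = [(ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")) for ip in sorted(IOC_IPS)]
_DOMAIN_RES = [(d, re.compile(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])")) for d in sorted(IOC_DOMAINS)]
_FILE_RES = [(f, re.compile(r"(?<![\w.-])" + re.escape(f) + r"(?![\w.-])")) for f in sorted(IOC_FILENAMES)]

# The post describes the exploit as crafted directory-traversal requests, so a '..' path
# segment (plain or percent-encoded) in a request to the ADC is the generic thing to flag.
TRAVERSAL_RE = re.compile(r"/(?:\.|%2e){2}(?:/|%2f|\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str       # ioc-ip | ioc-domain | ioc-file | traversal
    indicator: str


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return every IOC/IOA match found in the given NGFW/proxy/DNS log lines."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for ip, rx in _IP_RES:
            if rx.search(line):
                hits.append(Hit(n, "ioc-ip", ip))
        for d, rx in _DOMAIN_RES:
            if rx.search(line):
                hits.append(Hit(n, "ioc-domain", d))
        for f, rx in _FILE_RES:
            if rx.search(line):
                hits.append(Hit(n, "ioc-file", f))
        m = TRAVERSAL_RE.search(line)
        if m:
            hits.append(Hit(n, "traversal", m.group(0)))
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits per reason, the shape a SIEM correlation rule would key on."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.reason] = counts.get(h.reason, 0) + 1
    return counts


# Constructed sample lines (not real telemetry); 192.0.2.10 plays the Citrix ADC.
SAMPLE_LOGS = [
    "2020-01-13T02:14:07Z fw01 action=allow src=198.51.100.23 dst=192.0.2.10 dport=443 method=POST path=/images/../../admin/config",
    "2020-01-13T02:14:09Z fw01 action=allow src=192.0.2.10 dst=185.178.45.221 dport=80 method=GET url=http://185.178.45.221/ci.sh",
    "2020-01-13T02:14:10Z dns01 client=192.0.2.10 qname=vilarunners.cat qtype=A",
    "2020-01-13T02:15:00Z fw01 action=allow src=203.0.113.5 dst=192.0.2.10 dport=443 method=GET path=/index.html",
    "2020-01-13T02:15:30Z fw01 action=allow src=192.0.2.10 dst=195.179.163.186 dport=443 method=GET path=/",
    "2020-01-13T02:16:02Z fw01 action=allow src=198.51.100.23 dst=192.0.2.10 dport=443 method=GET path=/static/%2e%2e/%2e%2e/",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.reason} {h.indicator}")
    print(summarize(scan_log(SAMPLE_LOGS)))
```

The outbound connection from the ADC to an IOC address plus a fetch of ci.sh (line 2) and the DNS lookup (line 3) are the post-exploit signals the post describes; the inbound traversal hits (lines 1 and 6) are only exploit attempts and, as the second conclusion notes, need a follow-up check for artefacts before they are treated as a compromise.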

Even with the multitude of detection and discovery methodologies, the best way to deal with a known serious vulnerability is to patch it as soon as the patch becomes available. Since the initial disclosure of the vulnerability, Citrix has released patch updates for the impacted versions. After applying the patch fixes from Citrix, affected clients should also make use of the Verification Tool Citrix provides to verify that the mitigation steps and patch fixes have been applied correctly. Should the patch fixes provided by Citrix not be a suitable solution, the mitigation steps provided by Citrix alongside the vulnerability disclosure should be followed. Your cybersecurity team should closely follow vendor-recommended best practices to ensure you’re patching known vulnerabilities as soon as possible.

The Vulnerability Remediation Challenge and Patch Tuesday

For the past twelve years, Microsoft’s Patch Tuesday has been a monthly reminder of the challenges of vulnerability remediation. For IT and security teams, Patch Tuesday means it’s time to assess another batch of security updates and decide which ones to deploy and when, and which ones to defer, either indefinitely or at least temporarily. Microsoft’s steady stream of updates, combined with those from other enterprise vendors, is enough to keep IT teams very busy. And then there are the periodic “big ones” such as Heartbleed, Shellshock, or POODLE that have widespread impact (more work) and invite intensive executive-level interest (more oversight) in the vulnerability remediation process.

As quickly as IT and security operators familiarize themselves with new vulnerabilities and updates, so do cybercriminals, who create, trade, or rent exploits for them. And with profit as motivation, cybercriminals are at least as attentive as IT staffs, if not more so. While these bad actors have access to easily deployed exploits and can choose their targets, every organization is facing tighter budgets and a growing number of devices and applications. In this cyberwar, the cybercriminals are better equipped for their mission than the defenders inside the organization.

While very informative, the details accompanying vulnerability scans can also be overwhelming for many organizations. The IT staff may have plenty of data on vulnerabilities and on the remediation alternatives for them, but there’s so much information it’s difficult for many IT staffers to know where to begin. Do you start with:

  • High severity vulnerabilities?
  • Vulnerabilities that affect the key run-the-business systems?
  • Vulnerabilities that are getting the most attention in the form of exploits?

What’s Important?
The answer isn’t that simple. Your priority is not to remediate every vulnerability. It’s to manage the risk posed by the vulnerabilities, which means knowing which assets in your infrastructure are most valuable to the business. With the perspective of asset value, you can then focus on which vulnerabilities to assess. In most organizations, the analysis process is manual. This requires people to be knowledgeable about how their networks, servers and applications are configured.

Next….
Once you know which vulnerabilities matter, you still have to decide what to do. For example:

  • Some vulnerabilities are effectively non-exploitable — the host systems or applications are sufficiently protected with compensating controls that the chances of an exploit being successful is close to zero.
  • Some vulnerabilities are resident because the application or server includes older versions of software —if upgraded, this will break the application or service.
  • Some vulnerabilities impact systems or applications that are so critical to running the business that you cannot risk any action that could disrupt the system or application.

Adding It All Up: It’s Time-Consuming
Working through all of the above analysis just to get to a point where you actually perform the remediation takes a lot of time. Time you probably need to devote to other activities. Time you definitely can’t make up. NopSec recently released the results of a study from which we’ve excerpted a table (below). The key take-away — many organizations take a lot of time to remediate vulnerabilities; 176 days in the case of financial firms. That’s a really long window of exposure for any organization!

Source: Nopsec, 2015

We’ve heard about this problem from a lot of companies we talk to and we know the effort that’s required in our own operations to address vulnerabilities. That’s why we created a service to address this problem for our customers. Please check it out and let us know if you think we’re on target – or off. Oh – and Patch Tuesday…? Microsoft has been less than clear on whether this will continue or morph to something less regular. Let’s hope for us all that they will continue to help us keep the important information safe.

VULNERABILITY – OFFICE 365 ZWSP DETECTION

Earlier this month, security researchers at Avanan discovered a new zero-width space (ZWSP) vulnerability that was confirmed to have affected Office 365 environments between November 10th, 2018 and January 9th, 2019. ZWSP strings are non-printing Unicode characters normally used for benign purposes, such as enabling line wrapping in long words. However, with this vulnerability attackers used ZWSP characters such as U+200B (the HTML entity &#8203;) to break up malicious URLs in order to avoid detection by security measures. In the case of Office 365, this technique allowed malicious URLs to completely bypass the security checks of both Office 365 EOP and Office 365 ATP.

Normally, Office 365 security checks would have successfully examined and detected a malicious URL string sent to a user via email. Subsequently, any user clicking a malicious embedded link would be redirected to a red Microsoft security splash page alerting the user to the potential risks of proceeding to the associated webpage. However, by using the ZWSP vulnerability an attacker could open the raw HTML of an email and modify a malicious URL such as “www.verybadstuff.com” to become “www[ZWSP].verybadstuff[ZWSP].com” (where [ZWSP] marks the invisible U+200B character), completely bypassing the Office 365 security checks.
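The bypass works because the filter compares the URL as written in the HTML, while the recipient's client renders (and follows) a URL with the invisible characters dropped. The script below is an added example, not Avanan's or Microsoft's code, of the defensive normalization a URL filter needs: decode numeric HTML entities, strip zero-width code points, and only then compare the host against a blocklist. The blocklist entry reuses the post's placeholder domain www.verybadstuff.com, and the sample URLs are constructed for the example.

```python
import re
from typing import Dict, Iterable, Tuple

# Zero-width / invisible code points that can be inserted into a URL without changing how
# it renders. U+200B is the ZWSP the post describes; the others are its usual companions.
ZERO_WIDTH = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE (BOM)
}
_ZW_RE = re.compile("[" + "".join(sorted(ZERO_WIDTH)) + "]")

# Numeric HTML entities (&#8203; or &#x200B;): the post notes the attacker edits the raw
# HTML, so the zero-width character may arrive as an entity rather than a literal code point.
_ENTITY_RE = re.compile(r"&#(?:x([0-9a-fA-F]+)|([0-9]+));")


def decode_numeric_entities(text: str) -> str:
    """Replace &#NNNN; / &#xHHHH; with the code point they name (what the mail client does)."""
    def repl(m: "re.Match[str]") -> str:
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(cp) if cp <= 0x10FFFF else m.group(0)
    return _ENTITY_RE.sub(repl, text)


def contains_zero_width(raw: str) -> bool:
    """True if the URL, after entity decoding, carries any zero-width code point."""
    return bool(_ZW_RE.search(decode_numeric_entities(raw)))


def normalize_url(raw: str) -> str:
    """The URL the recipient actually visits: entities decoded, zero-width characters removed."""
    return _ZW_RE.sub("", decode_numeric_entities(raw))


def host_of(url: str) -> str:
    """Crude host extraction: drop the scheme, then cut at the first path/query/fragment delimiter."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return re.split(r"[/?#]", rest, maxsplit=1)[0].lower()


BLOCKLIST = {"www.verybadstuff.com"}   # the placeholder domain used in the post

# Constructed samples: how the URL sits in the email HTML before any normalization.
SAMPLES: Dict[str, str] = {
    "plain":      "www.verybadstuff.com",
    "zwsp":       "www\u200b.verybadstuff\u200b.com",
    "entity":     "www&#8203;.verybadstuff&#8203;.com",
    "hex_entity": "https://www&#x200B;.verybadstuff.com/login",
    "benign":     "www.example.com",
}


def evaluate(raw_url: str, blocklist: Iterable[str] = BLOCKLIST) -> Tuple[bool, bool, bool]:
    """Return (blocked_by_naive_check, blocked_after_normalization, had_zero_width).

    The naive check compares the raw string's host, which is what the bypass defeated;
    the normalized check compares the host the user would really be sent to."""
    blocklist = set(blocklist)
    naive = host_of(raw_url) in blocklist
    normalized = host_of(normalize_url(raw_url)) in blocklist
    return naive, normalized, contains_zero_width(raw_url)


def scan_samples() -> Dict[str, Tuple[bool, bool, bool]]:
    return {name: evaluate(url) for name, url in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, norm, zw) in scan_samples().items():
        print(f"{name:10s} naive_blocked={naive!s:5} normalized_blocked={norm!s:5} zero_width={zw}")
```

Beyond blocking, the presence of a zero-width character inside a URL host is itself a strong signal: legitimate links have no reason to carry one, so a filter can flag the message on that alone rather than relying on the blocklist.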

While this vulnerability has since been fixed by Microsoft, Avanan reported that over 90% of their client base had been hit with attempted phishing emails that utilized it. Moving forward we expect to see similar techniques used to bypass URL security filters. Nonetheless, we were impressed with the relative ease of exploiting this particular vulnerability. Below we have listed some steps to help safeguard your users.

Proficio Threat Intelligence Recommendations:

  • Regularly conduct phishing awareness training.
  • Perform checks for this vulnerability when performing internal audits.
  • Ensure Microsoft systems have been updated with the latest patches.

Avanan Security Blog – Click Here

Vulnerability Demo Video – Click Here

VULNERABILITY – IE ZERO DAY FLAW (CVE-2018-8653)

In the second half of December 2018, a new IE zero-day, CVE-2018-8653, was discovered. According to Microsoft, the vulnerability exists in the way the “scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” This means that an attacker successfully attacking a machine vulnerable to this flaw would obtain the same rights as the exploited user. If the victim is an administrator, the attacker could take full control of the affected system and perform further exploitation activity by modifying data, installing new software, or creating additional user accounts for future access.

But how could this vulnerability be exploited? The easiest way would be for an attacker to host a specially crafted website that takes advantage of the flaw when browsed to with Internet Explorer. In this scenario, there are a number of techniques an attacker can use to trick victims into accessing the malicious website, the most common being phishing emails with links to the site. According to Cylance researchers, CVE-2018-8653 “utilizes a use-after-free (UAF) to gain arbitrary code execution within the context of jscript.dll by masquerading as a fake RegExpObj.” A use-after-free is an access to heap memory that was previously allocated and then freed; it usually results in a program crash, but can be turned into the execution of arbitrary code. This exploit does not rely on traditional techniques; instead it creates a new call stack alongside the real one, then changes the memory permissions of the heap region where the shellcode is stored so that it can be executed, giving the attacker full control of the system.

In an effort to mitigate malicious attacks, Microsoft released an out-of-band patch ahead of the January 2019 update. The vulnerability affected Internet Explorer 9 on Windows Server 2008, IE 10 on Windows Server 2012, and IE 11 on Windows 7 through 10 as well as Windows Server 2012, 2016 and 2019. At this time, Microsoft has not presented any details about attacks that may already have taken place or the potential associated damage or losses. The update to patch this vulnerability was released on December 19th.

Proficio Threat Intelligence Recommendations:

  • Maintain all software up to date with the latest patches.
  • Refrain from operating with administrative privileges while performing standard work activities.
  • Conduct training on social engineering techniques in order to mitigate the risk of phishing attacks among employees.

Microsoft Report – Click Here

Cylance Report – Click Here

VULNERABILITY – NEW APPLE iOS 12 SCREEN BYPASS DISCOVERED

It didn’t take long until a new lock screen flaw was found in Apple’s new iOS 12, released on 17 September 2018. Spanish researcher Jose Rodriguez published a YouTube video in Spanish detailing the steps of the quite complex passcode bypass. An English-language version of the same video was subsequently published on YouTube.

According to the video, the attacker would need to exploit Siri, which would have to be enabled, to access the phone’s contacts, numbers, emails and photos. It goes without saying that the Face ID functionality must be either disabled or physically obscured. The process is not an easy one: it requires the offender to have physical access to the Apple device and to carry out a total of 37 steps to eventually gain access to the stored pictures.

This is the third time the same researcher has exposed Apple security flaws. The latest bypass appears to work on all Apple devices running iOS 12 (and the iOS 12.1 beta), including the new XS.

Proficio Threat Intelligence Recommendations:

  • The bypass can be mitigated by disabling Siri’s lock screen access via Settings > Face ID and Passcode or Settings > Touch ID and Passcode, then disabling “Allow access when locked”.


General Information – Click Here

VULNERABILITY – New critical vulnerability impacting Apache Struts

A new Apache Struts remote code execution vulnerability, CVE-2018-11776, was recently discovered by security researchers. The root cause of the flaw was identified as a lack of input validation on the URL passed to the Struts framework, affecting all versions of Struts 2.

The criticality of CVE-2018-11776 lies in how deep in the framework it sits: it affects Struts code that is used not by a single functional area but across all libraries used by the web application framework. Following the discovery, the Apache Software Foundation released a patch and urged all users of Struts 2.3 and Struts 2.5 to upgrade to the latest versions. Shortly after the patch was released on August 22nd, a proof-of-concept was posted on GitHub with a Python script that eases exploitation.

Proficio Threat Intelligence Recommendations:

  • Users of Apache Struts are urged to update their Struts framework to its latest version. More technical details and guidelines can be found in the advisory released by the Apache Software Foundation.


General Information – Click Here

VULNERABILITY – Symfony Component Vulnerability Impacting Drupal

In April of this year, attackers began exploiting two critical vulnerabilities in Drupal, a common open source website content-management system. The vulnerabilities were dubbed Drupalgeddon2 (CVE-2018-7600) and Drupalgeddon3 (CVE-2018-7602). This month, a new flaw was discovered in Drupal, this time residing in Symfony HttpFoundation, a component of a third-party library used in Drupal Core. CVE-2018-14773, the CVE assigned to this bug, was found to affect Drupal 8.x versions before 8.5.6.

Symfony released an advisory explaining that the flaw originates from the component’s support for legacy IIS headers. To trigger it, a remote attacker would only need to send a specially crafted “X-Original-URL” or “X-Rewrite-URL” HTTP request header. This overrides the path in the request URL, so the request is routed to a different URL, which leads to a bypass of restrictions placed on the original path.
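The restriction bypass is easiest to see when the check and the routing look at different things: an edge rule (proxy or WAF) inspects the path in the request line, while the application, honouring the legacy headers, routes on whatever the header says. The model below is an added example in plain Python, not Symfony's or Drupal's code; the resolver functions, the edge filter and the protected prefix are all constructed for the example. It contrasts the header-honouring behaviour the advisory describes with the fixed behaviour (ignore the headers) and with the compensating control for an unpatched application (strip the headers at the edge).

```python
from typing import Callable, Dict, Optional

LEGACY_HEADERS = ("x-original-url", "x-rewrite-url")   # the two headers named in the advisory
PROTECTED_PREFIXES = ("/admin",)                        # constructed: what the edge rule denies

Resolver = Callable[[str, Dict[str, str]], str]


def resolve_path_legacy(request_path: str, headers: Dict[str, str]) -> str:
    """Behaviour the advisory describes: the IIS-rewrite headers override the request-line
    path, regardless of who sent them (model of the pre-fix component, not its code)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in LEGACY_HEADERS:
        if name in lowered:
            return lowered[name]
    return request_path


def resolve_path_fixed(request_path: str, headers: Dict[str, str]) -> str:
    """Fixed behaviour: the request line is the only source of the path; the headers are ignored."""
    return request_path


def strip_legacy_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Compensating control for an unpatched application: drop the headers before forwarding."""
    return {k: v for k, v in headers.items() if k.lower() not in LEGACY_HEADERS}


def edge_allows(request_path: str) -> bool:
    """Edge restriction that only ever sees the request line (e.g. a proxy 'deny /admin' rule)."""
    return not request_path.startswith(PROTECTED_PREFIXES)


def serve(request_path: str, headers: Dict[str, str], resolver: Resolver,
          strip_at_edge: bool = False) -> Optional[str]:
    """Edge check on the request line, then the application routes with its resolver.

    Returns the path the application actually served, or None if the edge rejected the request."""
    if not edge_allows(request_path):
        return None
    if strip_at_edge:
        headers = strip_legacy_headers(headers)
    return resolver(request_path, headers)


# Constructed request: an allowed path on the request line, a denied one in the header.
OVERRIDE_HEADERS = {"X-Original-URL": "/admin/users"}


def demo() -> Dict[str, Optional[str]]:
    return {
        "direct_admin":      serve("/admin/users", {}, resolve_path_legacy),
        "legacy_override":   serve("/public", OVERRIDE_HEADERS, resolve_path_legacy),
        "fixed_component":   serve("/public", OVERRIDE_HEADERS, resolve_path_fixed),
        "stripped_at_edge":  serve("/public", OVERRIDE_HEADERS, resolve_path_legacy, strip_at_edge=True),
        "rewrite_header":    serve("/public", {"x-rewrite-url": "/admin"}, resolve_path_legacy),
    }


if __name__ == "__main__":
    for case, served in demo().items():
        print(f"{case:18s} -> {served}")
```

Stripping the headers at the edge is the same idea as Symfony's fix, applied one hop earlier: the advisory title itself says the support was removed, so a request that carries either header in normal traffic is also a reasonable thing to log and alert on.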

According to the advisory the vulnerability was patched in the versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 of the Symfony HttpFoundation component, while Drupal has also fixed the issue in the 8.5.6 version.

The Drupal team also warned of a similar vulnerability affecting the Zend Feed and Diactoros libraries included in Drupal Core, dubbed the ‘URL Rewrite vulnerability’. Drupal confirmed that it does not use the vulnerable functionality, but still recommends fixing it on sites and modules that use either library directly.

Proficio Threat Intelligence Recommendations:

  • Update your vulnerable site with the latest patch, available at symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers or drupal.org/SA-CORE-2018-005
  • Administrators of websites using the Zend Feed or Diactoros directly are advised to patch the ‘URL Rewrite vulnerability’, by reading the Zend Framework security advisory available at framework.zend.com/security/advisory/ZF2018-01

General Information – Click Here

VULNERABILITY: New Bluetooth Hack Affects Millions of Devices from Major Vendors

A Bluetooth vulnerability tracked as CVE-2018-5383 has been found in Bluetooth implementations that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange. The vulnerability affects firmware or operating system software drivers from major vendors like Apple, Broadcom, Intel and Qualcomm, while the implications of the bug for Google, Android and Linux are still unknown. Microsoft products are not vulnerable.

The vulnerability is related to two Bluetooth features – BR/EDR implementations of Secure Simple Pairing in device firmware and Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software.

Apple and Intel have already released patches for this security vulnerability. Broadcom claims to have already made fixes available to its OEM customers, who are now responsible for providing them to end users for products supporting Bluetooth 2.1 or newer technology. Qualcomm has not released any statement regarding the vulnerability.

“Currently there is no evidence of the bug being exploited maliciously and it is not aware of any devices implementing the attack being developed, including the researchers who identified the vulnerability” – Bluetooth SIG. It should also be noted that in order to carry out an attack, the attacker would have to be in range of both of the targeted devices during the pairing process, and both devices would need to be vulnerable to the attack.

Proficio Threat Intelligence Recommendations:

  • Check with the device vendor for the availability of software and firmware updates
  • Ensure that all software and firmware are updated to the latest version

General Information – Click Here

Vulnerability: Zero-Day Flash Flaw

June 7, 2018 – Security firm Qihoo 360 identified a brand new zero-day flaw in Adobe Flash that could leave users vulnerable to executing malicious software without permission.
Attackers have been able to gain access to victims’ devices by sending emails that contain malicious Flash content disguised as a Microsoft Office document. Victims download the document not realizing that it contains a malicious SWF file that connects to a remote server. At this time attackers appear to be targeting only organizations located in the Middle East.

The flaw is tracked as CVE-2018-5002. Adobe has issued an advisory summarizing the vulnerability and providing patches across all operating systems for the Adobe Flash desktop runtime and the Chrome/Edge/IE browser plugins. The versions of Flash vulnerable to this zero-day are 29.0.0.171 and earlier. Adobe has recently released a new Flash update (version 30.0.0.113) that patches the vulnerability.

The Proficio Threat Intelligence Recommendations:

  • Immediately ensure that Adobe Flash is updated to the latest version.
  • Require permission each and every time Flash content attempts to run.

General Info – Click Here

Vulnerability: Google Chrome Browser – CVE-2018-6148: Incorrect handling of CSP header

On May 23rd, a security researcher reported a vulnerability in the Chrome desktop browser (before version 67.0.3396.79) that causes mishandling of the Content Security Policy (CSP) header. The CSP header allows website developers to implement a second layer of security on their websites to prevent possible malicious activity. The vulnerability bypasses the SECURITY_CHECK in Chrome, allowing possible cross-site scripting, clickjacking, and various types of code injection attacks against vulnerable users browsing affected websites.

Google released a Chrome patch on June 05 fixing the vulnerability and raising the version to 67.0.3396.79. Chrome has reserved CVE-2018-6148 for the vulnerability but is restricting details surrounding the bug until the majority of Chrome users have updated, to prevent threat actors from exploiting it.

The Proficio Threat Intelligence Recommendations:

  • Update Chrome to the latest version
  • Always make sure to stay up to date on application updates and security patches

Patch Release Page – Click Here
General Info – Click Here