Newsletters

Written content from the Risky Business Media team

Risky Biz News: CitrixBleed vulnerability goes from bad to disastrous

Presented by

Catalin Cimpanu

News Editor

A Citrix vulnerability has entered the dangerous stage of mass exploitation as multiple threat actors are compromising unpatched devices all over the internet in a race with each other to steal their session tokens.

Known as CitrixBleed and tracked as CVE-2023-4966, the vulnerability impacts Citrix ADC and Citrix NetScaler, which are extremely complex networking devices used in large enterprise and government networks in multiple roles, such as gateways, proxies, caching, VPN servers, and a bunch of other stuff.

The vulnerability allows threat actors to send junk data to the Citrix OpenID component that will crash and leak a part of the device's memory. The bad part is that, in some cases, this memory may contain session tokens that attackers can collect and then bypass authentication and access the device. For a more technical explanation, check this write-up from Assetnote researchers.

Risky Biz News: First Kazakhstan-based APT discovered, tries to disguise itself as Azerbaijan

Presented by

Catalin Cimpanu

News Editor

In a blog post this week, researchers with Cisco Talos have formally linked a cyber-espionage group named YoroTrooper to Kazakhstan, making it the first official APT group operating out of the country.

First spotted in the wild in June 2022, the group has followed the pattern of most nascent cyber espionage programs, starting with run-of-the-mill commodity malware and slowly moving to custom capabilities in recent attacks.

Throughout the past year, the group has primarily targeted former Soviet states in what appears to be a classic intelligence collection operation meant to support Kazakhstan's state objectives.

Hacktivists Strike At Ransomware's Soft Underbelly

Presented by

Tom Uren

Policy & Intelligence

A purported group of pro-Ukrainian cyber activists, the Ukrainian Cyber Alliance, has disrupted an active ransomware gang, known as Trigona, by hacking and deleting the group's servers.

If a group of hacktivists can compromise a ransomware gang, these gangs are certainly susceptible to operations run by better organised and resourced state cyber outfits.

While the hacktivists’ actions will hurt, this is probably a speed hump for Trigona rather than an enduring disruption. The group claims that it will return quickly.

Risky Biz News: 1Password joins the list of Okta victims

Presented by

Catalin Cimpanu

News Editor

Password management service 1Password has joined the list of companies that have been impacted by a recent security breach at identity provider Okta.

1Password becomes the third company known to be affected by the Okta breach—after BeyondTrust and Cloudflare.

The Okta incident is the second major hack the company disclosed after a January 2022 incident when 366 companies had their Okta environments accessed.

Risky Biz News: Cisco IOS XE hackers are hiding their tracks as patches come out

Presented by

Catalin Cimpanu

News Editor

Over the past three days—since our last newsletter edition—the situation around the latest zero-day attacks targeting Cisco IOS XE devices has drastically changed, and we feel the need to cover it in our featured section and provide a short summary of what has been going on.

Although these attacks have been taking place since at least September 28, news of this campaign came out last Monday, on October 16, when Cisco revealed the existence of a zero-day tracked as CVE-2023-20198 in the web administration panel of its IOS XE operating system.

The zero-day allowed threat actors to create an admin account with the highest level of privileges on devices that had their WebUI panel exposed on the internet.

Risky Biz News: Two ransomware gang websites go puff!

Presented by

Catalin Cimpanu

News Editor

Two ransomware gangs have had their dark web server infrastructure disrupted this week in two extremely different circumstances, with hacktivists wiping the servers of the Trigona gang and law enforcement seizing RagnarLocker's infrastructure a day later.

The first to fall was Trigona, a ransomware operation that began operations in June of last year.

In Facebook and Twitter posts, a group of pro-Ukrainian hacktivists named the Ukrainian Cyber Alliance said they hacked the backend servers supporting Trigona's operations.

Mature Organisations Still a Security Horror Show

Presented by

Tom Uren

Policy & Intelligence

CISA and NSA have published a joint advisory on the most common misconfigurations experienced in cases across federal and state governments, the defence industrial base and critical infrastructure operators.

You would expect to see well-configured networks at these organisations, but the CISA/NSA advisory says these misconfigurations occurred even in networks with "mature cyber postures". The list is made up of 101-level problems:

The report describes these misconfigurations as "systemic weaknesses across many networks". Given that getting these settings right is 'basic cyber hygiene', these misconfigurations shouldn't exist in an organisation with a mature cyber posture.

Risky Biz News: Mysterious APT compromises Asian government's secure USBs

Presented by

Catalin Cimpanu

News Editor

A mysterious APT group has compromised secure USB drives used by an Asian country's government to safely store and physically transfer data between sensitive government systems.

Spotted by Kaspersky, the attacks took place in early 2023. While the security firm has not attributed the operation to any particular APT group or state, the campaign is extremely likely to be Chinese in origin. Chinese APT groups—such as Camaro Dragon, Temp.Hex, UNC4191, Mustang Panda, and Tropic Trooper—have used USB drives as a way to distribute malware across the APAC region for the past several years, and some of these campaigns have recently been seen in Africa and Europe as well.

But while previous campaigns targeted your run-of-the-mill USB thumb drives, Kaspersky says this campaign targeted "a specific type of a secure USB drive" used by that country's government agencies.

Risky Biz News: Israel warns citizens of security camera hack risk

Presented by

Catalin Cimpanu

News Editor

In the face of an escalating military conflict with Hamas and Hezbollah forces, the Israeli government has asked citizens to secure home security cameras or shut them down completely, fearing the devices could be hacked and used for espionage and intelligence collection.

In a memo on Friday, Israel's National Cyber Directorate asked camera owners to change their passwords, enable two-factor authentication if available, and enable automatic security updates.

If camera owners can't change any of their settings, officials have urged owners to either cover camera lenses or shut down devices completely.

Risky Biz News: Microsoft takes NTLM behind the shed

Presented by

Catalin Cimpanu

News Editor

Microsoft has announced plans to disable support for the NTLM authentication protocol in a future version of Windows 11.

Even if Microsoft has not put out a hard cut-off date, this is good news regardless, as it sets the stage for the protocol to be removed after 30 years of use.

Short for New Technology LAN Manager, the protocol was introduced in 1993 with the release of Windows NT 3.1. It was the primary user authentication protocol until Windows 2000, when it was replaced by Kerberos.