Hackers Target Unpatched Citrix with Ransomware Attacks
Attackers are scanning the internet for Citrix appliances that remain unpatched against the CVE-2019-19781 [1] vulnerability. Vulnerable devices include the Citrix Application Delivery Controller (ADC), Citrix Gateway, and two older versions of Citrix SD-WAN WANOP. The vulnerability was disclosed in mid-December 2019; internet-wide attacks began after January 11, 2020, when proof-of-concept exploit code was published online and became available to anyone.
Citrix has now released permanent fixes for the actively exploited CVE-2019-19781 vulnerability for all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.
The CyberSecOp team has observed scanning against multiple clients' Citrix Gateway appliances attempting to exploit this vulnerability.
Timeline
On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0.
On January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances.
On January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0.
On January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.
A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[2] This vulnerability has been detected in exploits in the wild.[3]
The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.
Timeline of Specific Events
December 17, 2019 – Citrix released Security Bulletin CTX267027 with mitigation steps.
January 8, 2020 – The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability, and CISA released a Current Activity entry.
January 10, 2020 – The National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781.
January 11, 2020 – Citrix released blog post on CVE-2019-19781 with timeline for fixes.
January 13, 2020 – CISA released a Current Activity entry describing its utility that lets users and administrators test whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.
January 16, 2020 – Citrix announced that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.
January 19, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes.
January 22, 2020 – Citrix released security updates for Citrix SD-WAN WANOP releases 10.2.6 and 11.0.3.
January 22, 2020 – Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781.
January 23, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0.
January 24, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway version 10.5.
Technical Details
Impact
On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.
The vulnerability affects the following appliances:
Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds (a fixed build was released on January 24, 2020)
Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15
Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13
Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 12.1.55.18
Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 13.0.47.24
Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).
What Customers Should Do
Exploits of this issue against unmitigated appliances have been observed in the wild. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation, which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who choose to apply the mitigation first should still upgrade all of their vulnerable appliances to a fixed build as soon as possible. Subscribe to bulletin alerts at https://support.citrix.com/user/alerts to be notified when new fixes are available.
The following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until the system has been updated to a fixed build: CTX267679 - Mitigation steps for CVE-2019-19781
After applying the mitigation, customers should verify that it is actually in effect using the tool published here: CTX269180 - CVE-2019-19781 – Verification Tool. Verification matters: Citrix reported that a policy-processing bug on certain Citrix ADC 12.1 builds prevents the responder-policy mitigation from blocking the malicious requests, so having applied the steps is not by itself proof of mitigation. Note also that the mitigation only blocks new exploitation attempts; an appliance that was exposed before the mitigation was applied may already be compromised, which is what the Citrix/FireEye Mandiant IOC scanning tool is for.
Fixed builds have been released across all supported versions of Citrix ADC and Citrix Gateway, and for the applicable Citrix SD-WAN WANOP appliance models. Citrix strongly recommends that customers install these updates as soon as possible. The fixed builds can be downloaded from https://www.citrix.com/downloads/citrix-adc/, https://www.citrix.com/downloads/citrix-gateway/ and https://www.citrix.com/downloads/citrix-sd-wan/
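As an added example (not part of this bulletin, and not the Citrix/FireEye Mandiant IOC scanner or the CISA test utility), the Python below scans web-server access-log lines for the publicly documented exploitation pattern behind CVE-2019-19781: a request that traverses from the /vpn/ path into the /vpns/ directory using /../, which is also the request the interim responder policy blocks. The log lines and IP addresses are constructed for the example, and the log format is assumed to be Apache common log format; adapt the regular expression if your exported logs differ.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (Apache common log format assumed).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:21:03:12 +0000] "GET /vpn/index.html HTTP/1.1" 200 5124
203.0.113.10 - - [11/Jan/2020:21:03:14 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.10 - - [11/Jan/2020:21:03:15 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.7 - - [11/Jan/2020:21:04:01 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
198.51.100.7 - - [11/Jan/2020:21:04:30 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_traversal_to_vpns(path: str) -> bool:
    """True if the request path reaches /vpns/ through directory traversal.

    The path is URL-decoded twice so that %2e%2e and double-encoded
    %252e%252e both normalise to '..' before the check.
    """
    decoded = unquote(unquote(path)).lower()
    return "/vpns/" in decoded and "/../" in decoded


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one record per log line that matches the traversal pattern."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_to_vpns(m["path"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            # A 200 means the appliance served the traversal request, i.e. it
            # was unmitigated at that moment and may be compromised; a 403 is
            # what the responder-policy mitigation returns.
            "verdict": "served (unmitigated, possible compromise)" if status == 200 else "blocked",
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any hit with status 200 is a trigger for running the IOC scanner and treating the appliance as potentially compromised; hits with 403 confirm the mitigation was in place for that request but still identify sources to block.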
If you would like to learn more about CVE-2019-19781 vulnerability & risk mitigation, please contact CyberSecOp at the following support@cybersecop.com
NSA Reported a Critical Flaw in Microsoft Windows 10
The National Security Agency (NSA) recently discovered a vulnerability in Microsoft's Windows 10 operating system. Rather than keeping the flaw for its own intelligence gathering, the NSA worked with Microsoft to issue patches and publicly raise awareness.
On January 14, 2020, Microsoft released a set of patches for the Windows platform. While all of the issues addressed in the release are serious, this article discusses one of them: CVE-2020-0601, a flaw in Microsoft Windows cryptographic functionality. Above all, we urge everyone to take action and patch their systems.
The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. It affects Windows 10 and Windows Server 2016/2019, as well as applications that rely on Windows for trust functionality. Exploitation allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be affected include:
HTTPS connections
Signed files and emails
Signed executable code launched as user-mode processes
Vulnerability
CVE-2020-0601 is a serious vulnerability because it can be exploited to undermine Public Key Infrastructure (PKI) trust. PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways. The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them.
Microsoft explanation of the vulnerability
Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.
Windows CryptoAPI (crypt32.dll) fails to properly validate certificates, which may allow an attacker to spoof the validity of certificate chains. This vulnerability may not seem flashy, but it is a critical issue: trust mechanisms are the foundation on which the Internet operates.
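The publicly documented root cause (from Microsoft's advisory and the NSA guidance) is specific to ECC certificates that carry explicit curve parameters: when matching a certificate against a cached trusted root, CryptoAPI compared the public key point Q but not the curve's generator G. An attacker who chooses their own private key d' and sets the generator to G' = d'^-1 · Q then holds a private key for the root's public key on a curve of their own description. The Python below is an added illustration, not code from this page, Microsoft or the NSA; it works the arithmetic on a small textbook curve (y² = x³ + 2x + 2 over GF(17), with a generator of order 19, chosen for readability rather than any real-world curve) and contrasts a key-only match with a match that also compares the curve parameters.

```python
# Added illustration of the CVE-2020-0601 root cause on a toy curve.
# Curve: y^2 = x^3 + 2x + 2 over GF(17); G = (5, 1) has prime order 19.
# (Assumption for readability only; real certificates use curves like P-256.)
P, A, B = 17, 2, 2
G = (5, 1)
N = 19
INF = None  # point at infinity


def inv(x, m):
    """Modular inverse for a prime modulus m (Fermat's little theorem)."""
    return pow(x % m, m - 2, m)


def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication by double-and-add."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


# Trusted root CA key pair on the standard parameters.
D_ROOT = 7
Q_ROOT = mul(D_ROOT, G)
ROOT_PARAMS = (P, A, B, G, N)


def forge_parameters(q_root, d_attacker):
    """Attacker picks d' and derives G' = d'^-1 * Q so that d' * G' == Q.

    The forged certificate carries (P, A, B, G', N) as explicit parameters and
    the root's public key Q; the attacker knows d' and can sign under it.
    """
    g_prime = mul(inv(d_attacker, N), q_root)
    return (P, A, B, g_prime, N)


def matches_key_only(cert_pub, cert_params, root_pub, root_params):
    """Vulnerable check: a certificate is 'the root' if its public key matches."""
    return cert_pub == root_pub


def matches_key_and_params(cert_pub, cert_params, root_pub, root_params):
    """Correct check: the curve parameters, generator included, must match too."""
    return cert_pub == root_pub and cert_params == root_params


def demo(d_attacker=3):
    forged = forge_parameters(Q_ROOT, d_attacker)
    g_prime = forged[3]
    # Sanity check: the attacker's private key really maps to the root's public key.
    assert mul(d_attacker, g_prime) == Q_ROOT
    return {
        "Q": Q_ROOT,
        "G_prime": g_prime,
        "vulnerable_accepts": matches_key_only(Q_ROOT, forged, Q_ROOT, ROOT_PARAMS),
        "fixed_accepts": matches_key_and_params(Q_ROOT, forged, Q_ROOT, ROOT_PARAMS),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the key-only check accepting the forged parameters while the parameter-aware check rejects them. The lesson is not Windows-specific: any verifier that caches trusted keys must treat the curve parameters as part of the key's identity, or, better, reject explicit parameters altogether and accept only named curves.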
Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.
Mitigation Actions
NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems. In the event that enterprise-wide, automated patching is not possible, NSA recommends system owners prioritize patching endpoints that provide essential or broadly relied-upon services. Examples include:
Windows-based web appliances, web servers, or proxies that perform TLS validation.
Endpoints that host critical infrastructure (e.g. domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation).
Prioritization should also be given to endpoints that have a high risk of exploitation. Examples include:
Endpoints directly exposed to the internet.
Endpoints regularly used by privileged users.
Administrators should be prepared to conduct remediation activities, since unpatched endpoints may already be compromised. Applying patches to all affected endpoints is recommended, when possible, over prioritizing specific classes of endpoints. Other actions can be taken in addition to installing patches: network devices and endpoint logging features may prevent or detect some methods of exploitation, and once the January 2020 update is installed, Windows records an attempted use of a forged certificate as Event ID 1 from the Microsoft-Windows-Audit-CVE provider in the Application event log, which is worth forwarding to your SIEM. Installing all patches remains the most effective mitigation.
Cyber Attack Bulletin
1) FBI, DHS issue bulletin warning of potential Iranian cyberattacks.
The FBI and Department of Homeland Security (DHS) issued a bulletin to law enforcement groups last Wednesday warning of the potential for Iran to target the U.S. with cyber attacks in the wake of raised tensions following the death of Iranian General Qassem Soleimani.
2) In one survey of black hat hackers, 73% said traditional firewall and antivirus security is irrelevant or obsolete, and 80% said that humans are the most responsible for security breaches.
3) Traditional perimeter-based security is not enough to stop cyberattacks.
According to Verizon's Data Breach Investigations Report, over half, and trending toward 100%, of recent data breaches involved compromised credentials.
4) There is a cyber attack every 39 seconds.
By the time the average person takes a selfie and uploads it to Instagram, the next hacker attack has already taken place.
Ransomware Revenue 2019 - Demand Cost Increases
Ransomware is a type of malware that prevents users from accessing their data until a ransom is paid. Payment is usually demanded in cryptocurrency to make the money harder to trace. Phishing is the most visible delivery method: operators trick users into clicking malicious links, often by imitating the general look of a legitimate email. It is not the only one; exposed remote-access services and unpatched internet-facing appliances, such as the Citrix gateways discussed above, are also routinely used to get in. Organizations interviewed by CyberSecOp report data loss and major downtime as the result of ransomware attacks. Both outcomes are extremely costly, especially for larger businesses with hundreds of employees; significant downtime can mean millions of dollars in lost revenue and decreased customer trust.
Ransomware as a Cybercriminal Career Path
If you were considering becoming a cybercriminal, or were a traditional villain looking to upgrade your skills for the 21st century, your business model of choice would almost certainly be a ransomware operation, thanks to the simplicity of Ransomware-as-a-Service platforms and the willingness of victims to pay.
Why Ransomware Is the Most Common Attack
The main reason for the runaway success of ransomware as an attack vector is its effectiveness at generating money for cybercriminals. Pseudonymous cryptocurrency payments such as Bitcoin make paying simple for victims and low-risk for the operators (Bitcoin transactions are visible on the public ledger, but cashing out through lightly regulated exchanges has historically been easy). Some companies have even started keeping a Bitcoin reserve ready in case they are hit and cannot recover on their own.
Ransomware big newsmakers
The biggest newsmaker of 2019 was the Baltimore city government. The city's computer systems were hit with ransomware in May 2019, crippling municipal services for over a month. Estimates put the cost of recovery at over $18 million, although the criminals behind the ransomware demanded only about $76,000 worth of Bitcoin. The attack took down city email, online payment systems, and property transactions. About a year earlier, the Atlanta city government spent over $17 million recovering from a ransomware attack whose demand was about $52,000 in Bitcoin.
The big tech giants are getting hit by ransomware too
Popular software-as-a-service (SaaS) applications are being hit by ransomware too. A survey of managed service providers found that Dropbox, Office 365, G Suite, Azure, and Amazon Web Services had all experienced ransomware attacks in some form.
Ransomware Demand cost increases
Average ransom demands rose rapidly to about $36,000 in the second quarter of 2019. Even that understates the risk, because perpetrators have adopted a more sophisticated pricing model that charges larger organizations far higher ransoms to unlock their data. Riviera Beach, FL, for example, paid $600,000 to unlock city records encrypted by a ransomware gang, and the Korean hosting company Nayana paid about $1 million in 2017 to unlock 3,400 hosted websites.
Refusing to pay can cost even more, as Norwegian aluminum maker Norsk Hydro learned when it spent $58 million in the first half of 2019 remediating the ransomware attack it suffered in March; the company's Q1 profit also fell 82% because of production downtime. The implications for security professionals are clear. The time has come to move from a purely reactive posture toward ransomware to a proactive one: finding and fixing the exposures ransomware operators actually use (unpatched internet-facing services, remote access without multi-factor authentication) and keeping tested, offline backups so that paying is never the only way to recover.
98% of traced ransomware proceeds were cashed out through the cryptocurrency exchange BTC-e
Windows 7 Support Ends January 14, 2020
Windows 7 reaches End of Life (EOL) on 14 January 2020, but a large number of the world's computers, most of them in corporate environments, are still running the ten-year-old system.
Microsoft ended mainstream support for Windows 7 in January 2015, with extended support running until 14 January 2020. Businesses that fail to migrate in time will face significant fees for further support from Microsoft.
End of Life means no more bug fixes, security patches or new functionality, making any user, personal or enterprise, significantly more susceptible to malware. As it did with Windows XP, Microsoft will continue to offer paid Extended Security Updates (ESU) for Windows 7 Professional and Enterprise customers who cannot yet move to Windows 10, for up to three years and at a price that rises each year; ESU delivers security fixes only, and consumer editions are not eligible. Running an unsupported operating system leaves a computer particularly exposed to attacks, including but not limited to phishing and ransomware, because new vulnerabilities will keep being found but will never be fixed.
If you would like to learn more about Windows 7 End of Life risk mitigation, please contact CyberSecOp at the following support@cybersecop.com
Get protected with CyberSecOp: data breach protection for organizations that use cloud or on-premises solutions. CyberSecOp assists organizations with cyber security incidents, ransomware remediation, privacy regulations, NIST, ISO 27001, GDPR, HIPAA, PCI, PII, and cyber insurance policies that require you to identify and protect PII/PCI/PHI. Don't risk regulatory fines. Stay compliant with CyberSecOp Security Compliance and Cyber Incident Response Services.
FBI, DHS, DFS, & NFA Information Security Alert
There is a current heightened risk of cyber attacks from the Iranian Government, which has vowed to retaliate against the United States for the death of Qassem Soleimani. Given Iranian capabilities and history, U.S. entities should prepare for the increased possibility of cyber-attacks.
What is most concerning about Iran's cyber-attack history is that it has particularly targeted the U.S. financial services industry. In June 2019, the U.S. government advised that it had observed a "recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies," and Iranian attackers are increasingly using highly destructive attacks that delete or encrypt data.
The New York State Department of Financial Services (DFS), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) strongly recommend that all U.S. entities heighten their vigilance against cyber attacks. All entities should be prepared to respond quickly to any suspected cyber incident. Historically, Iranian-sponsored hackers have primarily relied on common tactics such as email phishing, credential stuffing, password spraying, and the targeting of unpatched devices.
DFS, DHS, and the FBI recommend that all entities ensure that all vulnerabilities, especially publicly disclosed ones, are patched or remediated; that employees are adequately trained to recognize phishing; that multi-factor authentication is implemented; that disaster recovery plans are reviewed and updated; and that further alerts from the government or other reliable sources are acted on promptly. It is particularly important that alerts and incidents receive a prompt response even outside regular business hours: Iranian hackers are known to prefer attacking over weekends and at night, precisely because weekday staff may not be available to respond immediately.
For more information or if you have any concerns over heightening cybersecurity at your firm, please contact us at Support@cybersecop.com