Daily Cyber Briefing 1-20-20 - Citrix Patching and more...
James J A.
Global CISO | Founder X2 | Thinker to Execution | Energy & ICS | FinTech & SaaS | Podcast Host | Cyber 2021 40 under 40 |
Today is Monday January 20th, 2020 and here are today’s most pressing cyber stories in under 5 minutes.
Citrix Patches CVE-2019-19781 Flaw in Citrix ADC 11.1 and 12.0
Citrix released permanent fixes for the actively exploited CVE-2019-19781 vulnerability impacting Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances and allowing unauthenticated attackers to perform arbitrary code execution.
"Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here," Citrix's CISO Fermin J. Serna says in an update published today.
"These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.
It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes."
Besides releasing these permanent fixes for the CVE-2019-19781 flaw, Citrix also says that it has fast-forwarded the "availability of permanent fixes for other ADC versions and for SD-WAN WANOP," with the new dates being moved to:
- ADC version 12.1, now January 24
- ADC version 13 and ADC version 10.5, now January 24
- SD-WAN WANOP fixes, now January 24
Citrix advises all customers to apply the mitigation measures to ADC versions 12.1, 13 and 10.5 and to SD-WAN WANOP versions 10.2.6 and 11.0.3 appliances until a permanent fix is available.
"Once complete, you can use the tool we have previously provided to ensure the mitigations have successfully been applied," Serna added.
"While all the mitigations associated with CVE-2019-19781 are effective across all known scenarios, we strongly encourage customers to apply the permanent fixes as soon as possible."
FireEye researchers discovered that an unknown threat actor is scanning for Citrix ADC servers and securing them against CVE-2019-19781 exploitation attempts, while at the same time deploying a backdoor to maintain future access.
The Cybersecurity and Infrastructure Security Agency (CISA) released its own public domain tool designed to enable security staff to test if their organizations' servers are vulnerable on January 13, while the Dutch National Cybersecurity Centre (NCSC) advised companies four days ago to shut down vulnerable Citrix appliances until a reliable fix is available.
FBI: Nation-state actors have breached two US municipalities
Nation-state hackers breached the networks of two US municipalities last year, the FBI said in a security alert sent to private industry partners last week.
The hacks took place after attackers used the CVE-2019-0604 vulnerability in Microsoft SharePoint servers to breach the two municipalities' networks.
The FBI says that once attackers got a foothold on these networks, "malicious activities included exfiltration of user information, escalation of administrative privileges, and the dropping of webshells for remote/backdoor persistent access."
"Due to the sophistication of the compromise and Tactics, Techniques, and Procedures (TTPs) utilized, the FBI believes unidentified nation-state actors are involved in the compromise," the agency said in its security alert.
The FBI could not say if both intrusions were carried out by the same group. The agency also did not name the two hacked municipalities; however, it reported the two breaches in greater detail, listing the attackers' steps in each incident.
One incident was:
An unpatched SharePoint server was utilized to gain access to a US municipality's network, steal the Active Directory (AD) database, compromise administrative credentials, and drop webshells for remote/backdoor access to the compromised servers.
Four ASPX webshells, all of which appeared to be variants of commonly available or open-source webshells, were uploaded to the compromised SharePoint server and used to facilitate additional access. The cyber actors uploaded a variety of publicly available and open-source credential harvesting tools, such as Mimikatz, the PowerSploit framework and PsExec, to the C:\ProgramData\ directory. The actors named most of the tools with single-letter filenames (e.g., k.exe and h.bat) before deploying them to other systems on the network.
The SharePoint server was used as a pivot point on the network, allowing unauthorized access via compromised local administrator credentials. At least five machines on the municipality's network contained evidence of similarly named executables staged in the C:\ProgramData\ directory. Over 50 hosts on the network showed evidence of Mimikatz execution. There is also evidence that the actors used the kerberoasting technique to target Kerberos service tickets. The actors were able to successfully gain access to several domain administrator accounts.
The intrusion appears to have been detected while the actors were still in the reconnaissance phase of the intrusion, so their actual objectives on target could not be determined.
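The first incident gives a defender two concrete hunting signals: single-letter executables staged in C:\ProgramData\ and command lines carrying credential-tool markers. The following added example (not from the FBI alert or this briefing) runs both checks over constructed process-creation events; the host names, paths and command lines are made-up sample data.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: (host, image path, command line).
# Hypothetical data modelled on the tradecraft described in the alert.
SAMPLE_EVENTS = [
    ("SP01", r"C:\ProgramData\k.exe", "k.exe sekurlsa::logonpasswords"),
    ("FS02", r"C:\ProgramData\h.bat", "h.bat"),
    ("WS07", r"C:\Program Files\Git\bin\git.exe", "git pull"),
    ("SP01", r"C:\ProgramData\p.exe", r"p.exe \\FS02 -s cmd.exe"),
    ("DC01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("WS09", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -c Invoke-Mimikatz -DumpCreds"),
    ("FS02", r"C:\ProgramData\m.exe", "m.exe"),
]

# Single-letter executable staged directly under C:\ProgramData (case-insensitive).
SINGLE_LETTER_IN_PROGRAMDATA = re.compile(
    r"^c:\\programdata\\[a-z]\.(exe|bat|ps1|dll)$", re.I)

# Command-line fragments characteristic of the tooling named in the alert.
# Renamed binaries (e.g. PsExec copied as p.exe) will NOT match these markers,
# which is why the path heuristic above is checked independently.
TOOL_MARKERS = ("sekurlsa::", "mimikatz", "invoke-mimikatz", "powersploit", "psexec")


def classify_event(host, image, cmdline):
    """Return the list of reasons one event is suspicious (empty if benign)."""
    reasons = []
    if SINGLE_LETTER_IN_PROGRAMDATA.match(image):
        reasons.append("single-letter executable staged in C:\\ProgramData")
    low = cmdline.lower()
    for marker in TOOL_MARKERS:
        if marker in low:
            reasons.append(f"credential-tool marker '{marker}' in command line")
    return reasons


def hunt(events):
    """Aggregate hits per host: {host: [reason, ...]} for hosts with any hit."""
    hits = defaultdict(list)
    for host, image, cmdline in events:
        hits[host].extend(classify_event(host, image, cmdline))
    return {h: r for h, r in hits.items() if r}


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Hosts that only show the staging pattern (FS02 here) are worth the same attention as hosts with an explicit tool marker, since the alert notes the actors renamed most tools before deploying them.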
The Second Incident was as follows:
In October 2019, a second US municipality's network was targeted by unauthorized users. Intrusion activity was detected when Command and Control (C2) communications were discovered from the DMZ network segment.
The website was missing patches, leading to the compromise. The cyber actors utilized existing network monitoring infrastructure, as well as third-party services, to move laterally within the DMZ. The activity was detected when the malicious actors gained access to two other hosts in the DMZ segment: a SQL server and a Microsoft Exchange server acting as an SMTP forwarder. These servers are part of the AD domain, and activities indicative of AD service targeting were detected.
The attacks on US municipalities are not isolated cases, nor are they the first attacks where the CVE-2019-0604 SharePoint vulnerability has been used.
Throughout 2019, this particular SharePoint vulnerability was one of the most exploited security flaws, used by financially motivated cybercriminals as well as by nation-state-sponsored cyber-espionage groups.
The first attacks detected in the wild were discovered by Canadian Centre for Cyber Security in late April, when the agency sent out a security alert on the matter. The Saudi National Cyber Security Center (NCSC) confirmed a similar wave of attacks a week later, in early May.
Both cybersecurity agencies reported seeing attackers take over SharePoint servers to plant a version of the China Chopper web shell, a type of malware installed on servers that allows hackers to control hacked (SharePoint) servers.
Neither agency named the perpetrators of these attacks, but US cyber-security firm Palo Alto Networks linked the two reports to APT27 (Emissary Panda), a hacking group with ties to the Chinese government. It is unclear if the same Chinese hacking group was also behind the attacks on the two US municipalities.
Throughout the year, attacks using this bug only intensified, as various hacking groups began realizing that this vulnerability was easy to exploit, that plenty of companies had failed to patch it, and that attacks usually yielded access to high-value corporate targets.
In the security alert it sent out last week, the FBI reported seeing spikes in scanning activity targeting the CVE-2019-0604 SharePoint vulnerability in May, June, and October 2019, which only confirms what was learned from sources about an increase in the number of SharePoint attacks as 2019 progressed.
Scans and attacks using this vulnerability were aided by the presence of a large number of technical write-ups explaining the bug, along with an excess of demo exploit code made freely available by security researchers that attackers could choose from and customize to their needs. But in 2019, a year when we had vulnerabilities like BlueKeep, DejaBlue, and the numerous VPN security flaws, the SharePoint bug went under the radar, despite some pretty intense scanning activity, and even confirmed attacks carried out by nation-state hacking groups.
Prior to last week's FBI security alert, no similar security notification had been sent out by other major cyber-security agencies, such as DHS CISA or the UK NCSC.
Attacks are expected to continue, as a large number of unpatched SharePoint servers remain online, even though the patch nears its one-year anniversary next month.
One of the reasons so many servers remain unpatched is because Microsoft fumbled the patching process. It took the company three patches to completely fix this issue, with fixes delivered in February, March, and April. Some companies might have installed the February patch, thinking they are safe, but not knowing there was a more complete patch made available in April.
As several cyber-security experts have pointed out on Twitter, this vulnerability is pretty bad, and organizations should verify that they installed all three patches. The sense of urgency in addressing this should be easy to understand.
The bug is a so-called pre-auth RCE (pre-authentication remote code execution). Pre-auth RCEs are extremely attractive to attackers because they are easy to automate and exploit. Second, SharePoint is a very popular product, with Microsoft boasting more than 200,000 installs across the globe, making this a huge attack surface, most of which consists of high-value government organizations and big corporations.
Free ransomware decryption tool just got a handy update
A free decryption tool for a form of ransomware that has been plaguing victims since 2017 has just been updated with additional capabilities to make it more effective at returning encrypted files, without the need to give in to the demands of cyber criminals.
Paradise ransomware typically arrives in a malicious document attached to a phishing email, which if executed, will encrypt the victim's files. Crooks then demand a ransom paid in bitcoin for their return.
Extensions of files locked with Paradise typically include ".paradise", ".2ksys19", ".p3rf0rm4", and ".FC", and the ransomware can also encrypt back-ups in a move designed to ensure that the victim gives in and pays the ransom.
Security researchers at Emsisoft first released a free decryption tool for Paradise ransomware in November last year – and now they've updated it with additional capabilities to make it even more effective. Now the Paradise ransomware decryption tool can also decrypt files locked with ".stub", ".corp" and "vacv2" extensions.
The decryption tool can be downloaded directly from Emsisoft – which as of January 2020, has been downloaded over 11,000 times. The Paradise decryptor is also downloadable via Europol's 'No More Ransom' portal.
Paradise is sold to prospective criminal users 'as-a-service', providing those distributing it in their own campaigns with a simple means of deploying attacks and collecting ransoms – with the original authors taking a cut of any ransoms which are paid.
Researchers at Bitdefender, who have also released a free decryptor for Paradise, note that when executed on a Windows machine, the ransomware checks whether the keyboard language is set to Russian, Kazakh, Belarusian or Ukrainian; if so, the ransomware does not encrypt files and exits, which likely points to the authors being from somewhere in this part of the world.
While victims of Paradise have the option to retrieve their encrypted files for free, ransomware remains successful because, despite warnings from the authorities not to, a significant number of organizations that fall foul of ransomware opt to give in to the extortion demands of cyber criminals.
In many cases, organizations resort to this because they don't have backups, or the ransomware has also encrypted their backups as part of the attack, and they want to resume operations as soon as possible. However, by making sure they have regularly updated offline backups of their systems, organizations can avoid falling victim to this kind of malware.
ADP Users Hit with Phishing Scam Ahead of Tax Season
Cybercriminals eager to jump-start tax season have launched a phishing campaign targeting some ADP users, telling them their W-2 forms are ready and prompting them to click a malicious link.
Links embedded in the fraudulent email redirect users to a phishing website designed to look like an ADP login page. These domains were registered the same day as the attack, note AppRiver researchers who discovered the campaign. From there, attackers can steal the ADP usernames and passwords of unsuspecting victims who fall into the trap.
With an employee's ADP credentials in hand, an attacker can commit any number of malicious activities. They could possibly expose bank account numbers or change their direct deposit information and redirect payments to attacker-controlled accounts, a potentially lucrative tactic if the employer doesn't require two-factor authentication (2FA) for this type of important change.
An attacker could also access a range of personal data including name, birth date, physical address, pay stubs, or Social Security number — all the information they'd need to commit identity theft. They could also locate an employee's tax documents, which could be used to file fraudulent tax returns on the worker's behalf and redirect the funds to attackers' accounts.