The company’s ESG appliances were breached, but their other services remain unaffected by the compromise.
Crysis Ransomware Attacks RDP Servers to Deploy Ransomware
Recently, cybersecurity researchers at ASEC (AhnLab Security Emergency Response Center) found that the operators of Crysis ransomware are actively using the Venus ransomware in their operations.
Both Crysis and Venus are well known for targeting externally exposed remote desktop services, and AhnLab Smart Defense (ASD) logs show that the attacks are launched via RDP.
Crysis and Venus are not the only payloads: the threat actor also deployed several other tools, including:
Port Scanner
Mimikatz
Such tools can also be used against other systems on the company’s internal network.
Crysis Ransomware Attack
Threat actors use RDP as an attack vector, looking for systems that are active and externally accessible.
Such systems face brute-force or dictionary attacks, and weak account credentials let threat actors gain access to those accounts with little effort.
The obtained credentials then let the threat actors control the system via RDP and carry out a variety of malicious actions.
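The brute-force and dictionary attacks described above leave a recognisable trace on the victim: a burst of Windows Security Event ID 4625 (failed logon) records with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often followed by a 4624 success once a weak password is guessed. The following detector is an added example written for this page, not code from ASEC or the article; the event records it runs over are constructed sample data, and the field layout (timestamp, event id, logon type, account, source IP) is an assumed simplification of what a SIEM would export.

```python
"""Flag RDP password guessing from Windows Security 4625/4624 records.

Added example, not from the original article. Records are constructed
sample data in a simplified (timestamp, event_id, logon_type, user, ip)
layout; a real deployment would feed parsed SIEM/EVTX events instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive (RDP), type 3 = network logon (not RDP).
SAMPLE_EVENTS = [
    ("2023-07-20 02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2023-07-20 02:00:04", 4625, 10, "administrator", "203.0.113.7"),
    ("2023-07-20 02:00:09", 4625, 10, "admin",         "203.0.113.7"),
    ("2023-07-20 02:00:15", 4625, 10, "backup",        "203.0.113.7"),
    ("2023-07-20 02:00:22", 4625, 10, "administrator", "203.0.113.7"),
    ("2023-07-20 02:00:31", 4625, 10, "administrator", "203.0.113.7"),
    ("2023-07-20 02:01:05", 4624, 10, "administrator", "203.0.113.7"),  # guess succeeded
    ("2023-07-20 09:15:00", 4625, 10, "alice",         "198.51.100.5"),  # one user typo
    ("2023-07-20 09:15:30", 4624, 10, "alice",         "198.51.100.5"),
    ("2023-07-20 10:00:00", 4625, 3,  "svc-scan",      "192.0.2.9"),     # not an RDP logon
]


def parse_event(record):
    """Turn one sample tuple into a dict with a real datetime."""
    ts, event_id, logon_type, user, ip = record
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "id": event_id,
        "type": logon_type,
        "user": user.lower(),
        "ip": ip,
    }


def detect_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources with >= threshold failed RDP
    logons inside `window`. The summary notes the accounts tried (several
    distinct accounts suggests spraying) and whether a success followed."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["time"])
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        if e["id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["id"] == 4624:
            successes[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold reached: extend the burst to every failure still in the window.
            stop = end
            while stop + 1 < len(fails) and fails[stop + 1]["time"] - fails[start]["time"] <= window:
                stop += 1
            burst = fails[start:stop + 1]
            last = burst[-1]["time"]
            alerts[ip] = {
                "failures": len(burst),
                "users": sorted({f["user"] for f in burst}),
                "first": burst[0]["time"],
                "last": last,
                # A success shortly after the burst means a credential was guessed.
                "success_after_burst": any(last <= s["time"] <= last + window for s in successes[ip]),
            }
            break
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

A single failed attempt from a legitimate user and non-RDP logon failures are deliberately left out of the alert, so the output names only the source that guessed its way in; the `success_after_burst` flag is the one to escalate first, since it marks the account whose password must be rotated and whose session should be hunted for follow-on tooling.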
Here, the Venus ransomware uses RDP as the attack vector, spawning multiple malware types through explorer.exe, the legitimate Windows Explorer process.
In past attacks, the threat actor first tried Crysis ransomware for encryption but failed, and then attempted encryption with Venus ransomware instead.
The threat actor also continued to use Crysis ransomware against other systems, again targeting externally exposed RDP services.
Once successful, the attacker accessed and infected other systems with Crysis ransomware via RDP. On the infected system, the threat actor deploys diverse malware types and installs scanners and NirSoft credential-recovery tools.
The tools used in the attacks are:
Venus Ransomware
Crysis Ransomware
Mimikatz
Web Browser Password Viewer – NirSoft
Mail PassView – NirSoft
VNCPassView – NirSoft
Wireless Key View – NirSoft
BulletsPassView – NirSoft
RouterPassView – NirSoft
MessenPass (IM Password Recovery) – NirSoft
Remote Desktop PassView – NirSoft
Network Password Recovery – NirSoft
Network Share Scanner
The threat actor hijacks the system via RDP and scans the network with the tools listed above to check whether the infected system belongs to a specific network.
If so, the ransomware operators conduct internal reconnaissance, gather account credentials, and encrypt other systems on the network.
Mimikatz aids this process, and the collected account information enables lateral movement to other network systems. In a Crysis attack, the threat actor uses RDP itself for lateral movement within the network.
Upon successful execution of Crysis ransomware, users would have been confronted with the following ransom note.
The threat actor copies files, including bild.exe_ for Venus ransomware, to the Downloads folder; to encrypt additional files, Venus terminates the following:
Office
Email clients
Databases
On successful deployment, the Venus ransomware alters the desktop and then presents the user with a README file warning that information has been stolen and files encrypted, and prompting the user to make contact within 48 hours.
Recommendations
RDP services are actively exploited by threat actors for initial compromise and lateral movement, so security analysts strongly recommend the following:
Deactivate unused RDP to reduce attack attempts.
Always use strong passwords.
Change passwords periodically.
Keep V3 updated to prevent malware infection.
The post Crysis Ransomware Attacks RDP Servers to Deploy Ransomware appeared first on Cyber Security News.
Case Study: The Cookie Privacy Monster in Big Global Retail
Explore how an advanced exposure management solution saved a major retail industry client from ending up on the naughty step due to a misconfiguration in its cookie management policy. This wasn’t anything malicious, but with modern web environments being so complex, mistakes can happen, and non-compliance fines can be just an oversight away. Download the full case study here.
The Hacker News | #1 Trusted Cybersecurity News Site
Over 15000+ Citrix Servers Vulnerable to Code Injection Attacks
Thousands of Citrix NetScaler ADC and Gateway servers are exposed to a critical unauthenticated RCE bug that threat actors previously exploited as a zero-day in the wild.
Threat actors exploited this zero-day vulnerability in June 2023 to drop a web shell on a critical infrastructure organization’s NetScaler ADC, leading to AD data exfiltration.
However, at this point, the lateral movement of the threat actors to the domain controller was prevented by the effective network segmentation controls on the appliance.
Cyber security researchers at the Shadowserver Foundation recently revealed that over 15,000 Citrix servers are vulnerable to this critical code injection flaw, tracked as CVE-2023-3519. The Cybersecurity and Infrastructure Security Agency (CISA) has also released a Cybersecurity Advisory (CSA) on it.
Flaw Profile
CVE ID: CVE-2023-3519
Description: Unauthenticated remote code execution
CWE: CWE-94
CVSS Score: 9.8
Pre-requisite: Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
Affected Versions of NetScaler ADC & NetScaler Gateway
The affected versions of NetScaler ADC and NetScaler Gateway are:
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC and NetScaler Gateway version 12.1, now end of life
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-65.36
NetScaler ADC 12.1-NDcPP before 12.65.36
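Working out whether a given appliance is affected means comparing its branch and build number against the first fixed build for that branch, while remembering that 12.1 is end of life (no fix will come) and that, per the flaw profile above, the code is only reachable when the appliance is configured as a Gateway or AAA virtual server. The checker below is an added example written for this page, not Citrix tooling or code from the article. It assumes version strings look like `13.1-49.13` or the `show version` form `NetScaler NS13.1: Build 48.47.nc`, and takes the FIPS edition as a separate argument because that build string does not carry it (an assumption). The article's 12.1-NDcPP line is given as "before 12.65.36", which is not in the branch-build form the other lines use, so that branch is deliberately not encoded.

```python
"""Classify a NetScaler ADC / Gateway version against the CVE-2023-3519 fixed builds.

Added example, not Citrix code or code from the article. The fixed builds
are the ones the article lists; the version-string formats and the separate
`edition` argument are assumptions about how the appliance reports itself.
"""
import re

# (branch, edition) -> first fixed build, as listed in the article.
FIXED_BUILDS = {
    ("13.1", ""):     (49, 13),    # 13.1 before 13.1-49.13
    ("13.0", ""):     (91, 13),    # 13.0 before 13.0-91.13
    ("13.1", "FIPS"): (37, 159),   # 13.1-FIPS before 13.1-37.159
    ("12.1", "FIPS"): (65, 36),    # 12.1-FIPS before 12.1-65.36
}
# 12.1 mainline is end of life: every build is affected and none will be fixed.
END_OF_LIFE = {("12.1", "")}
# 12.1-NDcPP is listed on the page as "before 12.65.36"; that string is not in
# branch-build form, so it is intentionally left out rather than guessed at.

# Accepts "13.1-49.13" and "NetScaler NS13.1: Build 48.47.nc" (assumed formats).
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-:\s]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (build_major, build_minor)) from a version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text, edition="", gateway_or_aaa=True):
    """Classify one appliance.

    edition: "" for standard builds, "FIPS" for the FIPS edition.
    gateway_or_aaa: whether the box is configured as a Gateway or AAA virtual
    server, the prerequisite for the flaw to be reachable.
    """
    branch, build = parse_version(text)
    key = (branch, edition.upper())
    result = {
        "branch": branch,
        "edition": edition.upper() or "standard",
        "build": build,
        "fixed_build": FIXED_BUILDS.get(key),
    }
    if key in END_OF_LIFE:
        result["status"] = "end-of-life"            # affected, upgrade the branch
    elif key not in FIXED_BUILDS:
        result["status"] = "unknown-branch"         # not covered by the listed fixes
    elif build >= FIXED_BUILDS[key]:                # tuple compare: (49,13) >= (49,13)
        result["status"] = "patched"
    elif not gateway_or_aaa:
        result["status"] = "vulnerable-not-exposed"  # vulnerable code, prerequisite unmet
    else:
        result["status"] = "vulnerable"
    return result


if __name__ == "__main__":
    samples = [
        ("NetScaler NS13.1: Build 48.47.nc", ""),
        ("13.1-49.13", ""),
        ("13.0-90.12", ""),
        ("13.1-37.158", "FIPS"),
        ("12.1-65.25", ""),
    ]
    for text, edition in samples:
        print(text, edition or "standard", "->", assess(text, edition)["status"])
```

A `vulnerable-not-exposed` result is still a patch-now item: the configuration that keeps the flaw unreachable can change with the next Gateway rollout, and the published exploit makes the window between reconfiguration and patching the dangerous one.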
Exploitation and Patch
On July 18th, Citrix urgently released security updates for the RCE vulnerability (CVE-2023-3519) after observing exploits on unmitigated appliances, urging immediate patch installation.
The zero-day RCE (CVE-2023-3519) for Citrix ADC was likely circulating online from early July when a threat actor advertised it on a hacker or dark web forum.
Besides this, Citrix also addressed two other high-severity flaws tracked as CVE-2023-3466 and CVE-2023-3467 on the same day – one enabling XSS attacks and the other granting root permissions.
The second flaw, with the greater impact, requires authenticated access to the vulnerable appliance’s management interface via the NetScaler IP (NSIP) or SubNet IP (SNIP).
A recent CISA order mandates that U.S. federal agencies secure their Citrix servers against the ongoing attacks by the 9th of August, after the bug was exploited to breach a critical infrastructure organization’s systems.
The post Over 15000+ Citrix Servers Vulnerable to Code Injection Attacks appeared first on Cyber Security News.