Skip to main content

Severe Citrix Flaw & Sodinokibi goes public

Severe Citrix Flaw & Sodinokibi goes public

Today is Thursday, January 13th, 2020 and here are today’s most pressing cyber stories in under 5 minutes.

 

Severe Citrix Flaw: Proof-of-Concept Exploit Code Released

Technology giant Citrix says it's racing to develop patches to fix a severe flaw in its software, for which proof-of-concept exploit code has now been released. Security experts say tens of thousands of organizations are at risk from the flaw, which was first disclosed last month, and which could give attackers remote access to corporate networks.

 

On Saturday, a group calling itself Project Zero India - a cheeky nod to Google's Project Zero bug-hunting team - published proof-of-concept code for the vulnerability. Designated CVE-2019-19781, the directory traversal flaw has been present in Citrix's code for nearly six years but only came to light - at least publicly - in December 2019. 

Project Zero India's dump of the exploit code prompted consultancy TrustedSec to shortly thereafter release its own proof-of-concept exploit code.  "This was only uploaded due to other researchers publishing their code first," TrustedSec writes in a post on GitHub.

"We would have hoped to have had this hidden for a while longer while defenders had appropriate time to patch their systems. We are all for responsible disclosure. In this case, the cat was already out of the bag." Other security experts have said that once the flaw came to light, they were able to build a working exploit in little time. 

The directory traversal flaw exists in Citrix's Application Delivery Controller and Gateway. Citrix has warned that the flaw is remotely exploitable and could allow access to applications and the internal network.

Hackers Increasingly Probe North American Power Grid

Hackers have been demonstrating fresh interest in the North American electric sector's network and computer infrastructure, security researchers warn. But experts also say that the sector is increasingly well-prepared to identify and repel attackers, and that launching disruptive or destructive attacks remains a difficult, laborious, time-consuming and geopolitically dangerous process for nation-state hackers.

 

The potential threat posed by attackers, however, continues to increase, based on increasing reconnaissance of electric sector networks, says industrial cybersecurity firm Dragos. It notes that 11 of the approximately 30 hacking groups that it tracks, which target critical infrastructure sectors and industrial control systems, now appear to have at least some focus on the electric sector in North America.

Such groups include Xenotime, which originally targeted oil and gas companies, including launching Trisis - aka Triton - malware against an undisclosed oil and gas firm in Saudi Arabia, before expanding its focus to targets in the U.S. as well as across Europe, Australia, and the Middle East.

Another group now focusing on the North American electricity generation sector is Magnallium, which since 2013 has been tied to attacks against energy and aerospace firms.

The imperative for electricity providers, as well as the broader critical national infrastructure, including any organization that operates ICS or supervisory control and data acquisition systems, remains the same, experts say: Be prepared.

 

All power grid operators must ensure they have defenses in place against the latest types of online attacks - including the latest malware, not least because wiper and blended attacks have previously been leveled at utilities.

 

To date, ICS environments have been relatively immune to online attacks because every environment is unique, meaning that attackers bent on crashing a local power grid or some other environment would need time, money and patience to study the network and determine how to disrupt it.

 

Texas school district falls for email scam, hands over $2.3 million

A successful phishing scam has left a Texan school district $2.3 million out of pocket.  Last week, the Manor Independent School District, in Manor, Texas, said an inquiry is underway to track down the cybercriminals responsible for the fraudulent email campaign. Phishing emails were sent to the organization in November, leading to three separate transactions taking place. An employee uncovered the scheme a month later, leading to the Manor police force and the FBI's involvement.  

However, the nature of the emails and who fell for them is not yet known.  

The Manor Independent School District serves over 9,000 students. In a release, the school district said that an investigation is ongoing and there are "strong leads," but law enforcement is requesting any information others may have to track down the cyberattackers.  At this stage, it is uncertain if the money can be recovered.

Sodinokibi Ransomware Publishes Stolen Data for the First Time

For the first time, the operators behind the Sodinokibi Ransomware have released files stolen from one of their victims because a ransom was not paid in time.

Since last month, the representatives of the Sodinokibi, otherwise known as REvil, have publicly statedthat they would begin to follow Maze's example and publish data stolen from victims if they do not pay a ransom. While there have been threats made against Travelex and CDH Investments, they have not carried through with them.

This all changed today when the public representative of Sodinokibi stated they beginning to "keep promises" as they posted links to approximately 337MB of allegedly stolen victim files on a Russian hacker and malware forum. They claim this data belongs to Artech Information Systems, who describe themselves as a "minority- and women-owned diversity supplier and one of the largest IT staffing companies in the U.S", and that they will release more if a ransom is not paid.

Share Everywhere