In this episode we cover news about Citrix and Microsoft vulnerabilities and the hack of Jeff Bezos
By: Lex Borger | 27 January 2020
Vulnerability in Citrix ADC and Citrix Gateway servers
Serious vulnerability in Citrix products that could lead to arbitrary code execution by an unauthenticated user.
A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
Exploits of this issue on unmitigated appliances have been observed in the wild. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments.
Per 24 January: Citrix has released fixes in the form of refresh builds across all supported versions of Citrix ADC, Citrix Gateway, and applicable appliance models of Citrix SD-WAN WANOP.
In any case, the NCSC advises you to switch off Citrix ADC and Citrix Gateway servers if your organisation did not implement the mitigating measures advised by Citrix before Thursday 9 January 2020.
Most Dutch ministries took their Citrix servers offline on Friday evening because of the security hole, which means fewer civil servants can work from home. As a result, the ANWB expects heavier traffic on the roads. Government employees normally use Citrix to log in to the internal network of the ministries.
To help organizations identify compromised systems associated with CVE-2019-19781, FireEye and Citrix worked together to release a new tool that searches for indicators of compromise (IoC) associated with attacker activity observed by FireEye Mandiant. This tool is freely accessible in both the Citrix and FireEye GitHub repositories.
Remember, the tool will not make an assertion that a system has not been compromised. The tool will only state when IoCs are identified. It will also not provide formal malware family names of all malicious tools and scripts identified on compromised systems, nor will it identify the existence of all malware or evidence of compromise on the system. The tool is limited to the tool-related indicators that FireEye is aware of at the time of release of the tool or tool-related indicators.
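The semantics described above, that a scanner only ever makes the positive assertion "known indicators found" and never asserts that a system is clean, are easy to get wrong in home-grown triage scripts. The following Python is an added example, not the Citrix/FireEye tool and not its indicator set: the indicator patterns and the log lines are constructed placeholders, and the point is the shape of the report, which distinguishes "no known indicators found" from "not compromised".

```python
"""Positive-only indicator scan over appliance log lines (added example).

The indicators below are PLACEHOLDERS constructed for this example; they are
not the indicators shipped with the Citrix/FireEye tool. Replace them with
the indicator set you actually trust before using this shape for real triage.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: "re.Pattern[str]"


INDICATORS: List[Indicator] = [
    # Placeholder: a request path fragment that would only appear in attacker traffic.
    Indicator("placeholder-request-path", re.compile(r"/PLACEHOLDER_TRAVERSAL_PATH/")),
    # Placeholder: a file name that would only exist after a successful drop.
    Indicator("placeholder-dropped-file", re.compile(r"PLACEHOLDER_DROPPED_FILE\.xml")),
]

# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG: List[str] = [
    "2020-01-11T02:14:07Z 203.0.113.10 GET /vpn/index.html 200",
    "2020-01-11T02:14:09Z 203.0.113.10 POST /PLACEHOLDER_TRAVERSAL_PATH/ 200",
    "2020-01-11T02:14:10Z 203.0.113.10 GET /PLACEHOLDER_DROPPED_FILE.xml 200",
    "2020-01-11T02:15:30Z 198.51.100.7 GET /vpn/index.html 200",
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    indicator: str
    line: str


def scan(lines: Sequence[str], indicators: Sequence[Indicator] = INDICATORS) -> List[Finding]:
    """Return one Finding per (line, indicator) pair that matches."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for ind in indicators:
            if ind.pattern.search(line):
                findings.append(Finding(line_no, ind.name, line))
    return findings


def report(findings: Sequence[Finding]) -> Dict[str, object]:
    """Build the verdict. The only positive assertion this scanner can make is
    that known indicators were found; an empty result is NOT a clean bill."""
    if findings:
        return {
            "assertion": "KNOWN_INDICATORS_FOUND",
            "count": len(findings),
            "indicators": sorted({f.indicator for f in findings}),
        }
    return {
        "assertion": "NO_KNOWN_INDICATORS_FOUND",
        "count": 0,
        "indicators": [],
        "note": "absence of known indicators does not assert the system is uncompromised",
    }


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.indicator}: {finding.line}")
    print(report(scan(SAMPLE_LOG)))
```

Keeping the "note" field on the negative verdict is deliberate: whoever reads the scanner's output downstream (a ticket, a dashboard) sees the limitation the tool authors describe above instead of an implied "clean".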
Multiple major Microsoft vulnerabilities
Multiple serious vulnerabilities in Microsoft products that could lead to arbitrary code execution by an unauthenticated user.
The certificate-validation flaw exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the bug by using a spoofed code-signing certificate to sign a malicious executable so the file appears to be from a known and trusted source. The move could trick both users and anti-virus software, the DHS explains in an emergency directive on today’s patches. Neither a user nor the AV program would know a file was malicious.
One of the first researchers to announce successfully creating an exploit was Saleem Rashid, who published a couple of screenshots apparently showing the vulnerability being used to forge TLS certificates. A few others claim that they have managed to exploit the flaw to sign malicious binaries.
While some researchers have yet to make their PoC exploits public, others have done so. Kudelski Security has published a PoC exploit and it has set up a demo website that uses a forged certificate recognized by Windows as being trusted.
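What a trust-store match has to check is the defensive lesson of the CryptoAPI ECC flaw above. It is documented that the flawed match compared a certificate's public point (and curve) against the trusted roots without guarding against the certificate supplying its own explicitly specified curve parameters, base point included, so a key that merely reused a root's public point could be matched to that root. The Python below is an added example, not Microsoft's or anyone's validation code: it models the two matching policies on constructed data (the root name, the point coordinates and the explicit parameters are placeholders, not real curve points) and shows that the strict policy refuses explicit parameters before comparing anything else.

```python
"""Lenient vs strict matching of an ECC public key against trusted roots
(added example; the data below is constructed, not real certificate material)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

Point = Tuple[int, int]


@dataclass(frozen=True)
class NamedCurve:
    oid: str  # e.g. "1.2.840.10045.3.1.7" is the real OID of secp256r1


@dataclass(frozen=True)
class ExplicitCurve:
    # Fully spelled-out domain parameters carried inside the certificate itself,
    # which means the certificate author chooses the base point.
    p: int
    a: int
    b: int
    generator: Point
    order: int


@dataclass(frozen=True)
class ECPublicKey:
    curve: Union[NamedCurve, ExplicitCurve]
    point: Point


@dataclass(frozen=True)
class MatchResult:
    trusted: bool
    root_name: Optional[str]
    reason: str


def lenient_root_match(presented: ECPublicKey, roots: Dict[str, ECPublicKey]) -> MatchResult:
    """Weak policy: matches on the public point alone and ignores how the curve
    was specified. This is the behaviour to avoid."""
    for name, root in roots.items():
        if root.point == presented.point:
            return MatchResult(True, name, "public point matches trusted root")
    return MatchResult(False, None, "no trusted root with this public point")


def strict_root_match(presented: ECPublicKey, roots: Dict[str, ECPublicKey]) -> MatchResult:
    """Hardened policy: refuse explicit parameters outright, then require the
    same named curve and the same public point as a stored root."""
    if isinstance(presented.curve, ExplicitCurve):
        return MatchResult(False, None, "explicit curve parameters are not accepted for trust matching")
    for name, root in roots.items():
        if root.curve == presented.curve and root.point == presented.point:
            return MatchResult(True, name, "named curve and public point match trusted root")
    return MatchResult(False, None, "no trusted root with this curve and public point")


# Constructed sample data: placeholder coordinates, not a point on any real curve.
SECP256R1 = NamedCurve("1.2.840.10045.3.1.7")
ROOT_POINT: Point = (0x1234, 0x5678)
TRUSTED_ROOTS: Dict[str, ECPublicKey] = {
    "Example Root CA (constructed)": ECPublicKey(SECP256R1, ROOT_POINT),
}

# A genuine key: named curve, same point as the stored root.
GENUINE_KEY = ECPublicKey(SECP256R1, ROOT_POINT)

# A key that reuses the root's public point but ships its own explicit
# parameters (placeholder values). The lenient matcher cannot tell it apart
# from the root; the strict matcher never gets as far as comparing points.
SPOOFED_KEY = ECPublicKey(
    ExplicitCurve(p=0xFFFF, a=1, b=2, generator=ROOT_POINT, order=0xFFFE),
    ROOT_POINT,
)


if __name__ == "__main__":
    for label, key in (("genuine", GENUINE_KEY), ("explicit-params", SPOOFED_KEY)):
        print(label, "lenient:", lenient_root_match(key, TRUSTED_ROOTS))
        print(label, "strict: ", strict_root_match(key, TRUSTED_ROOTS))
```

The ordering inside `strict_root_match` matters: rejecting explicit parameters is a structural check on the certificate and belongs before any comparison against the trust store, so no parameter the certificate author controls can influence which root it is matched to.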
Microsoft today also disclosed multiple Windows RDP bugs. CVE-2020-0609 and CVE-2020-0610 are critical Windows RDP Gateway Server remote code execution vulnerabilities that exist when an unauthenticated attacker connects to a target system using RDP and sends specially crafted requests. Both are pre-authentication and require no user interaction; to exploit them an attacker would need to send a specially crafted request to a target system’s RD Gateway via RDP. The two vulnerabilities affect Windows Server 2012 and newer.
The analysis of the hack of Jeff Bezos’ phone
In 2018, Jeff Bezos’ mobile phone was hacked. As a result, his marriage fell apart. Jeff had the incident investigated, with a few surprising outcomes.
The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, … Large amounts of data were exfiltrated from Bezos’s phone within hours, according to a person familiar with the matter.
The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group’s Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials. This would be consistent with other information. For instance, the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group.
The Special Rapporteurs note that the allegations regarding the hacking of Bezos’ mobile phone are also consistent with the widely reported role of the Crown Prince in leading a campaign against dissidents and political opponents. The hacking of Mr. Bezos’ phone occurred during a period, May-June 2018, in which the phones of three close associates of Jamal Khashoggi, Yahya Assiri, Omar Abdulaziz and Ghanem Al Masarir were also hacked, allegedly using the Pegasus malware.