Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Cyber Weekly Flash Briefing 14 August 2020: Travelex goes bust following ransomware, Microsoft fix 120 vulns inc two zero-days, more ransomware victims paying up, Cloud misconfigurations create risks
Cyber Weekly Flash Briefing 14 August 2020: Travelex Forced into Administration After Ransomware Attack, Microsoft fixes 120 vulnerabilities inc two zero-days, More ransomware victims are paying up, Misconfiguration #1 Cloud Security Threat, Beware What You Ask Amazon Alexa, Ex-Uber engineer sentenced to 18 months in prison for stealing driverless car secrets from Google, Google and Amazon are now the most imitated brands for phishing
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Travelex Forced into Administration After Ransomware Attack
Ransomware victim Travelex has been forced into administration, with the loss of over 1000 jobs.
PwC announced late last week that it had been appointed joint administrators of the currency exchange business.
The Sodinokibi (REvil) ransomware variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK.
Why this matters:
Firms of any size can call victim to ransomware and many firms will not survive a significant cyber event such as this. Unconfirmed reports at the time suggested that a critical unpatched vulnerability in a VPN (Virtual Private Network) may have allowed attackers to remotely execute malicious code. A security researcher said he reached out to the firm in September 2019 to flag the issue but was ignored. This again shows the importance of ensuring all security updates are applied quickly. Has this software had the security updates applied those vulnerabilities would not have been able to be used in this attack.
Read more: https://www.infosecurity-magazine.com/news/travelex-forced-administration/
Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days
Microsoft’s August 2020 Patch Tuesday security updates fell this week and this month the company has patched 120 vulnerabilities across 13 different products, from Edge to Windows, and from SQL Server to the .NET Framework.
Among these 120 vulnerabilities, 17 bugs have received the highest severity rating of "Critical," and there are also two zero-days — vulnerabilities that have been exploited by hackers before Microsoft was able to provide a fix.
Why this matters:
All security updates should be applied as soon as possible to prevent vulnerabilities from being exploited in attacks. When vulnerabilities are announced criminals will waste no time in weaponizing them (creating exploits to use in attacks) so the quicker the vulnerabilities are closed the safer you will be.
More ransomware victims are paying up, even when data recovery is possible
The proportion of ransomware attack victims actually paying ransoms increased in the last quarter, even in instances where ransomed data could be recovered, new figures have revealed.
According to a commercial ransomware recovery service, data exfiltration attacks are becoming more common and blending with traditional ransomware hacks. Data exfiltration extortion involves an attacker taking possession of stolen data and putting it up for sale on forums or marketplaces. Once monetised, the hacker asks the victim to pay a ransom to prevent the information’s release.
The recover firm added that tools currently on the market vary wildly when it comes to data recovery success following a ransomware attack. What’s more, the company has noted an uptick in the number of companies experiencing operating system and registry corruption even after ransomed data is restored.
Why this matters:
It used to be that backups were the best defence against ransomware attacks, but if your data is stolen a backup won’t help you avoid having to pay out to keep your sensitive or confidential data out of the public domain.
Intel, SAP, and Citrix release critical security updates
Intel released 18 advisories, including fixes for Denial of Service, Information Disclosure and Elevation of Privilege flaws affecting various products on Windows, Chrome OS and Linux OS.
SAP’s released 15 security notes and an update to a previously released one to address flaws in a variety of offerings, including SAP ERP, SAP Business Objects Business Intelligence Platform, SAP S/4 HANA and various SAP NetWeaver components.
Citrix’s has released patches for a set of vulnerabilities in certain on-premises instances of Citrix Endpoint Management (aka XenMobile Server).
Why this matters:
Security upgrades should always be applied as soon as possible. Whether announced vulnerabilities are already being exploited or not as they become known they likely will be exploited and patching them (applied the fixes made available) prevent them from being exploited.
Read more: https://www.helpnetsecurity.com/2020/08/12/intel-sap-citrix-security-updates-august-2020/
IT Pros Name Misconfiguration #1 Cloud Security Threat
Configuration errors are the number one threat to cloud security, according to a new poll of IT and security professionals.
A security vendor interviewed 653 industry professionals to compile its 2020 Cloud Security Report.
Three-quarters (75%) claimed to be “very” or “extremely” concerned about cloud security, with most (52%) believing that the risks are higher in the public cloud than on-premises.
The top four threats were cited as: misconfiguration (68%), unauthorized cloud access (58%), insecure interfaces (52%), and account hijacking (50%).
These security concerns have created multiple barriers to further adoption of cloud services. The top inhibitor of adoption was a lack of qualified staff (55%), up from fifth place last year.
This may go some way to explaining respondents’ concerns around configuration errors, especially as 68% of these organisations are using two or more public cloud providers — adding to the complexity.
Why this matters?
Organisations’ cloud migrations and deployments are racing ahead of their security teams’ abilities to defend them against attacks and breaches. Their existing security solutions only provide limited protections against cloud threats, and teams often lack the expertise needed to improve security and compliance processes
Read more: https://www.infosecurity-magazine.com/news/misconfiguration-error-cloud/
RedCurl cybercrime group has hacked companies for three years
Security researchers have uncovered a new Russian-speaking hacking group that they claim has been focusing on the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data.
Named RedCurl, the activities of this new group have been detailed in a 57-page report released this week.
Researchers have been tracking the group since the summer of 2019 and have since identified 26 other RedCurl attacks, carried out against 14 organisations, going as far back as 2018.
Why this matters:
This Russian group have targeted victims across different countries and industry sectors, and included construction companies, retailers, travel agencies, insurance companies, banks, and law and consulting firms from countries like Russia, Ukraine, Canada, Germany, Norway, and the UK. Many firms could fall victim to cyber crime groups like this if their defences are not able to withstand such attackers.
Read more: https://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/
Why You Must Beware What You Ask Amazon Alexa
The same cyber team that cracked open TikTok, WhatsApp, Microsoft’s cloud and even Philips lightbulbs has just turned its attention to Amazon’s Alexa. And, unsurprisingly, it hasn’t disappointed. After “speculating” that Amazon’s 200 million devices “could be a prime entry-point for hackers,” Check Point Research has just lifted the lid to unmask “serious security flaws in Alexa.” According to the team, “in just one click, a user could have given up their voice history, home address and control of their Amazon account.”
Why this matters:
Warnings about the dangers of smart speakers and their extended families of virtual assistants are not new. These are the same devices that causes such scandal last year, when it transpired humans were listening to conversations to better train the AI. The issue here is different, much more akin to the broader problem of IoT security. Every different gadget you connect to the internet becomes a potential vulnerability and the methods needed to crack Amazon’s devices were not particularly sophisticated.
Ex-Uber engineer sentenced to 18 months in prison for stealing driverless car secrets from Google
A star engineer who admitted stealing self-driving car secrets from Google has been sentenced to 18 months in prison.
Anthony Levandowski, who helped found Google's self-driving car project, now known as Waymo, pleaded guilty to downloading documents containing data about the company's work and accessing one of them after he had left to found his own trucking startup.
Sentencing him in a San Francisco court, the judge said he was imposing prison time as a deterrent.
An early star in the self-driving car scene, Mr Levandowski pushed for Google to develop the technology but later became disillusioned, leaving in early 2016 to start trucking company Otto, which was bought by Uber less than eight months later.
Waymo sued Uber, a case which was settled in 2018, with Uber paying out $245m (£187m) in equity and agreeing not to use its technology.
Uber had signed an indemnification agreement with Mr Levandowski, forcing it to pay his legal fees, but has refused to pay a $179m debt he owes to the Google spin-out, a consequence of separate legal action relating to his departure.
Why this matters:
Your staff present one of your biggest risks, and a disgruntled or disillusioned employee can be very dangerous. The theft of intellectual property for personal gain is a classic example of this kind of behaviour. Data Loss Prevention (DLP) systems can help to spot unusual behaviour in employees and detect sensitive data being extracted from corporate systems.
Google and Amazon are now the most imitated brands for phishing
You may want to think twice about opening that email claiming to be from Google or Amazon, after new research found the tech giants were being used as lures for phishing scams.
Earlier this year, Check Point revealed that Apple was the most imitated brand for phishing, but over the course of the last few months, the iPhone maker has fallen to seventh place with Google and Amazon now taking the top spots.
Why this matters:
Phishing is estimated to be the starting point of over 90 percent of all cyberattacks and according to Verizon's 2019 Data Breach Investigations Report, nearly one third (32%) of all data breaches involved phishing activity. Additionally phishing was present in 78 percent of cyber espionage incidents and the installation and use of backdoors in company networks.
Read more: https://www.techradar.com/news/google-and-amazon-are-now-the-most-imitated-brands-for-phishing
Cyber Weekly Flash Briefing for 11 April 2020 – NCSC advisory on COVID activity, Travelex pays $2.3M ransom, Zoom tries to get better, Shadow IT risks, Unkillable Android malware, Bot traffic up
Cyber Weekly Flash Briefing for 11 April 2020 – NCSC advisory on COVID activity, Travelex pays $2.3M ransom, Zoom tries to get better, Shadow IT risks, Unkillable Android malware, Bot traffic up
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
60 second video flash briefing
UK NCSC and US CISA issue joint Advisory: COVID-19 exploited by malicious cyber actors
A joint advisory was put out from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) relating to information on exploitation by cyber criminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.
Read more here: https://www.ncsc.gov.uk/news/covid-19-exploited-by-cyber-actors-advisory
Download the advisory notice here: https://www.ncsc.gov.uk/files/Final%20Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20v3.pdf
Travelex paid $2.3M in Bitcoin to get its systems back from hackers
Travelex paid hackers $2.3 million worth of Bitcoin to regain access to its computer systems after a devastating ransomware attack on New Year’s Eve.
The London-based company said it decided to pay the 285 BTC based on the advice of experts, and had kept regulators and partners in the loop throughout the recovery process.
Although Travelex, which manages the world’s largest chain of money exchange shops and kiosks, did confirm the ransomware attack when it happened, it hadn’t yet disclosed a Bitcoin ransom had been paid to restore its systems.
Travelex previously blamed the attack on malware known as Sodinokibi, a ‘Ransomware-as-a-Service’ tool-kit that has recently begun publishing data stolen from companies that don’t pay up.
Travelex‘ operations were crippled for almost all of January, with its public-facing websites, app, and internal networks completely offline. It also reportedly interrupted cash deliveries to major banks in the UK, including Barclays and Lloyds.
At the time, BBC claimed that Travelex‘ attackers had demanded $6 million worth of Bitcoin to unlock its systems.
Zoom sets up CISO Council and hires ex-CSO of Facebook to clean up its privacy mess
The ongoing coronavirus pandemic has seen people relying on work collaboration apps like Teams and Slack to talk to others or conduct meetings. Zoom, in particular, has seen incredible growth over the past few weeks but it came at a cost. The company has been under a microscope after various researchers discovered a number of security flaws in the app. To Zoom’s credit, the company responded immediately and paused feature updates to focus on security issues.
The company announced that it’s taking help from CISOs to improve the security and patch the flaws in the app. Zoom will be taking help from CISOs from HSBC, NTT Data, Procore, and Ellie Mae, among others. Moreover, the company is also setting up an Advisory Board that will include security leaders from VMware, Netflix, Uber, Electronic Arts, and others. Lastly, the company has also asked Alex Stamos, ex-CSO of Facebook to join as an outside advisor. Alex is a well-known personality in the cybersecurity world who left Facebook after an alleged conflict of interest with other executives about how to address the Russian government’s use of its platform to spread disinformation during the 2016 U.S. presidential election.
Read more here: https://mspoweruser.com/zoom-ciso-hires-ex-facebook-cso-clean-its-mess/
Researchers discover IoT botnet capable of launching various DDoS attacks
Cyber security researchers have found a new botnet comprised of more than a thousand IoT devices, capable of launching distributed denial of service (DDoS) attacks.
According to a report, researchers have named the botnet Dark Nexus, and believe it was created by well-known malware developer greek.Helios - a group that has been selling DDoS services and botnet code for at least the past three years.
Analysing the botnet through a honeypot, the researchers found it is comprised of 1,372 bots, but believe it could grow extremely quickly.
Dark Nexus is based on Mirai and Qbot, but has seen some 40 iterations since December 2020, with improvements and new features added almost daily.
Read the original article here: https://www.itproportal.com/news/researchers-discover-iot-botnet-capable-of-launching-various-ddos-attacks/
Microsoft: Cyber-Criminals Are Targeting Businesses Through Vulnerable Employees
Microsoft has warned that cyber-criminals are preying on people’s vulnerable psychological states during the COVID-19 pandemic to attack businesses. During a virtual press briefing, the multinational technology company provided data showing how home working and employee stress during this period has precipitated a huge amount of COVID-19-related attacks, particularly phishing scams.
Working from home at this time is very distracting for a lot of people, particularly if they are looking after children. Additionally, many individuals are in a stressful state with the extra pressures and worries as a result of COVID-19. This environment is providing new opportunities for cyber-criminals to operate.
“We’re seeing a significant increase in COVID-related phishing lures for our customers,” confirmed Microsoft. “We’re blocking roughly 24,000 bad emails a day with COVID-19 lures and we’ve also been able to see and block through our smart screen 18,000 malicious COVID-themed URLs and IP addresses on a single day, so the volume of attacks is quite high.”
Read the original article here: https://www.infosecurity-magazine.com/news/cybercriminals-targeting/
Stolen Zoom account credentials are freely available on the dark web
Loved, hated, trusted and feared in just about equal measure, Zoom has been all but unavoidable in recent weeks. Following on from a combination of privacy and security scandals, credentials for numerous Zoom account have been found on the dark web.
The credentials were hardly hidden -- aside from being on the dark web. Details were shared on a popular forum, including the email address, password, meeting ID, host key and host name associated with compromised accounts.
Read more: https://betanews.com/2020/04/08/zoom-account-credentials-dark-web/
Shadow IT Represents Major #COVID19 Home Working Threat
Rising threat levels and remote working challenges stemming from the COVID-19 pandemic are putting increased pressure on IT security professionals, according to new data.
A poll of over 400 respondents from global organisations with over 500 employees was conducted to better understand the current challenges facing security teams.
It revealed that 71% of security professionals had reported an increase in security threats or attacks since the start of the virus outbreak. Phishing (55%), malicious websites (32%), malware (28%) and ransomware (19%) were cited as the top threats.
These have been exacerbated by home working challenges, with 95% of respondents claiming to be under new pressures.
Top among these was providing secure remote access for employees (56%) and scalable remote access solutions (55%). However, nearly half (47%) of respondents complained that home workers using shadow IT solutions represented a major problem.
These challenges are only going to grow, according to the research.
Read more here: https://www.infosecurity-magazine.com/news/shadow-it-covid19-home-working/
'Unkillable' Android malware gives hackers full remote access to your phone
Security experts are warning Android users about a particularly nasty strain of malware that's almost impossible to remove.
A researcher has written a blog post explaining how the xHelper malware uses a system of nested programs, not unlike a Russian matryoshka doll, that makes it incredibly stubborn.
The xHelper malware was first discovered last year, but the researcher has only now established exactly how it gets its claws so deeply into your device, and reappears even after a system restore.
Although the Google Play Store isn't foolproof, unofficial third party app stores are much more likely to harbour malicious apps. App-screening service Google Play Protect blocked more than 1.9 million malware-laced app installs last year, including many side-loaded or installed from unofficial sources, but it's not foolproof.
xHelper is often distributed through third-party stores disguised as a popular cleanup or maintenance app to boost your phone's performance, and once there, is amazingly stubborn.
Decade of the RATs (Remote Access Trojan): Novel APT Attacks Targeting Linux, Windows and Android
BlackBerry researchers have released a new report that examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade.
The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative.
The BlackBerry report, titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead” for operations. Given the profile of the five APT groups involved and the duration of the attacks, it is likely the number of impacted organisations is significant.
The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks. While the majority of the workforce has left the office as part of containment efforts in response to the Covid-19 outbreak, intellectual property remains in enterprise data centres, most of which run on Linux.
Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. While Linux may not have the visibility that other front-office operating systems have, it is arguably the most critical where the security of critical networks is concerned. Linux runs nearly all of the top 1 million websites, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).
More here: https://blogs.blackberry.com/en/2020/04/decade-of-the-rats
Bot traffic fueling rise of fake news and cybercrime
The coronavirus pandemic has disrupted daily life around the world and the WHO recently warned that an overabundance of information about the virus makes it difficult for people to differentiate between legitimate news and misleading information.
At the same time, EU security services have warned that Russia is aggressively exploiting the coronavirus pandemic to push disinformation and weaken Western society through its bot army.
A cyber security firm has been using its bot manager to monitor internet traffic in an attempt to track the “infodemic” that both the WHO and EU security services have issued warnings on.
According to the data, bots have upped their game and organisations in the social media, ecommerce and digital publishing industries have experienced a surge in bad bot traffic following the coronavirus outbreak.
The bots have been found to be executing various insidious activities including spreading disinformation, spam commenting and more. In February, 58.1 percent of bots had the capability to mimic human behaviour. This means that they can disguise their identities, create fake accounts on social media sites and post their masters' propaganda while appearing as a genuine user.
Read more here: https://www.techradar.com/news/bot-traffic-fueling-rise-of-fake-news-and-cybercrime
Week in review 12 January 2020 – Office 365 Phishing, Firms Hit Once Per Minute, Dixons Carphone fined, Travelex hackers threaten to sell data, Firefox zero-day exploit, Citrix scanned for vulns
Week in review 12 January 2020 – Office 365 Phishing Attacks, Firms Hit Once Per Minute in 2019, Dixons Carphone Fined for Breach, Travelex hackers threaten to sell credit card data, Mozilla patches actively exploited Firefox zero-day, Hackers probe Citrix servers for remote code execution vulnerability
Week in review 12 January 2020 – Office 365 Phishing Attacks, Firms Hit Once Per Minute in 2019, Dixons Carphone Fined for Breach, Travelex hackers threaten to sell credit card data, Mozilla patches actively exploited Firefox zero-day, Hackers probe Citrix servers for remote code execution vulnerability
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Office 365 users: Beware of phishing emails pointing to Office Sway
One of phishers’ preferred methods for fooling both targets and email filters is to use legitimate services to host phishing pages. The latest example of this involves Office 365 users being directed to phishing and malicious pages hosted on Office Sway, a web application for content creation that’s part of Microsoft Office.
The email that tries to trick recipients into visiting the phishing page isn’t stopped by Microsoft’s filters, likely because either it was sent from an onmicrosoft.com email address or it includes links in the email that point to sway.office.com and other trusted sites (e.g., LinkedIn). The email pretends to be a fax receipt notice, shows a small image of the supposedly received fax, and asks the user to open the attachment to view it.
Read more here: https://www.helpnetsecurity.com/2020/01/10/phishing-office-sway/
Cyber-Attacks Hit UK Firms Once Per Minute in 2019
UK businesses were deluged with cyber-attacks in 2019, with the average firm hit by over half a million attempts to compromise systems, according to new report.
A UK-based business Internet Service Provider (ISP) extrapolated the findings from data on its own corporate customers across the country.
It calculated the average number of attacks aimed at a single business last year was 576,575, around 152% higher than the 281,094 recorded in 2018 and the highest since the ISP began analyzing this kind of data in 2016.
That means UK businesses were forced to repel 66 attacks per hour on average in 2019.
The firm identified 1.8 million unique IP addresses responsible for the attacks last year, just under a fifth (18%) of which were located in China. However, this is more an indication of the sheer number of potentially hijacked machines based in the country rather than the origin of the attackers.
There was a fairly big drop to second placed Brazil (7%), which was followed by Taiwan (6%) and Russia (5%) in terms of originating IP addresses for attacks.
Attackers most commonly targeted network device admin tools and IoT endpoints like connected security cameras and building control systems, according to Beaming. These suffered 92,448 attacks in total last year, while 35,807 were targeted at file sharing applications.
Read the full article here: https://www.infosecurity-magazine.com/news/cyberattacks-uk-firms-once-per/
Dixons Carphone Receives Maximum Fine for Major Breach
A major UK high street retailer has been fined the maximum amount under the pre-GDPR data protection regime for deficiencies which led to a breach affecting 14 million customers.
Privacy regulator the Information Commissioner’s Office (ICO) fined DSG Retail £500,000 under the 1998 Data Protection Act after Point of Sale (POS) malware was installed on 5390 tills.
The incident affected Currys PC World and Dixons Travel stores between July 2017 and April 2018, allowing hackers to harvest data including customer names, postcodes, email addresses and failed credit checks from internal servers, over a nine-month period.
The “poor security arrangements” highlighted by the ICO included ineffective software patching, the absence of a local firewall, and lack of network segregation and routine security testing.
More information here: https://www.infosecurity-magazine.com/news/dixons-carphone-receives-maxi-fine/
Travelex hackers threaten to sell credit card data on dark web
Cyber gangsters have stepped up the pressure on Travelex to pay a $6m ransom to decrypt the company’s data by issuing a new threat to sell personal data about its customers on the dark web.
The threat comes after a cyber crime group used sophisticated malware, known as Sodinokibi or REvil, to encrypt the currency exchange’s computer files, forcing the company to switch off its worldwide computer network.
Travelex, which has hired computer experts to investigate the incident, said on 9 January that it was making progress in bringing its systems back online and that there was “still no evidence to date that any data has been exfiltrated”.
The attack has disrupted Travelex operations for 10 days, leaving the firm’s customers unable to collect foreign currency orders, use the Travelex app, or pay for currency using credit cards. This has led to widespread complaints from customers.
Over a dozen banks, including the Royal Bank of Scotland, NatWest, First Direct, Barclays and Lloyds, which rely on Travelex to provide services, have also told customers they are unable to take orders for foreign currency.
The crime group has stepped up pressure on Travelex, which has operations in 70 countries, by threatening to sell personal data collected from the company, including credit card details, on a Russian cyber crime forum.
Read the full article here: https://www.computerweekly.com/news/252476526/Travelex-hackers-threaten-to-sell-credit-card-data-on-dark-web
PayPal Confirms ‘High-Severity’ Password Security Vulnerability
PayPal has confirmed that a researcher found a high-severity security vulnerability that could expose user passwords to an attacker. The problem, which was disclosed on January 8 was patched by PayPal on December 11, 2019.
Read more here: https://www.forbes.com/sites/daveywinder/2020/01/10/paypal-confirms-high-severity-password-security-vulnerability/#42f496561b50
Mozilla patches actively exploited Firefox zero-day
Mozilla has patched a Firefox zero-day vulnerability (CVE-2019-17026) that is being exploited in attacks in the wild and is urging Firefox and Firefox ESR users to update their installations as soon as possible.
Read more here: https://www.helpnetsecurity.com/2020/01/09/cve-2019-17026/
Hackers probe Citrix servers for weakness to remote code execution vulnerability
Cyberattackers are performing scans to find Citrix servers vulnerable to a critical security flaw.
Disclosed in December, the severe vulnerability, tracked as CVE-2019-19781, impacts the Citrix Application Delivery Controller (ADC) -- also known as NetScaler ADC -- alongside Citrix Gateway, formerly known as NetScaler Gateway. The critical vulnerability permits directory traversal and if exploited permits threat actors to conduct Remote Code Execution (RCE) attacks.
Researchers have estimated that at least 80,000 organizations in 158 countries are users of ADC and could, therefore, be at risk. Companies in the firing line are predominantly based in the US -- roughly 38 percent -- as well as the UK, Germany, the Netherlands, and Australia.
Read more here: https://www.zdnet.com/article/hackers-probe-unsecured-citrix-servers-for-netscaler-vulnerability/