IT NEWS

Update now! WinRAR files can be abused to run malware

A new version of the file archiving software WinRAR fixes two vulnerabilities that could allow an attacker to execute code on a target system. All the victim has to do is to open a specially crafted archive.

After receiving a report about the vulnerability in June, a new version of the software was published on August 2, 2023. Users should install the latest version (WinRAR 6.23 or later) at their earliest convenience.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in this update is CVE-2023-40477 (with a CVSS score of 7.8 out of 10).

The vulnerability lies in how the software processes recovery volumes. The issue is due to the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

The update release notification states that another vulnerability was fixed, described as:

“WinRAR could start a wrong file after a user double clicked an item in a specially crafted archive.”

So, until you have installed the new version, it is advisable to be careful when someone sends you an archived file. Opening the archive to scan the content is not a safe option right now.

Given WinRAR's very large user base, the impact of these vulnerabilities could be substantial, especially since similar flaws have been abused by attackers in the past to install malware.

Windows 11 users are likely to hold off on installing the latest version, because Microsoft has announced that its latest operating system (OS) will natively support RAR and some other archive formats.

“We have added native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project. You now can get improved performance of archive functionality during compression on Windows.”

Users of cracked versions of the software, probably another large group, will not be able to install the latest version straight away, so they may remain vulnerable as well.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Alert Prioritization and Guided Remediation: The future of EDR

Sleepless nights, missed threats, a deluge of notifications—the common symptoms of the bane of IT teams everywhere: Alert fatigue.

Out of the litany of problems IT teams face every day, alert fatigue might be among the most pressing—especially considering that 30 percent of EDR alerts are ignored by IT security teams. Simply put, it’s impossible to keep up when your tools aren’t helping you prioritize alerts.

Enter: Alert Prioritization and Guided Remediation.

Alert Prioritization and Guided Remediation is a feature of EDR Extra Strength that helps IT teams cut through the noise, using specialized threat intelligence to highlight the threats that truly need their attention.

But why do traditional approaches to EDR alert ranking lead to alert fatigue? And how does Alert Prioritization and Guided Remediation work to combat it?

Why Traditional EDR Is Inherently Exhausting

At its core, EDR has one job—to generate alerts of suspicious activity. The humans operating EDR also broadly have one job: to interpret and act on that suspicious activity.

But here’s the problem: “suspicious” could mean anything.

Let’s say an alert was generated in response to an employee installing a new piece of software that attempts to modify system files. Traditional EDR doesn’t know whether this is a benign program—it just flags the activity as suspicious. But “suspicious” could mean that the alert is a false positive; it could mean the alert is malicious but can be safely ignored; or it could mean “This is a huge deal.”

In other words, IT teams can’t know how “bad” a suspicious alert is until it is investigated—an impossible task for each of the thousands of alerts generated by EDR daily. The end result is, of course, alert fatigue.

Traditional EDR is inherently exhausting. Without additional context, alerts become just too ambiguous to be actionable, meaning IT teams inevitably end up over-prioritizing less urgent threats while also overlooking severe ones.

How Alert Prioritization And Guided Remediation Works

Alert Prioritization and Guided Remediation helps you cut through the noise of traditional EDR by enriching alerts with external threat intelligence.

In this scenario, when an EDR product generates an alert, Alert Prioritization and Guided Remediation consults the threat intelligence service’s extensive database for relevant data. This data, which could include information from various antivirus solutions and user submissions, helps Alert Prioritization and Guided Remediation assess the legitimacy of the alert, clarifying whether the alert represents a genuine threat or a false positive.

Let’s illustrate using the same example from our section on the limitations of traditional EDR, when an alert was generated after an employee installed a new piece of software.

If threat intelligence data shows, for example, that 50 out of 60 antivirus solutions flagged the same file as malicious, it’s likely not a false positive.

Alternatively, if threat intelligence data shows that only 2 out of 60 antivirus solutions flagged the same file as malicious, it is likely that the alert is a false positive and can be safely ignored.

After the threat is externally validated to be a known bad, we turn to Phase 2: Guided Remediation.

When a prioritized threat is detected, Guided Remediation sends detailed remediation information directly to customers through text and email.

These communications direct customers to an EDR portal page that further details the identified threat, explaining what was found, why it is deemed a priority, and simple steps on how to remediate it. This ensures that users are not only alerted to potential threats, but also equipped with the information needed to take decisive action.

Business benefits to Alert Prioritization and Guided Remediation

Reduced alert fatigue

Alert Prioritization and Guided Remediation helps IT teams massively reduce the volume of alerts that need to be reviewed, saving them much-needed mental energy to focus on only the most critical threats.

Improved security posture

Alert Prioritization and Guided Remediation of threats allows for quicker detection and response to threats, minimizing attacker dwell time and reducing the potential damage that attackers can cause once in your systems.

Empowers smaller or less experienced teams

With the right solution, highly specialized staff become a less critical requirement when an organization has to keep up with the volume of EDR alerts. Alert Prioritization and Guided Remediation helps to level the playing field, helping smaller IT teams or those with lower levels of specialized security expertise identify and respond to threats on the fly.

Try EDR Extra Strength today

Automation is the name of the game when it comes to preventing burnout—and with Alert Prioritization and Guided Remediation, IT teams can finally ease their alert fatigue burdens.

Interested in learning more? Alert Prioritization and Guided Remediation is a part of our EDR Extra Strength product, which reimagines EDR to deliver superior protection in a single, easy-to-use package.

Get a free trial of Malwarebytes EDR Extra Strength.

QR codes used to phish for Microsoft credentials

Researchers have published details about a phishing campaign that uses QR codes to phish for Microsoft credentials.

A QR (Quick Response) code is a kind of two-dimensional barcode that holds encoded data in a graphical black-and-white pattern. The data that a QR code stores can include URLs, email addresses, network details, Wi-Fi passwords, serial numbers, etc.

While QR codes are generally safe, they can easily be manipulated by scammers because they all appear similar to the human eye. A malicious QR code may lead you to a spoofed website designed to drop different malware types or steal your sensitive data, like your password, credit card information, or money.

The use of QR codes in malicious campaigns is not new, and because they can provide contactless access to a product or service they grew in popularity during the pandemic. And because QR codes are images (sent as PNG or PDF attachments in the campaigns reported here) their content is more likely to make it past email filters.

The researchers have been monitoring a campaign since May of 2023 that, although it targeted users from a wide array of industries, seemed to focus on a major energy company based in the US. This undisclosed target received 29% of the over 1,000 emails containing malicious QR codes.

The links in the QR codes used open redirects from legitimate domains associated with Bing, Salesforce, and Cloudflare to send the targets to phishing sites that were after Microsoft credentials. Since the emails were often spoofed Microsoft security notifications, the Bing URLs would not have looked out of place to any victims who noticed them.

The campaign has reportedly grown significantly since it was discovered, with volume up by more than 2,400% since May 2023.

[Image: example of a Microsoft-themed email with a QR code. Caption: Example of a malicious QR code (courtesy of Cofense)]

For cybercriminals, the use of QR codes usually has the disadvantage that they need to be scanned by a mobile device, which is more complex than simply giving targets a link to click on. But in a corporate environment this can also be an advantage as the mobile device might be outside of the protection of the enterprise environment.

The researchers showcase a Bing redirect URL which is likely to be seen as legitimate in light of the other Microsoft mimicry used in this campaign. Many search engines, social media, and other platforms use some form of open redirect, which cybercriminals use to make their links look legitimate. 

[Image: the legitimate and malicious parts of a Bing redirect URL. Caption: Example of a Bing redirect URL (courtesy of Cofense)]
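As an added example (not Cofense's or Malwarebytes' tooling, and not the campaign's actual links), the Python below checks a link for the pattern described above: a query parameter on a trusted host that carries a second URL pointing at a different host, whether plainly, percent-encoded, or base64-encoded. The hosts in TRUSTED_HOSTS, the /redirect path and the u and url parameter names are assumptions made for the example and do not describe Bing's real redirect format; the sample links are constructed.

```python
"""Flag links whose query string carries a second URL pointing at another
host: the open-redirect pattern described above. Added example, not
Cofense's or Malwarebytes' tooling; sample links are constructed."""
import base64
import binascii
from urllib.parse import parse_qsl, unquote, urlsplit

# Hosts the reader treats as legitimate senders of redirect links (assumption).
TRUSTED_HOSTS = {"www.bing.com", "login.microsoftonline.com"}


def _decode_candidates(value):
    """Yield plausible decodings of one query value: as-is, percent-decoded,
    and base64/base64url-decoded (with any stripped padding restored)."""
    yield value
    yield unquote(value)
    stripped = value.rstrip("=")
    try:
        padded = stripped + "=" * (-len(stripped) % 4)
        yield base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        pass


def embedded_redirect_target(url):
    """Return the hostname of a URL embedded in `url`'s query string, or None."""
    outer = urlsplit(url)
    for _name, value in parse_qsl(outer.query, keep_blank_values=True):
        for candidate in _decode_candidates(value):
            if candidate.startswith(("http://", "https://")):
                host = urlsplit(candidate).hostname
                if host:
                    return host.lower()
    return None


def classify_link(url):
    """'direct' (no embedded URL), 'redirect-internal' (embedded URL stays on
    the outer host or another trusted host) or 'redirect-external'."""
    outer_host = (urlsplit(url).hostname or "").lower()
    target = embedded_redirect_target(url)
    if target is None:
        return "direct"
    if target == outer_host or target in TRUSTED_HOSTS:
        return "redirect-internal"
    return "redirect-external"


# Constructed sample links; the /redirect path and the parameter names are
# assumptions for the example, not Bing's real redirect format.
_B64_TARGET = base64.urlsafe_b64encode(b"https://evil.example/login").decode().rstrip("=")
SAMPLE_LINKS = [
    "https://www.bing.com/search?q=account+security+notice",
    "https://www.bing.com/redirect?url=https%3A%2F%2Fevil.example%2Flogin",
    "https://www.bing.com/redirect?id=42&u=" + _B64_TARGET,
    "https://www.bing.com/redirect?url=https://www.bing.com/maps",
]


def scan(links=SAMPLE_LINKS):
    """Classify each link; a defender would alert on 'redirect-external'."""
    return [(link, classify_link(link)) for link in links]


if __name__ == "__main__":
    for link, verdict in scan():
        print(f"{verdict:18} {link}")
```

The check deliberately looks at the decoded destination rather than the outer domain, which is the same thing a user is asked to do in the recommendations below: the trusted host on the left of the link says nothing about where the right-hand side ends up.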

Recommendations

QR codes are nearly impossible for humans to recognize as malicious, so they deserve some extra attention. Some pointers:

  • Treat QR codes like any other link in an unsolicited mail, or possibly even with more caution. If you receive a QR code either in the mail or sent to you by a friend, get in touch with them first and verify that they have indeed sent you the code.
  • When scanning a QR code your device should display the site it will take you to. Pay close attention to that link. Be wary of legitimate domains that are known to use redirects and URL shorteners.
  • Use the built-in scanner through your smartphone’s camera to scan for QR codes. There is no need to download another one from the app store since there are fake QR code scanners and ones that come bundled with unwanted extras.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Chrome will soon start removing extensions that may be unsafe

Retroactive removals are finally on the way for malicious Chrome browser extensions. Beginning with Chrome 117, Chrome will “proactively highlight to users when an extension they have installed is no longer in the Chrome web store”.

Previously, if you installed an extension which was subsequently unpublished by the developer or removed by Google, the extension you installed would remain in place, even if it was malicious. If, for example, the extension was some sort of data stealer, it would simply continue to steal your data (assuming the infrastructure it sent the data to had not been shut down). 

Now, when an extension is pulled from the web store in one of the following three situations, Chrome users will be notified:

  • The extension has been unpublished by the developer.
  • The extension has been taken down for violating Chrome Web Store policy.
  • The item was marked as malware.

If we’re talking about an “under review” situation, no notification will take place. For example, if a developer is notified that they may have potentially violated one of Google’s policies and has been given time to address or appeal the issue, then a notification will not be triggered.

Violations themselves can result in a wide range of possible outcomes, from immediate suspensions and permanent disabling of extensions to warnings and re-enablement if a violation is addressed to Google’s satisfaction. If the violation involves malware, there’s a good chance there is no way back into Google’s good books. From the violations information page:

The Chrome Web Store Review team has special procedures for egregious policy violations. In cases such as malware distribution, deceptive behavior designed to evade review, repeated severe violations indicative of malicious intent, and other egregious policy violations, more drastic measures are necessary.

To limit the potential for these developers to further harm users, the Chrome Web Store team intentionally does not provide details regarding these violations. Additionally, in more severe cases the developer’s Chrome Web Store account will be permanently suspended.

In the Privacy and Security settings of Chrome, users will find a “Review” option under the Safety Check setting. It will read as follows:

Review [x amount of] extensions that were taken down from the Chrome web store

Clicking the Review button will take users to their extensions page where they will be given the option to remove all listed extensions. They can also choose to hide the warning and keep the extension if they really want to.

Malware is the exception here though. Extensions flagged as malware are automatically disabled, as they have been in previous versions of Chrome. For everything else, Chrome will state the following:

Review these extensions that were taken down from the Chrome web store. These extensions might be unsafe. Chrome recommends that you remove them.

Users can select each flagged extension individually, or just hit a “Remove all” button and wipe the lot in one go. If you don’t want to wait for the new feature to roll out in Chrome 117, Bleeping Computer notes that you can give it a try right now by switching on Chrome 116’s experimental “Extensions Module in Safety Check” feature.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Trusted Advisor puts you in the security driving seat

Malwarebytes’ new Trusted Advisor dashboard provides an easy to understand assessment of your security with a single comprehensive protection score, and clear, expert-driven advice.

Computer security can be difficult and time consuming. Getting it right means knowing what software needs to be updated, whether your system settings are configured securely, running active protection that can block and remove malware, and performing regular scans to uncover hidden threats.

Getting it wrong means leaving gaps in your defences that malware, criminal hackers, and other online threats can sneak through.

Trusted Advisor takes away the guesswork by delivering a holistic assessment of your security and privacy in a way that’s easy to understand, making issues simple to correct. It combines the proven capabilities of Malwarebytes with the knowledge of the brightest industry experts to give you an expert assessment that puts you one step ahead of the cybercrooks.

Protection score

At the heart of Trusted Advisor is a single, easy to understand protection score. If you’re rocking a 100% rating then you know you’re crushing it.

If your score dips below 100%, we’ll explain why, and offer you a checklist of items to improve your security.

Trusted Advisor’s recommendations are practical and jargon-free, so they’re easy to understand and action.

Six steps to security

Trusted Advisor monitors six broad categories of information. Each one affects your protection score according to its impact on your overall security:

  • Real-Time Protection monitors your computer continuously, stopping and removing threats like malware as they appear. It’s vital for keeping you safe from the most destructive threats and the most common methods of infection, so Trusted Advisor will alert you if you aren’t fully protected.
  • Software updates fix the coding flaws that cybercriminals exploit to steal data or put malware on your system. Staying up to date is one of the most important things you can do for your security, so Trusted Advisor has your back here too.
  • General settings covers settings within Malwarebytes, Windows, or your network preferences. Trusted Advisor checks for settings that may not be configured correctly. 
  • Device scans are routine scans that seek out hidden threats on your system. Malwarebytes’ Smart Scan technology schedules scans so they run when your device isn’t in use. If you get behind and need to run a scan manually, Trusted Advisor will tell you.
  • Online privacy helps you take a proactive stance on your privacy by hiding your IP address and blocking third-party ad trackers, making you harder to track on the web. Trusted Advisor monitors this so you only part with the personal information you intend to.
  • Device health guards against slowdowns and other performance problems. Trusted Advisor helps you get the most out of your system so that you aren’t left guessing whether it was malware grinding your device to a halt.

Try it today

If you’re an existing Malwarebytes customer you will get Trusted Advisor automatically, but if you’re in a hurry, you can go to Settings > About > Check for updates and get it right now. If you aren’t, you can get Trusted Advisor by simply downloading the latest version of Malwarebytes.

A week in security (August 14 – August 20)

Last week on Malwarebytes Labs:

Stay safe!

Patch now! Citrix Sharefile joins the list of actively exploited file sharing software

The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability to its catalog of known exploited vulnerabilities, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by September 6, 2023 to protect their networks against this active threat. We urge everyone else to take it seriously too and preferably not to wait until the last moment.

According to the Citrix security advisory, this vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24. Customers using ShareFile-managed storage zones in the cloud do not need to take any action.

Citrix customers should update to the latest version of ShareFile storage zones controller and read the instructions for upgrading. As an extra precaution Citrix has blocked all customer-managed ShareFile storage zones controllers versions prior to the latest version (5.11.24). Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability at hand is listed as CVE-2023-24489 and has a CVSS score of 9.1 out of 10. It is a cryptographic bug in Citrix ShareFile’s Storage Zones Controller, a .NET web application running under Internet Information Services (IIS). Due to errors in how ShareFile handles cryptographic operations, attackers can generate valid padding which enables unauthenticated attackers to upload arbitrary files, leading to remote code execution (RCE).
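The bug class described above is a padding oracle: a receiver that checks padding before authenticating the ciphertext, and reports padding failures differently from authentication failures, tells the sender which guesses produced valid padding. The Python below is an added example, not ShareFile's code, showing that vulnerable shape next to the hardened encrypt-then-MAC shape (tag verified in constant time before anything is decrypted, and a single error for every failure). The XOR keystream and the SHA-256 subkey derivation are toy stand-ins so the example runs on the standard library alone; they are not a cipher to use in practice.

```python
"""Why a padding check that reports its own failure is an oracle, and the
encrypt-then-MAC shape that removes it. Added example; not ShareFile's code.
The XOR keystream here is a toy stand-in for the real cipher (insecure by
itself) so the example runs on the standard library only."""
import hashlib
import hmac

BLOCK = 16
TAG_LEN = 32


class DecryptError(Exception):
    """The only error the hardened path ever raises."""


class PaddingError(DecryptError):
    pass


class MacError(DecryptError):
    pass


def _subkey(key, label):
    # Separate keys for encryption and authentication (assumed KDF for the example).
    return hashlib.sha256(label + key).digest()


def _xor_stream(key, data):
    """Toy keystream cipher: SHA-256(key || counter) blocks XORed over data."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    if not data or len(data) % BLOCK:
        raise PaddingError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


# --- Vulnerable shape: MAC-then-encrypt, padding checked before the MAC -----
def encrypt_mac_then_encrypt(key, msg):
    tag = hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()
    return _xor_stream(_subkey(key, b"enc"), pkcs7_pad(msg + tag))


def decrypt_vulnerable(key, ct):
    body = pkcs7_unpad(_xor_stream(_subkey(key, b"enc"), ct))  # PaddingError leaks here
    msg, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise MacError("bad mac")  # a different error than the padding failure
    return msg


# --- Hardened shape: encrypt-then-MAC, tag verified first, one error --------
def encrypt_then_mac(key, msg):
    ct = _xor_stream(_subkey(key, b"enc"), pkcs7_pad(msg))
    return ct + hmac.new(_subkey(key, b"mac"), ct, hashlib.sha256).digest()


def decrypt_hardened(key, blob):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise DecryptError("decryption failed")  # padding is never consulted
    try:
        return pkcs7_unpad(_xor_stream(_subkey(key, b"enc"), ct))
    except PaddingError:
        raise DecryptError("decryption failed") from None


def error_kinds(decrypt, key, blob):
    """Flip the last byte and the first byte of `blob` separately and report
    which error class each produces; two different names means the receiver
    is telling the sender whether the padding was valid."""
    kinds = []
    for pos in (-1, 0):
        tampered = bytearray(blob)
        tampered[pos] ^= 0x01
        try:
            decrypt(key, bytes(tampered))
            kinds.append("ok")
        except DecryptError as err:
            kinds.append(type(err).__name__)
    return tuple(kinds)
```

Running error_kinds against decrypt_vulnerable yields ("PaddingError", "MacError"): the two failure modes are distinguishable, which is the leak. Against decrypt_hardened it yields ("DecryptError", "DecryptError"), and the padding code is never reached for a forged or modified blob at all. A code review of a .NET handler such as the one described can apply the same test: find where padding exceptions are caught and confirm they cannot surface, by message, status code or timing, before the authentication check has passed.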

Several proofs of concept (PoCs) have been made available since the vulnerability was discovered in July.

This year, the Cl0p ransomware gang has made extensive use of vulnerabilities in file transfer software. In March it emerged from dormancy to become the most active gang in the world by exploiting a zero-day vulnerability in GoAnywhere MFT. After going quiet for a few months it repeated the trick in June and July as its widespread exploitation of a MOVEit Transfer zero-day vulnerability became clear.

With Cl0p seemingly looking for exactly this kind of vulnerability, it should be a no-brainer that this needs to be patched as soon as possible.

Attackers demand ransoms for stolen LinkedIn accounts

An ongoing campaign targeting LinkedIn accounts has led to victims losing control of their accounts, or being locked out following repeated login attempts.

Whether the attackers are using brute force methods or credential stuffing isn’t known, but because some victims are being locked out following a great number of failed attempts, you might suspect brute force methods. It’s also not unthinkable that the attackers are using a combination of attack methods. Credential stuffing is a popular tactic of attempting to access online accounts using username-password combinations acquired from breached data. In a brute force attack, attackers typically try a lot of common passwords against one account.

Either way, victims are complaining about slow response times.
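The two methods leave different footprints in authentication logs, which is how a defender (or a platform) tells them apart: brute force is many failures against one account in a short window, credential stuffing is one source failing once against many distinct accounts. The Python below is an added example of that distinction, not LinkedIn's or Malwarebytes' detection logic; the log format, thresholds, account names and IP addresses are constructed for illustration.

```python
"""Separate brute force from credential stuffing in authentication logs.
Added example; not LinkedIn's or Malwarebytes' detection logic. The log
lines, thresholds and IP addresses are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

LOG_TIME = "%Y-%m-%dT%H:%M:%SZ"


def sample_log():
    """Constructed auth events: '<timestamp> <FAIL|OK> <account> <source ip>'."""
    base = datetime(2023, 8, 15, 10, 0, 0)
    lines = []
    # One account, one source, eight failures in two minutes: password guessing.
    for k in range(8):
        lines.append(f"{base + timedelta(seconds=15 * k):{LOG_TIME}} FAIL alice 203.0.113.10")
    # Twelve accounts, one failure each from one source: a breached list replayed.
    for k in range(12):
        lines.append(f"{base + timedelta(minutes=5, seconds=k):{LOG_TIME}} FAIL user{k:02d} 198.51.100.7")
    # A single typo followed by success: below both thresholds.
    lines.append(f"{base + timedelta(minutes=9):{LOG_TIME}} FAIL bob 192.0.2.5")
    lines.append(f"{base + timedelta(minutes=9, seconds=30):{LOG_TIME}} OK bob 192.0.2.5")
    return lines


def parse_line(line):
    ts, status, account, source = line.split()
    return datetime.strptime(ts, LOG_TIME), status, account, source


def max_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window=timedelta(minutes=10), brute_force_min=5, stuffing_min_accounts=10):
    """Return {'brute_force': {account: failures}, 'credential_stuffing': {ip: accounts}}.
    Brute force: many failures against one account inside `window`.
    Credential stuffing: one source failing against many distinct accounts."""
    fails_by_account = defaultdict(list)
    failed_accounts_by_source = defaultdict(set)
    for line in lines:
        ts, status, account, source = parse_line(line)
        if status != "FAIL":
            continue
        fails_by_account[account].append(ts)
        failed_accounts_by_source[source].add(account)
    brute = {}
    for account, times in fails_by_account.items():
        peak = max_in_window(times, window)
        if peak >= brute_force_min:
            brute[account] = peak
    stuffing = {src: len(accts) for src, accts in failed_accounts_by_source.items()
                if len(accts) >= stuffing_min_accounts}
    return {"brute_force": brute, "credential_stuffing": stuffing}


if __name__ == "__main__":
    print(analyse(sample_log()))
```

On the constructed log this reports alice as brute-forced (8 failures in the window) and 198.51.100.7 as a stuffing source (12 distinct accounts, one failure each). The per-account view is also what produces the lockouts the victims describe, which is why a burst of lockouts on its own hints at brute force but not at stuffing; only the per-source view catches the latter.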

The campaign is targeting LinkedIn users all over the world. It pressures the victims that have lost control of their accounts into paying a ransom to avoid having their accounts deleted by the attackers.

[Image: a victim asking for help on X: “Someone has hacked my account and asking for money and no response from LinkedInHelp”]

The X account of LinkedIn Help is swamped with similar messages

Victims are usually made aware of the takeover by a notification that the email address associated with their account has changed. In many of the examples we saw, the new email address was linked to the Russian “rambler.ru” service. This does not necessarily mean the attack originates from Russia, but it’s not unthinkable that the accounts will be used in disinformation campaigns. According to one victim we spoke to, the attackers added fake accounts to their connections.

But the accounts could also be used to distribute malware, phishing campaigns, or other types of fraud. And if that’s the case, the deletion of the account sounds better to me than having your reputation damaged.

From complaints seen by BleepingComputer, LinkedIn support has not been helpful in recovering the breached accounts, with users just getting frustrated by the lack of response.

The LinkedIn Help account has pinned a message to say:

“Hey there! 👋 We’re experiencing an uptick in questions from our members, causing longer reply times. Rest assured, we’re doing our best to assist you! For account-specific inquiries, please DM us the details and your email address. We appreciate your patience. Thanks! 🙌”

The best defence against brute force attacks, credential stuffing, and other password attacks, is to set up two-step verification.

Setting up MFA for LinkedIn with Okta turned out to be painful because LinkedIn does not provide a QR code but a secret key, which is so long that it’s hard to get it right the first or second time. But since it’s safer than using SMS 2FA, this is how it’s done:

  • Open Settings & Privacy
  • Under Sign in & security
  • Select Two-step verification
  • Set the option to on and you will be presented with two choices
  • Choose the Authenticator app method and follow the instructions from there

You will receive an email confirming the change that tells you: From now on, you can use your authenticator app to get a verification code whenever you want to sign in from a new device or browser.

Exchange Server security updates updated

Microsoft has re-released the August 2023 Security Updates (SUs) for Exchange Server. The original release of the SUs, from August 8, 2023, had a localization issue on Exchange Server running on non-English operating systems (OSes) that caused Setup to stop unexpectedly, leaving Exchange services in a disabled state.

Exchange Online users are already protected from the vulnerabilities addressed by these Security Updates and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

This patch comes with a complicated table of recommended actions, in which version 1 is the original August 2023 SU and version 2 is the re-released August 2023 SU. Microsoft says:

  • If you successfully installed version 1 without problems, no further action is needed.
  • If you installed version 1 automatically without any problems or issues, version 2 will be downloaded automatically.
  • If the installation of version 1 failed, leaving Exchange services disabled, and you restarted the Exchange services without installing version 1 again, you should install version 2.
  • If the installation of version 1 failed, leaving Exchange services disabled, you restarted the Exchange services, and you used the workaround to manually create a “Network Service” account and then installed version 1, you should:
    • Uninstall version 1 and reboot.
    • Remove the manually created “Network Service” account (if it still exists).
    • Install version 2.

If version 1 was never installed, you can skip straight to version 2. Although there is no reason to suspect there are active exploits in the wild, we still recommend doing this as soon as possible to protect your environment. Exchange Servers are attractive targets for cybercriminals.

The vulnerability fixed by the security update, listed as CVE-2023-21709, required users to run a script in addition to installing the update. If you took the extra steps needed to address CVE-2023-21709 none of the actions above will undo them, so you do not have to repeat or undo them at any point. But again, if you haven’t done it yet, you should do so as soon as possible.

Citrix NetScalers backdoored in widespread exploitation campaign

Fox-IT has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). Over 1900 instances were found to have a backdoor in the form of a web shell. These backdoored NetScalers can be taken over at will by an attacker, even when they have been patched and rebooted.

A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. The scripts are placed on internet-facing servers and devices so they can be reached remotely.

In July, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical unauthenticated remote code execution (RCE) vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE that the cybercriminals used to plant the backdoor is listed as:

CVE-2023-3519 (CVSS score 9.8 out of 10): a Citrix NetScaler ADC and NetScaler Gateway code injection vulnerability. The vulnerability can lead to unauthenticated RCE. It affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization and accounting (AAA) virtual server.

Fox-IT (in collaboration with the Dutch Institute of Vulnerability Disclosure) scanned for the web shells to identify compromised systems. As of August 14th, 1828 NetScalers remain backdoored; 1248 of those have been patched but still carry the web shell. So, it seems that many administrators saw the need to patch for the vulnerability, but didn’t realize that patching was not enough to deal with an already established backdoor.

Several factors indicate that the biggest part of this exploitation campaign took place between late July 20th and early July 21st. Some systems have been compromised with multiple web shells. In total, the scans revealed 2491 web shells on a total of 1952 compromised NetScalers.

The campaign was likely targeted at European organizations. Of the top five affected countries, only one is located outside of Europe, in Japan. Germany alone accounts for over 500 backdoored instances.

On August 10, 2023, the DIVD started reaching out to organizations affected by the web shell. It used its already existing network and responsible disclosure methods to notify network owners and national CERTs. There is no reason to wait for such a notification however.

Prevention, detection and response

If your Citrix server hasn’t been updated to a secure version, we strongly advise you to patch it as soon as possible, especially if you’re utilizing any of the following features:

  • SSL VPN
  • ICA Proxy
  • CVPN
  • RDP Proxy
  • AAA virtual server

If you are not using any of these features, we still recommend that you patch to a non-vulnerable version, to prevent your appliance from becoming vulnerable when you start using one of these functions in the future.

Regardless of whether and when the patch was applied, it is recommended that you perform an Indicator of Compromise check on your NetScalers.

There are several resources available that document the in-the-wild exploitation of Citrix appliances where forensic artifacts can be found:

  • Mandiant has provided a bash script to check for Indicators of Compromise on live systems. Be aware that if this script is run twice, it will yield false positives, because some of the strings it searches for get written into the NetScaler logs whenever the script is run.

If you find that your Citrix NetScaler has been compromised, set up a clean system from scratch, or at the very least restore from a known-safe snapshot. But first, ideally working from a forensic copy of both the disk and the memory of the appliance, investigate whether the backdoor has been used by the attackers. Usage of the web shell should be visible in the NetScaler access logs. If there are indications that the web shell has been used to perform unauthorized activities, a larger investigation is essential, to establish whether the adversary has moved laterally from the NetScaler into the rest of the network.
