Blog: IT Security Alerts

CoNetrix strongly recommends all organizations implement the appropriate updates or mitigation measures for this confirmed vulnerability. CoNetrix has installed updates or implemented the mitigation steps for all affected CoNetrix Technology and Aspire customers.

On December 17, 2019, Citrix announced a directory traversal vulnerability in the Citrix Application Delivery Controller (formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway) products. If exploited, this vulnerability could allow an unauthenticated attacker to perform arbitrary code execution. This is similar to the FortiGate vulnerability in 2019.

Citrix Security Bulletin: https://support.citrix.com/article/CTX267027, including information about updates to address this vulnerability.

If you cannot install the updates, Citrix has provided some configuration changes that mitigate the issue: https://support.citrix.com/article/CTX267679

How to Quickly Check for this Vulnerability

CoNetrix Security penetration testers were able to confirm the vulnerability by checking the response when browsing to a specific URL (https://<IP address>/vpn/../vpns/cfg/smb.conf). If you perform the same request and are able to read the smb.conf file, your system is vulnerable. If the mitigation is in place you will receive a 403 Forbidden error (or possibly some other error message). Also, CoNetrix Technology engineers found that IDS/IPS signatures exist for this exploit, but the IDS/IPS vendor did not set them to 'block' by default.

How to Mitigate this Vulnerability

This is being actively exploited in the wild, so we encourage you to install the fixed versions or apply the recommended mitigation steps as quickly as possible.

Steps to Take Post-Mitigation

Remember, it is important to validate the mitigation is working as expected after applying the configuration.

Citrix and FireEye have developed a scanner to detect if your NetScaler installation has been compromised: https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/

Once the mitigation steps have been implemented, here are a few additional action items:

  1. Review the system's active processes and connections to the Internet.
  2. Work with Citrix to review system logs for any potentially suspicious connection attempts.
  3. Work with your IDS and/or firewall vendor to review any potentially suspicious connection attempts.
  4. Check for newly created XML files in the /netscaler/portal/ and /var/tmp/netscaler/portal/ directories and their sub-directories.
  5. Search for and review any newly created files or scripts. Some exploit intel has indicated Perl scripts being added to the /netscaler/portal/scripts/ directory.
  6. Look for any CRON jobs that have been added to give an attacker persistence even after the vulnerability is patched.
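Added example (not from the CoNetrix post): a read-only sweep over the locations named in steps 4 through 6. The root argument lets it run against a mounted forensic copy instead of the live appliance; the 30-day window and the /var/cron/tabs location (a FreeBSD-style layout) are assumptions, not values from the advisory.

```shell
#!/bin/sh
# Added example: post-mitigation triage of the paths listed in steps 4-6.
# Usage: triage [ROOT] [DAYS]   ROOT="" means the live system.
triage() {
    root="${1:-}"; days="${2:-30}"

    echo "== XML files modified in the last $days days (step 4)"
    for dir in "$root/netscaler/portal" "$root/var/tmp/netscaler/portal"; do
        [ -d "$dir" ] && find "$dir" -type f -name '*.xml' -mtime "-$days"
    done

    echo "== Files added under /netscaler/portal/scripts (step 5)"
    dir="$root/netscaler/portal/scripts"
    [ -d "$dir" ] && find "$dir" -type f -mtime "-$days"

    echo "== Active cron entries, comments stripped (step 6)"
    # Assumed locations for a FreeBSD-based appliance: system crontab plus
    # per-user tabs. Each line is prefixed with the file it came from.
    for cron in "$root/etc/crontab" "$root/var/cron/tabs"/*; do
        [ -f "$cron" ] && grep -v '^#' "$cron" \
            | grep -v '^[[:space:]]*$' | sed "s|^|$cron: |"
    done
    return 0
}
```

Review anything listed against your change records; a file or cron line you cannot explain is a candidate for the Citrix/FireEye scanner referenced below.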

CoNetrix has installed the update for all CoNetrix Technology and Aspire customers. CoNetrix Security has reviewed data collected during penetration tests from the previous year and notified customers that had this vulnerability. If you are not a CoNetrix customer and would like additional information or assistance with implementing these mitigation steps, we encourage you to contact us.


 

On May 24, 2019, Fortinet published an advisory stating that certain versions of their FortiOS software are vulnerable to a path traversal attack which allows an attacker to download system files through specially crafted HTTP requests. The vulnerability is only present when the SSL VPN service is enabled – either web-mode or tunnel-mode. The vulnerable FortiOS versions and the corresponding patched versions are:

  • FortiOS 6.0.0 to 6.0.4
    • Patched version: 6.0.5 or above
  • FortiOS 5.6.3 to 5.6.7
    • Patched version: 5.6.8 or above
  • FortiOS 5.4.6 to 5.4.12
    • Patched version: 5.4.13 (upcoming)

CoNetrix Security Penetration Test engineers have confirmed this vulnerability can be used to download usernames and passwords from FortiGate devices. The usernames and passwords can then be used to establish an SSL VPN connection which would give an attacker access to internal networks and systems.

CoNetrix strongly recommends all customers ensure the patched versions of FortiOS listed above are installed on all Fortinet devices that have the SSL VPN service enabled.

CoNetrix Technology customers with managed service agreements have already been updated to the patched FortiOS version to protect against the vulnerability.

References:
https://fortiguard.com/psirt/FG-IR-18-384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379


 

A report of two new vulnerabilities named Meltdown and Spectre was published last Wednesday, January 3, 2018. It is a big deal because they are hardware vulnerabilities affecting pretty much everything with a silicon chip. Yes, this means microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Currently, mitigation and recommended processes are in flux. New information, articles, and white papers have emerged daily over the last week. As you research these concerns, be sure you are referencing reputable sources and the information is up-to-date.

For now, the tricky part is that some of the early updates aimed at mitigating the vulnerabilities have yielded incompatibilities which might leave systems inoperable. (The fix might break things.) Please be cautious. Verify and test updates before installation.

The Vulnerabilities

If exploited, both vulnerabilities, which are classified as speculative execution vulnerabilities, allow unauthorized access to protected areas of memory which could allow an attacker to collect sensitive information such as passwords and nonpublic customer information.

  • Meltdown - allows unauthorized access to memory, including protected kernel memory. Affects almost all Intel processors manufactured since 1995 and some ARM processors.
  • Spectre - allows unauthorized access to memory used by other computer processes. Affects almost all processors. It has been verified on Intel, AMD, and ARM processors.

Mitigation

As the IT industry moves to mitigate these vulnerabilities, incompatibilities which can render systems unusable have occurred. It is of utmost importance to verify and test updates before installation. Prudently pursue and ensure the following security processes are working effectively within your organization (these are already standard elements of strong security cultures):

  • Installation of security software updates - antivirus software, endpoint security software, etc.
  • Installation of operating system (OS) updates - Microsoft Windows, Linux, Mac OS, iPhone, Android, etc.
  • Installation of web browser updates - Microsoft Edge/Internet Explorer, Google Chrome, Mozilla Firefox, etc.
  • Installation of firmware updates for microprocessors - BIOS updates issued by computer system manufacturers - Dell, Lenovo, HP, Apple, etc.
  • Prevention of malicious code execution - website blocking, website ad-blocking, phishing detection, security awareness training for users (how to spot malicious emails, not to click on links in emails), etc.

Exploits of these vulnerabilities are likely to change over time, and the controls issued by hardware and software manufacturers are likely to change as well. Therefore, it will be important to ensure updates are installed regularly.

 

Additional information provided by the researchers who discovered both vulnerabilities can be found at https://meltdownattack.com/.


 

The Equifax data breach announced yesterday potentially affects 143 million U.S. consumers and is one of the largest breaches of personal information. The following steps can be taken by consumers to help protect against fraud and identity theft:

  1. Enroll in the free security services offered by Equifax - https://trustedidpremier.com/eligibility/eligibility.html
  2. Place a security freeze on your credit file with each of the credit bureaus
  3. Monitor your financial accounts for unauthorized activity and report unauthorized activity immediately
  4. Obtain a copy of your credit report, review it for unauthorized activity, and report unauthorized activity immediately - www.annualcreditreport.com
  5. Set up alerts on your debit and credit accounts to notify you of transactions, changes to your account, or other alerts offered by your financial institution

Additional details:

The credit reporting bureau, Equifax, reported yesterday that they have been compromised. Non-public information affecting potentially 143 million U.S. consumers was stolen, primarily consisting of names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license numbers. Additionally, credit card numbers for approx. 209,000 U.S. consumers and dispute documents for approx. 182,000 U.S. consumers were accessed. Further details from Equifax can be found here:

For information from a source independent of Equifax, Brian Krebs' coverage can be found here - https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/.

Additional information about the steps consumers can take to protect against fraud and identity theft:

  • Placing a security freeze on your credit file with the four major credit bureaus (Equifax, Experian, Trans Union, Innovis) may have associated fees depending on which state the consumer lives in. Also, some states require the freeze to expire after a specified amount of time.
  • NOTE - A security freeze will also prevent the consumer from opening new lines of credit (a new credit card, new loan, etc.) unless the consumer first removes the security freeze. Fees may be associated with removing the freeze. Here are some resources:
  • Here are links to the credit bureau websites:
  • By law, you can get a free copy of your credit report every 12 months at www.annualcreditreport.com
  • Each financial institution has different services and alerts available for debit and credit accounts. Consumers should check with their institution for details. Examples of alerts that can be useful include notification of transactions over a specific threshold (e.g. over $100), transactions originating outside the US, and changes to the consumer's account profile (e.g. password change).

 

An outbreak of the WCry (also known as WannaCry/WanaCrypt0r) ransomware began to be reported May 12, 2017. The attack was worldwide and deemed by some as “the biggest ransomware outbreak in history.”

The goal of the attack, like all ransomware, is to encrypt computer files making them unavailable to the computer user. A payment is required to get the key which unlocks the files.

The ransomware was discovered in early February 2017, but was recently updated and began spreading quickly. It is delivered via a phishing email. Once executed, it exploits an SMB vulnerability (Server Message Block is a file sharing protocol used by Windows operating systems). The vulnerability was addressed in March 2017 by Microsoft Security Bulletin MS17-010. WCry uses unpatched SMB to spread its payload to vulnerable machines on the same network and to randomly chosen IP addresses on external networks.

If Windows systems are patched, in accordance with MS17-010, the SMB vulnerability is resolved and the systems are not vulnerable. 

CoNetrix Technology customers with Network Advantage managed service agreements were automatically updated in March 2017 when this patch was initially released.

CoNetrix recommends that all customers verify this update is installed as soon as possible.


Cisco Hardware Issue with Clock Signal Component

 

On February 2, Cisco released information about an issue affecting many of their hardware systems. This issue may cause eventual hardware failure on specific models and hardware versions after 18 months or longer.

The most common affected systems include ASA 5506, 5508, 5516 firewalls, and 4321, 4331, and 4351 routers.

Details about the issue with a complete list of affected hardware is available at http://www.cisco.com/c/en/us/support/web/clock-signal.html. The "Field Notices" tab contains links to the specific hardware.

For CoNetrix Technology customers, we are currently reviewing all documentation to determine those customers with affected hardware. We will contact those customers when additional action is needed.

Other CoNetrix customers should review their installed Cisco hardware or contact their IT service provider as soon as possible.

CoNetrix Technology customers can contact Support at 806-687-8600 or support@conetrix.com with any questions or concerns.


Researchers have reported a critical vulnerability in recent versions of OpenSSL which is used to secure numerous websites. This vulnerability has been assigned CVE identifier CVE-2014-0160 and is also known as the “Heartbleed Bug.” Exploitation can expose a website's secret keys, usernames and passwords of site users as well as other confidential information.

This affects systems using OpenSSL versions 1.0.1 through 1.0.1f. Note this also includes numerous appliances used to terminate SSL connections used in Virtual Private Networks, secure email solutions, etc. Thus, even if you are only using unaffected Microsoft web servers, you may need to address these other types of appliances and embedded systems.

The Qualys SSL Labs scanning service available at https://www.ssllabs.com/ssltest/ can be used to determine if a particular site exhibits this vulnerability.

Additional information is available at http://heartbleed.com.

We recommend you work with appropriate vendors to identify vulnerable systems and apply the appropriate patches as soon as possible.


 

The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machines (ATM) and card authorization systems and the continued distributed denial of service (DDoS) attacks.

To read the Press Release, visit http://www.ffiec.gov/press/pr040214.htm

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf


 

The Federal Financial Institutions Examination Council (FFIEC) jointly issued a statement to alert financial institutions that Microsoft will discontinue extended support for Windows XP effective April 8, 2014. After this date, Microsoft will no longer provide security patches or support for the Windows XP Operating System. To read the Joint Statement, visit http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf

 

I have received 4 or 5 emails this week from a phishing scam that claims that one of my ACH transactions was recently cancelled. These emails are getting through the filters and landing in my Inbox. If you or anyone you know gets an email similar to the one below, delete it. I have modified the link in the email below so it won’t work, but you can still see where it was trying to go.

One indication the emails are fake – they purport to come from NACHA, the National ACH Association. However, NACHA does not deal directly with consumers or individual transactions.

If you know someone who works with payroll, purchasing, paying bills, etc., you should warn them about these emails. They are targeting people who work with online ACH transactions. Imagine the horror if the person responsible for payroll at a company received an email saying, “ACH Payroll Cancelled”. They would be very likely to click on the link first and think about security later.

From: admin@nacha.org 
Sent: Friday, September 16, 2011 8:07 AM
To: You
Subject: ACH Payroll Cancelled

 
The ACH Payroll transaction (ID: 2150243623890),
recently initiated from your operating account (by your company), was rejected by the other financial institution.


Cancelled transaction

Transaction ID: 2150243623890
Reason for rejection: See details in the report below
Transaction Report: report_2150243623890.pdf.zip (self-extracting archive, Adobe PDF)

Note:
If you are sure that this email was delivered to you by mistake, please redirect it to your director or accountant.


..
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100 2011 NACHA - The Electronic Payment Association