Media Coverage

The Qakbot botnet has been disrupted by an international law enforcement operation that culminated last weekend, when infected computers started getting untethered from it by specially crafted FBI software. 

The FBI used a computer they control to instruct Tier 1 servers to download and install an FBI-created module that contains a new encryption key, to sever the communication between the Qakbot administrators and the Tier 1 servers and establish communication to an FBI-controlled server. From that server, an additional program is downloaded that uninstalls the Qakbot malware and gathers the computer’s IP address and associated routing information so that the FBI can get in touch with Qakbot victims. 

The list of IPs has been shared with organizations such as The Spamhaus Project, which will notify email service providers and hosting companies responsible for compromised accounts so they can reset the passwords on those accounts, and the Shadowserver Foundation, which will send a report to national computer security incident response team (CSIRTs) and network owners, to help them notify any remaining victims and help them deal with the other malware delivered by Qakbot.

Citrix NetScaler ADC and NetScaler Gateway are at heightened risk of opportunistic attacks by a ransomware group likely linked to the financially motivated FIN8 threat actor. NetScaler products are popular attacker targets because of the highly privileged access they provide to targeted networks. Many organizations have deployed gateway technologies like these to enable secure access to enterprise applications and data for remote workers.

The critical code injection vulnerability is being tracked as CVE-2023-3519 and affects multiple versions of Citrix’ application delivery, load balancing, and remote access technologies.

On Aug. 7, the nonprofit Shadowserver Foundation, which tracks and monitors malicious Internet activity, said it had identified at least three separate campaigns targeting CVE-2023-3519. Two of the campaigns involved the threat actor dropping a PHP Web shell on a vulnerable host, while the third involved the attacker executing malicious commands at the root level via a Web shell. The Foundation said its telemetry showed at least 7,000 NetScaler hosts worldwide as being vulnerable to exploit at the time.

US investigators say they’ve dealt a serious blow to the ransomware scourge by taking down a notorious botnet known as Qakbot.  On Tuesday, the Justice Department and FBI announced they had dismantled Qakbot by securing a search warrant to essentially hijack the servers that controlled the botnet. Federal agents then forced the botnet to circulate an uninstaller to thousands of computers infected with Qakbot, removing the malicious program.

During their investigation, federal agents noticed Qakbot controlling 700,000 infected computers, about 200,000 of which were based in the US.

Qakbot, also known as Qbot, first began as a Windows-based Trojan designed to steal access to users’ bank account information when it was first spotted around 2008. It can typically spread through malicious attachments in phishing emails.

Another 6.5 million stolen login credentials from victims was also uncovered. “The FBI has partnered with the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation,” the agency added.

Exploitation of the recently disclosed Ivanti Endpoint Manager Mobile (EPMM) vulnerability has started to pick up, just as the vendor announced the discovery of a new flaw. The EPMM zero-day tracked as CVE-2023-35078, which allows an unauthenticated attacker to obtain sensitive information and make changes to the targeted system, was exploited in attacks aimed at the Norwegian government since at least April 2023. While initially the flaw was only exploited in targeted attacks, threat intelligence firm GreyNoise started seeing exploitation attempts from dozens of unique IP addresses on July 31. The company has seen attacks coming from a total of 75 IPs. The ShadowServer Foundation reports that there are still roughly 700 internet-exposed instances of the mobile management software that are vulnerable to attacks. In the attacks exploiting CVE-2023-35078, threat actors also leveraged a different EPMM security hole, CVE-2023-35081, to upload webshells on the device and run commands.

Hundreds of Citrix Netscaler ADC and Gateway servers have already been compromised and backdoored in a series of attacks targeting a critical Remote Code Execution (RCE) vulnerability identified as CVE-2023-3519. The vulnerability was previously exploited as a zero-day to breach the network of a US critical infrastructure agency.

Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to strengthening internet security, have now revealed that the attackers deployed web shells on at least 640 Citrix servers in these attacks.

Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation. The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. The flaw, patched by Citrix last month, carries a CVSS score of 9.8. The largest number of impacted IP addresses are based in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil. The exploitation of CVE-2023-3519 to deploy web shells was previously disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which said the attack was directed against an unnamed critical infrastructure organization in June 2023.

Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an “extremely severe” flaw that could result in pre-authenticated remote code execution on affected installations. Tracked as CVE-2023-38646, the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1. “An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on,” Metabase said in an advisory released last week. While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 2023. A majority of the instances are located in the U.S., India, Germany, France, the U.K., Brazil, and Australia.

Ivanti ‘s mobile device management software EPMM(Endpoint manager mobile), aka Mobile iron core version lower than 11.8.1.0, was impacted by the actively exploited zero-day vulnerability.  On Sunday, the company released the security patches for the remote unauthenticated API access vulnerability tracked as CVE-2023-35078. Ivanti is an asset management software system used to remotely inventory and manage desktop computers.  It has the ability to report on installed software and hardware, allow remote assistance, and install security patches. If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week warned of cyber attacks against Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices exploiting recently discovered zero-day CVE-2023-3519. The Agency states that threat actors targeted a NetScaler ADC appliance deployed in the network of a critical infrastructure organization. Citrix this week warned customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler Application Delivery Controller (ADC) and Gateway that is being actively exploited in the wild. The U.S. CISA revealed that threat actors are exploiting the vulnerability to drop web shells on vulnerable systems. Researchers from the non-profit organization Shadowserver Foundation this week reported that at least 15,000 Citrix servers were exposed to CVE-2023-3519 attacks based on their version information. Most of the servers are located in the United States and Germany.

Thousands of Citrix Netscaler ADC and Gateway servers exposed online are vulnerable to attacks exploiting a critical remote code execution (RCE) bug that was previously abused in the wild as a zero-day. Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, revealed this week that at least 15,000 appliances were identified as exposed to attacks leveraging the flaw (CVE-2023-3519) based on their version information. “We tag all IPs where we see a version hash in a Citrix instance. This is due fact that Citrix has removed version hash information in recent revisions,” Shadowserver said. “Thus safe to assume in our view all instances that still provide version hashes have not been updated and may be vulnerable.” They also noted that they’re also undercounting since some revisions known to be vulnerable but with no version hashes have not been tagged and added to the total number of exposed Citrix servers. Citrix released security updates to address this RCE vulnerability on July 18th, saying that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and urging customers to install the patches as soon as possible. The company added that unpatched Netscaler appliances must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication virtual server (the so-called AAA server) to be vulnerable to attacks. The CVE-2023-3519 RCE zero-day was likely available online since the first week of July when a threat actor began advertising Citrix ADC zero-day flaw on a hacker forum.