Citrix issues alerts for actively exploited zero-day vulnerabilities

SISA Weekly Threat Watch 22 January, 2024

In the past week, the cybersecurity landscape witnessed a surge in sophisticated threats, including targeted cryptocurrency miner deployments exploiting Apache misconfigurations, the evolution of Medusa ransomware into a multi-extortion tactic, Juniper Networks addressing critical vulnerabilities, SonicWall firewalls potentially vulnerable to exploits, and Citrix alerting users to two actively exploited zero-days. These incidents underscore the escalating complexity and diversity of cyber threats, emphasizing the significance of implementing robust security measures, prompt updates, and comprehensive mitigation strategies in the face of evolving risks. 

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats. 

1. Attackers exploit Apache Hadoop and Flink using rootkits to deploy crypto miners

Security experts have uncovered a sophisticated attack leveraging misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners. This method employs packers and rootkits to conceal malware presence, specifically targeting misconfigurations in Apache Hadoop’s YARN Resource Manager and Apache Flink applications. Exploiting a YARN misconfiguration, the attacker executes arbitrary code through an unauthenticated HTTP request, gaining privileges on the affected node. Similar attacks on Apache Flink allow remote code execution without authentication.  

Notably, these attacks incorporate rootkits to mask crypto mining processes post-compromise. The attacker deploys a new application through an unauthenticated request, executing a payload that downloads rootkits and a Monero miner. To enhance defenses, experts recommend network segmentation, behavioral analysis tools, application whitelisting, and advanced rootkit detection mechanisms. 
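As an added defender-side example (not code from the advisory or from the Apache projects), the following Python audit flags the class of Hadoop/YARN misconfiguration the item above describes: web endpoints that accept anonymous, unauthenticated requests. The property names are standard Hadoop core-site.xml/yarn-site.xml keys; the two XML samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: settings that leave the YARN ResourceManager web endpoints
# open to anonymous callers (these are also Hadoop's out-of-the-box defaults).
WEAK_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
</configuration>"""

# Constructed sample: the hardened equivalent (Kerberos-authenticated HTTP,
# no anonymous access, YARN ACLs enforced).
HARDENED_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
</configuration>"""

# Acceptable values per key. A missing key is flagged too, because Hadoop's
# default for each of these is the permissive setting. If you run a custom
# HTTP authentication handler class, add its name to the "type" entry.
EXPECTED = {
    "hadoop.security.authentication": {"kerberos"},
    "hadoop.http.authentication.type": {"kerberos"},
    "hadoop.http.authentication.simple.anonymous.allowed": {"false"},
    "yarn.acl.enable": {"true"},
}


def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> document.
    core-site.xml and yarn-site.xml share this layout; merge their dicts."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Return a list of findings; an empty list means no weak setting found."""
    findings = []
    for key, allowed in EXPECTED.items():
        value = props.get(key)
        if value is None:
            findings.append(f"{key} not set; permissive Hadoop default applies")
        elif value.lower() not in allowed:
            findings.append(f"{key}={value!r}; expected one of {sorted(allowed)}")
    return findings
```

Run `audit(parse_hadoop_xml(open("core-site.xml").read()))` against each of your site files and merge the dicts first if the keys are split across files.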

2. Citrix alerts users to act against two new actively exploited zero-days in NetScaler

Citrix has issued an urgent advisory urging users to promptly apply patches for two zero-day vulnerabilities, CVE-2023-6548 and CVE-2023-6549, affecting Internet-accessible NetScaler ADC and NetScaler Gateway appliances. Both vulnerabilities lie in the NetScaler management interface and pose serious risks: CVE-2023-6548 enables remote code execution by an authenticated, low-privileged attacker, while CVE-2023-6549 is a denial-of-service (DoS) issue.

Immediate action is crucial: apply the patches, segregate management-interface traffic from the rest of the network, and block network traffic to affected instances. As of now, slightly over 1,500 NetScaler management interfaces are exposed on the Internet, highlighting the urgency of addressing these vulnerabilities.

3. Juniper Networks addresses critical RCE vulnerability in SRX firewalls and EX switches

Juniper Networks has swiftly addressed a critical remote code execution (RCE) vulnerability affecting its SRX Series firewalls and EX Series switches, alongside another high-severity bug (CVE-2024-21611, CVSS score: 7.5) in Junos OS and Junos OS Evolved. The RCE flaw poses a significant risk, allowing unauthenticated attackers to execute remote code, trigger a Denial-of-Service (DoS), and gain root privileges.  

In addition, a critical out-of-bounds write vulnerability in J-Web on Junos OS SRX Series and EX Series devices could enable network-based attackers to cause a DoS or achieve RCE, potentially leading to root privilege escalation. Users are strongly urged to apply the updates promptly; as interim measures, Juniper recommends disabling J-Web or restricting access to it to trusted hosts.

4. Medusa ransomware’s evolution into multi-extortion tactic

The Medusa ransomware group has intensified its activities with the introduction of a dedicated dark web data leak site in February 2023, targeting organizations across diverse sectors. Medusa employs a multifaceted extortion strategy, offering victims choices like time extension, data deletion, or complete download with specific financial demands. Exploiting vulnerabilities in internet-facing assets and utilizing initial access brokers, the group employs living-off-the-land techniques to blend with legitimate activities and evade detection. The ransomware encrypts files, excluding specific extensions, while the leak site displays details, ransom amounts, and countdowns for public data release.  

The group’s strategic shift involves leveraging a media team and a public Telegram channel for sharing compromised files, emphasizing the professionalization and commoditization of ransomware operations. To defend against such threats, organizations are advised to implement advanced endpoint protection, robust backup practices, comprehensive disaster recovery plans, and a zero-trust security model. 

5. Over 178,000 SonicWall firewalls potentially vulnerable to exploits

Over 178,000 SonicWall next-generation firewalls (NGFW) face security risks due to exposed online management interfaces, making them vulnerable to denial-of-service (DoS) and potential remote code execution (RCE) attacks. Security researchers conducted scans revealing that 76% of the scanned SonicWall firewalls are susceptible to the identified vulnerabilities (CVE-2022-22274 and CVE-2023-0656).

These vulnerabilities, stemming from the same underlying issue, could lead to DoS and, in the case of CVE-2022-22274, potential code execution by remote, unauthenticated attackers. While the SonicWall Product Security Incident Response Team (PSIRT) has not reported exploits in the wild, administrators are strongly advised to isolate the management interface, update firmware promptly, and conduct thorough vulnerability assessments to mitigate potential risks associated with these vulnerabilities. 

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
