Impressive #infosec research by #Qualys: Their Threat Research Unit (TRU) has discovered a remote code execution #RCE vulnerability in #OpenSSH’s ssh-agent allowing someone on the remote server to execute code on the local host of an #SSH-connected user with agent forwarding enabled.
Detailed technical description: https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
Summary: Seems only to work on #Linux, needs non-standard but distro-shipped shared libs to be installed.
There's an RCE in #openssh. Don't panic, it only affects agent forwarding (you're not doing that, right?)
The exploit is really interesting though, and the technical writeup is extremely well written. I recommend reading it, but I'll put a summary below.
YOU MUST ONLY READ THE OFFICIAL BLOGS
there is no breach
there is no vulnerability
there are no zero days
🚨 patch Citrix Netscaler, Gateway and AAA vuln CVE-2023-3519 as a priority 🚨
It’s now easy to exploit; technical details are out there publicly. Expect ransomware gangs in coming months.
It dates back to 2015 and is very widely deployed in enterprise. From gentle scanning, most orgs haven’t patched (and many are on EOL versions).
"🚨Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Immediate Action🚨"
CISA warns of a critical security flaw in Citrix NetScaler ADC and Gateway devices being exploited to drop web shells on vulnerable systems. Immediate action is advised!🔒💻
Source: [The Hacker News](https://thehackernews.com/2023/07/citrix-netscaler-adc-and-gateway.html)
22 YEARS AGO
Genoa 2001, we do not forget!
So, what are your favorite InfoSec browser plugins?
Mine is definitely ThreatPinch by Cloudtracer. There's simply nothing more useful for quickly assessing all sorts of on-screen Indicators of Compromise (IoCs) such as IPv4 addresses, MD5 hashes, SHA2 hashes, CVE identifiers, and Fully Qualified Domain Names (FQDNs). Plus, the 'copy results' option allows you to document everything without much hassle.
[ThreatPinch Lookup](https://chrome.google.com/webstore/detail/threatpinch-lookup/ljdgplocfnmnofbhpkjclbefmjoikgke?hl=en) is a Chrome extension that provides threat intelligence hover tooltips.
The results are kept local, and it works right out of the box. However, the returned data and sources can be tweaked to your liking. What's not to love?!
The extension works by integrating with any REST API, allowing you to add your own threat intelligence IoCs. This makes it a versatile tool for cybersecurity professionals who need to quickly assess potential threats without leaving their browser.
Please note that the effectiveness of this tool is dependent on the quality of the threat intelligence sources you connect it to.
For more information, you can check out the [ThreatPinch Github](https://github.com/cloudtracer/ThreatPinchLookup/blob/master/README.md) page.
So... what's yours?
Now sharing info on likely CVE-2023-3519 vulnerable Citrix ADC/Gateway instances in our Vulnerable HTTP report: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
CVE-2023-3519 is an Unauthenticated remote code execution with a CVSS score of 9.8: https://nvd.nist.gov/vuln/detail/CVE-2023-3519
At least 11170 unique IPs found, most in the US (4.1K)
We tag all IPs where we see a version hash in a Citrix instance. This is due to the fact that Citrix has removed version hash information in recent revisions, including the most recent one with the patch for CVE-2023-3519. Thus it is safe to assume, in our view, that all instances that still provide version hashes have not been updated and may be vulnerable.
(this also means we are undercounting the actual vulnerable numbers).
well, this was an unexpected morning. my company just announced that it will be closing at the end of the month and everyone will be terminated.
on a personal level, i’m 9 months pregnant and scheduled for a c-section in less than a week, which puts me in a tough spot as i know i’m gonna have to take “leave” time.
One of the abilities you lose when you move your entire operation to a cloud provider is "the simple ability to read the logs to tell if someone is attacking you or not"
if you can't tell you're being attacked, you can't respond, and you won't know you got broken into until AFTER they break in.
sorta defeats the purpose, doesn't it.
Monday 17 July - Hackmeeting 2023 Warmup
from 18:00
Schedule (being updated):
+ 18:30 – 19:30 Elettro Art Attack Lab
Tired of fast fashion? Necklaces with the infinity symbol aren't for you? Come to the Elettro Art Attack lab and make your own little jewellery out of pieces of circuit boards, keyboards and resin!
NB: the creations will be “solid” the following day and can be collected at another time at the hacklab or wherever is agreed.
+ 19:30
+ 21:00
Presentation of the book CryptoBluff by Ginox, Eris Edizioni
A critical handbook to the ephemeral world of cryptocurrencies
All organised by HacklabBo.
Thanks to the club hosting us, @berneri
In Italy, we have an expression for when someone is saying something stupid, false, hypocritical, or fascist and you just want to shut them up: "stocazzo". For example, the right wing cries every day about cancel culture, and then they censor books, so you can say "Cancel culture stocazzo"
The clear non-violent struggle of the Bolognese taxi driver Roberto Mantovani, who drove the knife of truth into the festering wound of a professional category where tax evaders felt safe until he made his daily earnings public. Spread the word, because if he is left alone he is more exposed and more at risk. A clear moral sanction from everyone is needed.
NEW: A month after disclosing the data breach it suffered, Western Digital confirms hackers stole customer data.
This includes names, billing and shipping addresses, email addresses and telephone numbers, and “passwords and partial credit card numbers.”
The good news is that the data was encrypted, hashed, and salted.
Small showcase of Velociraptor for threat hunting, digital forensics and incident response! This video demonstrates getting a server and client set up in standalone mode, running some commands and creating our first hunt. https://youtu.be/S8POUZv7pT8
Thanks to @BHinfosecurity @Antisy_Training & @strandjs for sponsoring this video! This lab is from their FREE labs of their Pay What You Can courses -- they're starting a Cyber Deception course -- join at any price affordable for you! https://j-h.io/pwyc
Congress is trying to outlaw end-to-end encryption again and it's time to take action. Tell your rep. to vote against the STOP CSAM Act.