Month: November 2022

Citrix and Citrix ADC released patches for Citrix Gateway

Bangaly Koita 2 years ago

 

 Three Vulnerabilities have been discovered in Citrix Gateway and Citrix ADC.

The vulnerabilities are the following:

  • CVE-2022-27510 Unauthorized access to Gateway user capabilities
  • CVE-2022-27513 Remote desktop takeover via phishing
  • CVE-2022-27516 User login brute force protection functionality bypass

Be aware that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the first issue.

The affected versions are the following:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289

The released applies to customer-managed Citrix ADC and Citrix Gateway appliances. Customers using Citrix-managed cloud services do not need to take any action.

Recommendation:

Install the relevant updated versions of Citrix ADC or Citrix Gateway.

NB: Only Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL and customers on those versions are recommended to upgrade to one of the supported versions.

Why should we update our browsers?

Bangaly Koita 2 years ago

 

While you are reading this post, I know that your browser is not updated. This is because you are not aware of the impact that it might cause to your system or organization.

In October 2022, Google fixed 7 Chrome zero-day vulnerabilities exploited by threat actors.

CVE-2022-3723 

CVE-2022-1096

CVE-2022-0609

CVE-2022-2856

CVE-2022-1364

CVE-2022-2294

CVE-2022-3075

Google Chrome recommended to update the web browsers to block exploitation attempts.

In October 2022, Microsoft has released several fixes for the Microsoft Edge Stable versions.

Details:

Microsoft has released the latest Microsoft Edge Stable Channel (Version 107.0.1418.26). This update contains the fix for CVE-2022-3723, reported by the Chromium team as having an exploit in the wild.

Microsoft has also updated Microsoft Edge Extended Stable Channel (Version 106.0.1370.61), which contains the fix to CVE-2022-3723.

Microsoft has released the latest Microsoft Edge Stable Channel (Version 107.0.1418.24), which incorporates the latest Security Updates of the Chromium project.

Microsoft has released the latest Microsoft Edge Stable Channel (Version 106.0.1370.34), which incorporates the latest Security Updates of the Chromium project.

Microsoft has recommended to update to the newest version.

In March 2022, Firefox fixed 2 vulnerabilities (CVE-2022-26485 and CVE-2022-26486) under attack.

Firefox recommended to upgrade to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0 to block exploitation attempts

As we might see, the web browsers could have several vulnerabilities and also could be exploited by the threat actors to steal users’ data or data from different entities such as corporation, government and so on.

In order to avoid that, there are some recommendations to follow.

Recommendation:

Monitor your browser if there is any update information.

You could also subscribe to the security blog or webpage of the organization owning the browser so you can get information about different update issues.

Update your browser always when the update is available.

OpenSSL has patched two high severity vulnerabilities

Bangaly Koita 2 years ago

OpenSSL has released two high severity vulnerabilities within the open source OpenSSL library.

The both vulnerabilities CVE-2022-3602 and CVE-2022-3786 require a malicious X.509 certificate that has been signed by a valid certificate authority.

The first vulnerability CVE-2022-3602 - could cause a denial of service by allowing the bytes containing the character “.” (decimal 46) to be entered on the stack.

The second one CVE-2022-3786 - could cause a denial of service by allowing the attacker to craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the “.” character (decimal 46) on the stack.

Affected version: OpenSSL versions 3.0.0 to 3.0.6.

Mitigation: OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

How to protect your data?

Bangaly Koita 2 years ago

 

The confidential data are any types of data if leaked could cause several damages to any company such as data lost, loss of reputation or a person.

Data are categorized in the following ways:

PII (Personal identifiable Information) – Consist of data such as Username and password, date of birthday, social security number, credit card number and others.

PHI (Personal Health Information) – Consist of data such as data related to human health (medical record).

Sensitive or confidential Information – Consist of data related managed by private institution, public institution, military institution or army or data that belong to a person such as personal data that could be used to blackmail someone (Pictures, message, voice call, video and others).

Financial Data - Consist of data managed by financial institution such as Banks, any institution storing financial information (Organization, Insurance companies and others)

The data are protected by regulations or standards based on the countries where the data reside such as the African Union’s Convention on Cyber Security and Personal Data Protection, GDRP, The Gramm-Leach-Bliley, HIPAA, PCI DSS and others.

 

Below, you can get some tips about how to protect your data:

Don't share confidential data sensitive data via public file transfer and storage.

Don’t put data such as password, key, source code on public GitHub or other code repositories.

Use 2FA.

Use encryption while sharing confidential data

Don't put any confidential data over social media

Don't upload file on virus total or others similar sources unless you are sure that it does not contain any confidential data

Use the hash to check the file reputation on VT

Monitor confidential data leaked on dark web or data leaked issue from source such as Havebeepwned

Monitor your key word on different social media

Perform a vulnerability assessment and patching

Perform a threat hunting to detect any threat that can be exploited

 

Les hackers sont entrain de voler le mot de passe des utilisateurs lors du process du 28 Septembre 2009 en Guinee

Bangaly Koita 2 years ago

Le monde braque sur le process du 28 Septembre 2009 en Guinee, les hackers le sont aussi.

Notre equipe a pu detecter des utilisateurs malvaillants sur des chaines Youtube   des televisions Guineenes  telles que  Djoma TV, Espace FM, FIM FM qui sont devenues des vecteurs dattaques pour les hackers.

Des liens ou domains malvaillants sont distribues sur ces chaines pour attirer lattention des utilisateurs en vue d’y cliquer .

Exemple 1

Sur la chaine Youtube de Djoma Media, des liens malvaillants partages aux utlisateurs pour voler leur mot de passe.

Sur la photo au dessus, le domain GIRLS18[.]XZY (NE PAS CLIQUER SUR LE LIEN) apres examination par notre equipe de  Cyber Threat Intelligence.

Les resultast suivants ont ete obtenus:

Le domain  a ete cree il ya 8 jours heberge sur GO DADDY.

Apres soumission du domain, VirusTotal na pas detecte le domain comme malvaillant.

Le meme domain sur URLSCAN.IO nous redirige vers un notre domain que nous pouvons apercevoir sur l’image .

Apres une analyse faite sur ce domain, nous avions obtenu plus d’information sur les techniques utilisees par les attaqueurs .

Nous pouvons voir maintenant que ce domain a ete classifie par des anti-virus comme Fortinet, Sophos et dautres  comme Phishing .

URLSCAN montre le meme resultat.

Le domain a ete classifie comme malvaillant.

 

Exemple 2 

Le second exemple  vient de la chaine Youtube de la chaine TV Espace FM.

Comme vous le voyez,  le lien  mavaillant girls69[.]xyz  (ne pas cliquer sur le lien) a ete partage (Jespere que les utilisateurs nont pas clique 😊).

 

Les meme techniques et meme indicators ont ete trouves.

Le domain a ete cree il ya 6 jours.

Virustotal  resultat  RAS

Notre grand ami URLSCAN nous revele que le domain est redirige vers le meme domain que le cas precedant.

Le Meme domain produit le meme resultat.

Nous voyons que les meme bandits causent les meme effets 😊.

A ce effet nous pouvons conclure que les auteurs ont pour objectif de voler les information personels des utilisateurs et sy possible aussi installer un fichier malvaillant pour dautres objectifs.

Soyez virgillants mes chers auditeurs.

 

Recommendations:

Ne jamais cliquer sur un lien que vous ne connaissez pas.

Verifiez le lien sur Virustotal comme on vous a montre dans nos exemples.

Utilisez 2FA sur vos comptes Youtube, Facebook, Instagram et autres.

Ne jamais utilizer les meme mots de passes sur different comptes.

Ne jamais partager vos information personnelles le mot de passe, email addresse, date de naissance publiquement.

 

How to find different domains mimicking your brand?

Bangaly Koita 2 years ago

Nowadays, the threat actors are using different technics to steal users PII (personal identifiable information).

One of the easiest ways of doing that is to create a fake web page that looks like a well-known webpage such as Facebook, Twitter, YouTube, Instagram, LinkedIn, Netflix and others services (Banks, gaming platforms etc.)

Let’s give some example:

URLscan URL and website scanner - urlscan.io

Is a well-known URL and website scanner used by most of security professional

The examples below, will teach us about how to find the website mimicking our brands.

1 – Netflix brand mimicking by threat actors to steal users credentials

The first to do is to connect to type the domain “netflix.com”  - www.netflix.com - urlscan.io

Next, go to “HTPPtransaction”, click on the “image” button

Now, you need to expand the image view and  click on “Show image”

Once clicked, you will see the image

As we can see the image now, if you want to find other webpages with the same image, follow the next steps.

Click right on the “Hash” Of the image and “choose open on the new tab “

You will get the following page

Scroll down the page, you will find some domains different from the one we submitted which is the legitimate one

Open in the new tab the domain that are different from the legitimate one (Netflix.com)

Now as you can see, we found some domains malicious domains mimicking Netflix.com.

You can use the same technic for your brand or organization.

Recommendation

Check the URL or the domain before connecting to a domain

Use 2FA for your login

Use different password for different account

Use a platform like Virus Total to check the domain if you are not sure before connection

You may have missed

Windows files system you should never whitelist in your environment

Bangaly Koita 3 weeks ago

New update in URLSCAN to detect malicious domains

Bangaly Koita 3 months ago

How to securely open a file

Bangaly Koita 8 months ago

Payoutproject[.]com the biggest scam ever on social media Facebook, twitter, TikTok, Instagram

Bangaly Koita 10 months ago

How to use a proxy server for free over the internet

Bangaly Koita 10 months ago