At the beginning of July, an attacker advertised a zero-day vulnerability in Citrix ADC for sale. With little information to go on, the company held off on responding to the post. Citrix is now alerting the public to a critical-severity vulnerability affecting NetScaler ADC and NetScaler Gateway that is believed to be the flaw advertised in early July, and has released software updates for three vulnerabilities; at least the most severe of them was being exploited in the wild before Citrix communicated about the zero-day. CVE-2023-3519 carries a CVSS score of 9.8 out of 10: a remote attacker can execute arbitrary code on the appliance without providing any authentication. The only precondition is that the appliance is configured as a gateway (SSL VPN, ICA Proxy, CVPN or RDP Proxy virtual server) or as an AAA (authentication, authorization and auditing) virtual server, which is how most internet-facing deployments are set up. CVE-2023-3466 has a score of 8.3 and is a reflected cross-site scripting (XSS) flaw; exploitation requires the victim to open an attacker-supplied link in a browser while on a network with connectivity to the appliance's management IP (NSIP). The last vulnerability, CVE-2023-3467, has a score of 8.0 and lets an attacker who already has authenticated access to the NSIP, or to a SNIP with management access, escalate privileges to root administrator (nsroot).
The following builds contain the fixes for all three vulnerabilities; anything older on the same release train should be treated as vulnerable:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of
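A practitioner with a fleet of appliances wants a quick way to compare a running build against the fixed builds listed above. The following checker is an added example, not Citrix code: the fixed-build table is taken from the list above, the `show ns version` banner format it parses ("NetScaler NS13.1: Build 49.13.nc, ...") is an assumption, and the sample banners are constructed. Because FIPS and NDcPP builds share the 13.1 and 12.1 numbering with the standard train but have different fixed builds, the edition must be passed explicitly.

```python
import re
from typing import Optional, Tuple

# Minimum fixed builds from the advisory list above: (release, edition) -> (build, sub-build).
# "standard" is the ordinary NetScaler ADC / NetScaler Gateway release train.
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (65, 36),
    ("12.1", "NDcPP"): (65, 36),
}

# Accepts either the "13.1-49.13" form used in the advisory or the banner printed by
# `show ns version` ("NetScaler NS13.1: Build 49.13.nc, ..."). The banner format is assumed.
_VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?:\s*:\s*Build\s+|-)(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[str, int, int]:
    """Return (release, build, sub_build), e.g. ("13.1", 48, 47).

    Raises ValueError when no NetScaler version string is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no NetScaler version found in {text!r}")
    major, minor, build, sub = match.groups()
    return f"{major}.{minor}", int(build), int(sub)


def is_patched(text: str, edition: str = "standard") -> Optional[bool]:
    """True if the build is at or above the fixed build for its release and edition,
    False if it is older, None if the advisory lists no fixed build for that train
    (treat None as unpatched and review the appliance manually)."""
    release, build, sub = parse_version(text)
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        return None
    return (build, sub) >= fixed


if __name__ == "__main__":
    # Constructed sample banners, not taken from real appliances.
    samples = [
        ("NetScaler NS13.1: Build 48.47.nc, Date: May 23 2023", "standard"),
        ("NetScaler NS13.1: Build 49.13.nc, Date: Jul 10 2023", "standard"),
        ("NetScaler NS13.1: Build 37.159.nc, Date: Jul 10 2023", "FIPS"),
        ("NetScaler NS12.1: Build 65.36.nc, Date: Jul 10 2023", "standard"),
    ]
    for banner, edition in samples:
        print(f"{edition:8} {banner!r:60} -> {is_patched(banner, edition)}")
```

Note the deliberate asymmetry: a 13.1-37.159 build is patched only if it is the FIPS edition; on the standard train the same number is far below 49.13 and is reported as unpatched. A standard 12.1 build returns None because the list above names no fixed build for it, and that case should be escalated rather than silently ignored.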
Artifact Registry is Google Cloud's repository for hosting software artifacts such as container images and packages. Last month Google was notified of a vulnerability involving it and shipped a fix; according to the researchers who reported it, however, the underlying flaw is still present, and an attacker who exploits it could tamper with images in the registry to insert malware, launch denial-of-service attacks, steal data and more. The flaw, which the researchers named Bad.Build, would reach customers downstream as soon as they pull a tampered image. The concern is heightened by the recent MOVEit supply chain attacks and the extent of the damage they caused. The researchers consider the root cause a design flaw in the Google Cloud Build service rather than a simple bug: any principal holding the cloudbuild.builds.create permission can submit a build that runs as the project's default Cloud Build service account, and thereby inherits whatever project-level permissions that account holds. Before the fix, those permissions included reading the project's audit logs, which was enough to enumerate every account and permission in the project.
Google's June fix removed the logging permission from the default Cloud Build service account, so a build can no longer read the audit logs and map out the project. The cloudbuild.builds.create permission itself, however, still allows impersonation of the service account. When Cloud Build is enabled in a project it automatically creates this service account so that builds can act on the user's behalf, and every other permission granted to it, including write access to Artifact Registry, remains reachable by anyone who can create a build. Google is aware of the severity of supply chain attacks and is working to fully eliminate the risk.
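The defensive check that follows from this is to find out who in a project can create builds and what the default Cloud Build service account can do once impersonated. The script below is an added example, not Google's or the researchers' code. It works on the JSON that `gcloud projects get-iam-policy --format=json` produces; the sample policy and project number are constructed, and the role-to-permission map is an assumed, deliberately incomplete subset (in practice, resolve every bound role with `gcloud iam roles describe`). The default Cloud Build service account address `PROJECT_NUMBER@cloudbuild.gserviceaccount.com` is the real convention.

```python
from typing import Dict, List, Set

# Assumed subset of predefined roles and the permissions relevant here. Incomplete by design:
# custom roles and any role not listed are ignored, which under-reports rather than over-reports.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/owner": {"cloudbuild.builds.create", "cloudbuild.builds.get"},
    "roles/editor": {"cloudbuild.builds.create", "cloudbuild.builds.get"},
    "roles/cloudbuild.builds.editor": {"cloudbuild.builds.create", "cloudbuild.builds.get"},
    "roles/cloudbuild.builds.viewer": {"cloudbuild.builds.get"},
    "roles/viewer": {"cloudbuild.builds.get"},
    "roles/artifactregistry.writer": {"artifactregistry.repositories.uploadArtifacts"},
}

# Constructed IAM policy in the shape `gcloud projects get-iam-policy` returns.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:dev@example.com", "group:ci-operators@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
        {"role": "roles/artifactregistry.writer",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    ],
}


def roles_granting(permission: str, role_permissions=ROLE_PERMISSIONS) -> Set[str]:
    """All known roles that carry the given permission."""
    return {role for role, perms in role_permissions.items() if permission in perms}


def principals_with_permission(policy: dict, permission: str,
                               role_permissions=ROLE_PERMISSIONS) -> Dict[str, List[str]]:
    """Map each member to the roles through which it holds `permission`.
    Conditional bindings are treated as unconditional (conservative)."""
    wanted = roles_granting(permission, role_permissions)
    found: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in wanted:
            for member in binding.get("members", []):
                found.setdefault(member, []).append(binding["role"])
    return {member: sorted(roles) for member, roles in found.items()}


def principal_roles(policy: dict, member: str) -> List[str]:
    """Every role bound directly to `member` in the policy."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


def cloud_build_exposure(policy: dict, project_number: str,
                         role_permissions=ROLE_PERMISSIONS) -> dict:
    """Who can create builds (and so run as the default Cloud Build SA), and what that SA holds."""
    sa = f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"
    creators = principals_with_permission(policy, "cloudbuild.builds.create", role_permissions)
    creators.pop(sa, None)  # the service account reaching itself is not a finding
    return {"cloud_build_sa": sa, "sa_roles": principal_roles(policy, sa), "creators": creators}


if __name__ == "__main__":
    report = cloud_build_exposure(SAMPLE_POLICY, "123456789012")
    print("Cloud Build SA:", report["cloud_build_sa"], "holds", report["sa_roles"])
    for member, roles in sorted(report["creators"].items()):
        print(f"  {member} can submit builds via {roles} and inherit the roles above")
```

In the sample, the auditor with roles/viewer is correctly left out, while the CI operators group, which was only ever given cloudbuild.builds.editor, turns out to reach roles/editor and Artifact Registry write access through the service account. The remediation the finding points at is to trim the default service account's bindings (or switch builds to a dedicated, narrowly scoped service account) rather than to chase every principal who can create builds.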
The Biden administration has added the spyware vendors Cytrox and Intellexa to the U.S. Commerce Department's Entity List, effectively blacklisting them. The two companies are responsible for creating privacy and security risks for individuals and organizations around the globe by trafficking in exploits that grant access to information systems. Both have developed exploit chains for Apple and Android devices worth millions of dollars. Cytrox is known for planting its eavesdropping malware on lawmakers' phones through malicious single-click links sent over the popular messaging app WhatsApp.
Microsoft announced this week that, starting in September, it will change its Microsoft 365 licensing so that lower-tier customers receive the essential cloud security logs by default at no extra cost. The change follows the disclosure this week by the U.S. cybersecurity agency (CISA) that a China-based threat group had targeted government agencies and officials; once the intrusion was identified, CISA found that the logs needed to detect it were not available on lower-tier M365 licenses. Microsoft also acknowledged this week that the attackers used a stolen signing key to forge authentication tokens and reach the mailboxes of M365 users at roughly 25 organizations. The primary obstacle for affected customers was that, without an upgraded E5/G5 license, they lacked the log data needed to investigate. Microsoft is now altering its licensing to give customers more visibility into this data: more detailed log events will be included by default, and the retention period for forensic data for Audit (Standard) customers will be extended from 90 to 180 days.
U.S. cybersecurity and intelligence agencies have released new guidance intended to better secure 5G networks. CISA and the NSA acknowledge that the 5G threat landscape has become increasingly dynamic and that bad actors have a growing attack surface, particularly around network slicing. Network slicing lets operators partition a single physical network into multiple logical networks serving different user types; the architecture could expose users to a range of attacks, including denial of service, jamming, identity theft and adversary-in-the-middle attacks. The latest guidance builds on recommendations released in December 2022, which also warned that the slicing model could be susceptible to attackers.
The new document focuses on three prominent vectors: signaling-plane attacks, misconfiguration attacks, and adversary-in-the-middle attacks. The agencies advise operators to adopt a zero-trust architecture in order to better secure their slices.