Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Kroll

Two Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway

Two vulnerabilities have been detected in in Citrix NetScaler ADC and NetScaler Gateway. These vulnerabilities are being tracked as CVE-2023-6549 and CVE-2023-6548 with CVSS scores of 8.2 and 5.5 respectively. They are under active exploitation, affecting the following product versions.

Open the DARKGATE - Brute Forcing DARKGATE Encodings

DARKGATE is Windows-based malware that is sold on the dark web. DARKGATE is a fully functional backdoor that can steal browser information, drop additional payloads, and steal keystrokes. Kroll previously noted DARKGATE’s distribution via Teams. When the DARKGATE payload runs on a victim system, it creates a randomly named folder within C:\ProgramData that contains encoded files. Within the randomly named folder is a short configuration file and the output of keystrokes logged on the system.

How to Use: MITRE ATT&CK Detection Maturity Assessment Tool

Bharath Kashyap helped create a lightweight, programmatic approach to performing a maturity assessment using free MITRE tools (like ATT&CK framework, D3FEND, and MITRE Centre for Threat Informed Defense (CTID)) to provide a starting point for you to understand your organization’s coverage against the framework, identify areas for improvement and prioritize them for implementation. In this video, Bharath walks through a few ways to make the assessment tool work for your organization.

Two Zero-Day Vulnerabilities Impacting Ivanti Connect Secure and Policy Secure Gateways

Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog. Two zero-day vulnerabilities have been discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure and Ivanti Policy Secure gateways.

CVE-2023-39336: Remote Code Execution Vulnerability Found in Ivanti EPM

Ivanti released a patch for a critical vulnerability discovered in Ivanti Endpoint Manager (EPM) that could allow for remote code execution (RCE). This vulnerability is being tracked as CVE-2023-39336 with a CVSS score of 9.6 (Critical), which is not yet actively exploited. All versions of Ivanti EPM prior to Service Update 5 are impacted. Ivanti credits security researcher hir0t for the responsible disclosure.