Threat Intel Updates | Corvus Insurance

Exploiting Zero Days, Citrix Vulnerability, and SEO Poisoning

Written by Corvus Threat Intel & Risk Advisory | 11.14.22

Attackers are exploiting zero-days faster, Citrix has disclosed a critical vulnerability, and an SEO poisoning campaign has compromised thousands of websites.

Latest Threat Intel News:


Attackers are Getting Faster at Exploiting Zero Days

In a recent report, Microsoft details some unfortunate news: attackers are getting faster at exploiting publicly disclosed security flaws. On average, exploitation is now observed 14 days after a vulnerability is made public. The risk of exploitation also grows over time through a process called “commoditization,” in which an exploit is developed once and then sold on to other cybercriminals. Since exploit development is highly technical, Microsoft notes that the most resource-rich adversaries (including nation states) are usually the first to weaponize a flaw. Once that hard work is done, however, less technical cybercriminals obtain the exploits, which are then trivial to deploy. A previous Unit 42 report found that threat actors can sometimes begin scanning for suitable victims within minutes of a vulnerability being disclosed. Combining readily found victims with ready-made exploit code is bad news for unpatched organizations.

Why This Matters

Say what you will about cybercriminals, but they are often efficient. Yet many organizations lag far behind in their defensive security posture. This is evidence that implementing a robust patching program is no longer negotiable. Certain types of cybercriminals called initial access brokers (IAB) specialize in gaining access to victims to sell to other criminal groups. New and existing vulnerabilities are one of the primary ways they do this, so there's a clear incentive to be fast and have close contacts from whom they can purchase exploits.


Citrix Vulnerability Advisory

Corvus notified affected policyholders after Citrix released an advisory detailing several security flaws in Citrix Gateway and Citrix Application Delivery Controller (ADC). Citrix Gateway is commonly used as a remote access solution and Citrix ADC is a networking appliance for web applications. One of the security flaws is rated as critical (CVE-2022-27510) and allows a remote attacker to bypass authentication. A security patch has been released and should be applied as soon as possible.

The vulnerabilities affect the following products and versions:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289

However, only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the critical authentication bypass vulnerability (CVE-2022-27510).
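The version list and the Gateway-only caveat above translate directly into an inventory check. The following script is an added example, not Citrix's tooling or Corvus's: it parses an appliance version string, compares it with the fixed builds from the advisory, and flags critical exposure to CVE-2022-27510 only when the appliance is also running Gateway functionality. The inventory hostnames are constructed, and the accepted version-string formats (the advisory's `13.1-33.47` form and the `NS13.1: Build 33.47.nc` form an appliance prints) are assumptions.

```python
import re

# Builds in which Citrix says the flaws are fixed, keyed by release branch.
# Values are (build, revision) tuples taken from the advisory's version list;
# anything lower on the same branch is affected.
FIXED_BUILDS = {
    "13.1": (33, 47),
    "13.0": (88, 12),
    "12.1": (65, 21),
    "12.1-FIPS": (55, 289),
    "12.1-NDcPP": (55, 289),
}

# Accepts "13.1-33.47", an optional FIPS/NDcPP suffix on the release
# ("12.1-FIPS-55.289"), and "NS13.1: Build 33.47.nc". Which strings a real
# appliance emits is an assumption of this example.
VERSION_RE = re.compile(
    r"^(?:NS)?(\d+\.\d+)(?:-(FIPS|NDcPP))?[-: ]+(?:Build\s+)?(\d+)\.(\d+)"
)


def parse_version(text):
    """Return (branch, (build, revision)) for a Citrix ADC/Gateway version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release, variant, build, revision = m.groups()
    branch = f"{release}-{variant}" if variant else release
    return branch, (int(build), int(revision))


def assess(version_text, gateway_mode):
    """Classify one appliance.

    gateway_mode: True when the appliance runs SSL VPN or an ICA proxy with
    authentication enabled, i.e. the configuration the advisory says is
    exposed to the critical authentication bypass (CVE-2022-27510).
    """
    branch, build = parse_version(version_text)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Branch not listed in the advisory: report it rather than guess.
        return {"branch": branch, "build": build, "unpatched": None,
                "critical_exposure": None,
                "action": "branch not covered by advisory; verify manually"}
    unpatched = build < fixed
    return {
        "branch": branch,
        "build": build,
        "unpatched": unpatched,
        # The auth bypass needs both an unpatched build and Gateway functionality;
        # the other flaws in the advisory apply to every unpatched build.
        "critical_exposure": unpatched and gateway_mode,
        "action": (f"upgrade to {branch}-{fixed[0]}.{fixed[1]} or later"
                   if unpatched else "no action"),
    }


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [
        ("vpn-gw-01", "13.1-33.41", True),
        ("adc-web-02", "NS13.0: Build 88.12.nc", False),
        ("adc-fips-03", "12.1-FIPS-55.280", False),
    ]
    for name, version, gw in inventory:
        print(name, assess(version, gw))
```

Feed it the output of the appliance's version command plus a flag from your configuration inventory saying whether the box is deployed as a Gateway; an unpatched ADC that is not a Gateway still needs the patch for the other flaws, it just is not exposed to the critical bypass.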

Why This Matters

These Citrix products are popular and widely deployed. Given the trend described above, affected organizations should apply the relevant security patches without delay. It’s likely only a matter of time before exploits are developed and shared, making this a convenient vector for attackers to gain access to organizations that don’t act quickly.


15,000 Websites Hacked in SEO Poisoning Attack

A massive campaign of malicious search engine optimization (SEO), often called SEO poisoning, was discovered this week. In SEO poisoning, attackers create malicious websites and use a variety of tactics to push them higher in search results. In this case, attackers compromised close to 15,000 websites and used them to redirect visitors to their own fake sites. The threat actors are targeting WordPress sites, carrying out the attacks by modifying existing PHP files to insert redirects to their malicious websites; in other cases they have been observed dropping their own PHP files for the same purpose. Rather than pointing directly at the fake website, the redirects go through a Google search click URL, so the visit routes through Google search. This likely inflates the fake site’s engagement metrics, making it appear more popular and raising its ranking in Google search results.

Why This Matters

While the threat actor’s true purpose in this campaign is unknown, indications point to this being a likely precursor to phishing pages or websites hosting other malware. By increasing popularity in search engines like Google, this could increase the likelihood of successful campaigns against future victims. This is certainly an odd way to get there, though. If you run a WordPress site, make sure to keep all plugins up-to-date and enable strong MFA on admin accounts.
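Because the campaign's hallmark is a redirect inserted into PHP files that bounces through a Google search click URL, a site owner can look for exactly that. The script below is an added example, not code from the report or from any WordPress project: it scans every `.php` file under a directory for PHP, meta-refresh and JavaScript redirects and reports any whose target goes through `google.com/url?` or lands on a host outside the site's own allowlist. The two sample files and the hostnames are constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Redirect constructs an injected file typically uses, each capturing the target URL.
REDIRECT_PATTERNS = [
    ("php_header_location",
     re.compile(r"header\s*\(\s*['\"]Location:\s*(https?://[^'\"]+)", re.I)),
    ("meta_refresh",
     re.compile(r"http-equiv=['\"]refresh['\"][^>]*?url=(https?://[^'\">]+)", re.I)),
    ("js_location",
     re.compile(r"(?:window|document)\.location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)", re.I)),
]

# The campaign's hallmark: a redirect that bounces through a Google search click URL.
GOOGLE_CLICK_RE = re.compile(r"https?://(?:www\.)?google\.com/url\?", re.I)


def scan_php_source(source, allowed_hosts):
    """Return a list of suspicious redirects found in one file's contents.

    A redirect is reported when it goes through a Google click URL or when its
    host is not in allowed_hosts (the site's own hostnames).
    """
    findings = []
    for kind, pattern in REDIRECT_PATTERNS:
        for match in pattern.finditer(source):
            target = match.group(1)
            host = (urlparse(target).hostname or "").lower()
            via_google = bool(GOOGLE_CLICK_RE.match(target))
            if via_google or host not in allowed_hosts:
                findings.append({"kind": kind, "target": target,
                                 "via_google_click_url": via_google})
    return findings


def scan_tree(root, allowed_hosts):
    """Scan every .php file under root; returns {relative_path: findings} for hits only."""
    root = Path(root)
    report = {}
    for path in root.rglob("*.php"):
        findings = scan_php_source(path.read_text(errors="ignore"), allowed_hosts)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


# Constructed samples standing in for a WordPress tree; not real site content.
ALLOWED_HOSTS = {"shop.example.com"}
CLEAN_SAMPLE = """<?php
// legitimate redirect to the site's own checkout page
header("Location: https://shop.example.com/checkout");
"""
INJECTED_SAMPLE = """<?php
// injected at the top of an otherwise normal theme file
header("Location: https://www.google.com/url?q=https://fake-answers.example/qa");
?>
<html><body>
<script>window.location.href = "https://fake-answers.example/qa";</script>
"""


def demo():
    """Write the samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "t"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(INJECTED_SAMPLE)
        (theme / "checkout.php").write_text(CLEAN_SAMPLE)
        return scan_tree(tmp, ALLOWED_HOSTS)


if __name__ == "__main__":
    for path, findings in demo().items():
        for f in findings:
            print(f"{path}: {f['kind']} -> {f['target']} "
                  f"(google click URL: {f['via_google_click_url']})")
```

Run it against the web root with the site's real hostnames in the allowlist. It is a string-pattern heuristic, so obfuscated redirects (for example, a URL assembled at runtime) will not match; pairing it with a comparison of file hashes against a clean copy of the theme and plugins catches those cases.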


This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice