Cybersecurity News V. 1.30 – Trojan attacks, Internet Explorer 0-day
Recent news about Citrix CVE-2019-19781 vulnerability
Citrix has finally released patches for CVE-2019-19781. The vulnerability affects Citrix Application Delivery Controller (ADC) and Gateway products, and there is evidence of in-the-wild exploitation. Administrators are strongly advised to check whether their systems were compromised during the weeks the flaw was unpatched; to help with that, Citrix has released an open-source tool.
Among the notable examples of exploitation is the ransomware attack against Gedia Automotive Group in Germany. The attackers claimed to have extracted 50 gigabytes of data from the manufacturer, and after Gedia refused to pay the ransom they began publishing it. CVE-2019-19781 is believed to have been the entry point for the deployment of REvil/Sodinokibi in this case. Networks and systems left unpatched and unsecured remain exposed to ransomware attacks of this kind.
Internet Explorer is still full of unpleasant surprises
A 0-day RCE vulnerability was found in Internet Explorer. A JScript component inside the browser’s scripting engine has an unspecified memory corruption vulnerability. Thus, any application that supports this embedded script engine could become part of an attack vector (HTML documents, PDF files, Microsoft Office documents, etc.).
Although this vulnerability has been detected in exploits in the wild, the patch will not be available before February 11. One way to mitigate the vulnerability until the patch arrives is to restrict access to jscript.dll.
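As an added illustration of that interim mitigation (not code from the original article), the following PowerShell applies a deny-all ACL entry to jscript.dll for Everyone and shows how to verify and later undo it. It assumes an elevated prompt on a 64-bit Windows host with the default %windir% layout; the 32-bit copy lives under syswow64.

```powershell
# Added example: block loading of jscript.dll until the patch is installed.
# Assumes an elevated (administrator) PowerShell session on 64-bit Windows.
$targets = @(
    "$env:windir\system32\jscript.dll",
    "$env:windir\syswow64\jscript.dll"
) | Where-Object { Test-Path $_ }

foreach ($dll in $targets) {
    # The file is owned by TrustedInstaller; take ownership so the ACL can be edited.
    takeown.exe /f $dll | Out-Null
    # /E edits the existing ACL instead of replacing it; /P everyone:N adds a
    # "no access" (deny) entry for the Everyone group.
    cacls.exe $dll /E /P everyone:N | Out-Null
    Write-Host "Restricted access to $dll"
}

# Verification: each file should now show a Deny entry for Everyone.
foreach ($dll in $targets) {
    (Get-Acl $dll).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}

# Rollback after patching: remove the Everyone entry added above.
# foreach ($dll in $targets) { cacls.exe $dll /E /R everyone }
```

Components that depend on jscript.dll may lose functionality while the deny entry is in place, so apply it through change control and remove it once the patch is installed.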
Mitsubishi Electric data leak
Mitsubishi Electric disclosed a security breach that was detected on June 28, 2019. The company delayed its official statement because of the complexity of the investigation, which is still in progress. Around 200 MB of data, potentially including personal information and recruitment applicant details, were stolen. The company stated that sensitive information about social infrastructure did not leak.
European Energy Sector under possible attack by PupyRAT
Researchers revealed that a PupyRAT (remote access trojan) command and control server had been communicating with a mail server belonging to a European energy sector organization.
PupyRAT is an open-source tool known to have been used by Iranian threat actor groups. The researchers noted that “the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe”.
Yet another remote access trojan targets Middle East and North Africa
A new remote access trojan (RAT) named JohneRAT was detected. The attack targeted victims in the Middle East and North Africa. The malware was delivered to potential victims via emails carrying malicious Microsoft Office documents. It is written in Python, has no known open-source basis, and depends on various cloud services. JohneRAT filters victims by keyboard layout so that only Arabic-speaking countries are affected. Payloads were sent through a verified marketing provider, which helped them bypass existing email security. The malware is distributed via spear-phishing attachments themed around the death of Qassem Soleimani.