Citrix vulnerability jeopardises over 80,000 companies globally

Two Citrix products were found having a critical flaw threatening 80,000 companies' networks in 158 countries. With 38 percent of the vulnerable networks, companies in the U.S. faced most of the risks followed by the UK, Germany, the Netherlands, and Australia. Positive technologies discovered a critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway).

It could allow attackers access to a company's local network and internal access credentials. The easily exploitable vulnerability affects all supported versions of the product, and all supported platforms. The vulnerability (CVE-2019-19781), though described as critical, is yet to be assigned a CVSS severity rating. Citrix has partially addressed the security issue by publishing a set of mitigation measures for standalone systems and clusters as part of a knowledge-base article. Meanwhile, Symantec also recommended companies to block external access at the edge of the network and use intrusion detection systems to monitor accessible links. 


Thallium Hacking Group’s Malicious Websites Tracked and Taken Down by Microsoft

In a major crackdown, Microsoft has announced that it successfully took down 50 web domains operated by the North Korea-based Thallium hacking group. These domains were used to launch cyberattacks from the group. The APT group has been active since at least 2010 and Microsoft revealed that the hackers launched spear-phishing using legitimate services including Gmail, Yahoo, and Hotmail. The OS maker disclosed that the Digital Crimes Unit (DCU) along with its Threat Intelligence Center (MSTIC) teams have been monitoring Thallium for months, tracking their activities and mapping their infrastructure. Shortly after Christmas, Microsoft had taken over 50 domains with permission from the US authorities. The seized web domains were used to send phishing emails and host phishing pages. The hacker group would lure victims on these sites, steal their credentials, and then gain access to internal networks.


Cybercriminals Adopt Steganography-based Credit Card Skimmer to steal payment card details

Steganography has long been used by malware authors to hide malicious data within legitimate-looking images and currently, it is being used by cybercriminals to spread credit card skimmers. According to a report from Malwarebytes Lab, a new steganography-based credit card skimmer has been spotted that targets online retail shops. To the naked eyes, the image looks like a typical free shipping ribbon that is commonly seen on shopping sites. However, a close look at the image reveals JavaScript code has been appended immediately after the end of the file marker. The web crawlers and scanners mostly concentrate on HTML and JavaScript files and often ignore media files. It is also noted that threat actors are particularly using WebSockets to provide a more covert way to exchange data than typical HTTP request-responses. When the malicious JavaScript code runs in the browser, it triggers a client handshake request. Once this is established, a series of bidirectional messages are exchanged between the victim’s browser and malicious host. These messages also include the credit card skimming code.


Look out for the Wallet Chrome extension that steals crypto wallet private keys and passwords

Security researchers have uncovered a malicious Google Chrome extension named Shitcoin Wallet that steals passwords and private keys from cryptocurrency wallets and portals. According to an introductory blog post, Shitcoin Wallet lets users connect to the Ethereum blockchain. Launched on December 9, the extension was designed to allow users to create their own wallet on the local terminals and communicate with other blockchain networks. Unlike its actual job, Shitcoin Wallet is found to contain malicious code, as informed by Harry Denley, Director of Security at the MyCrypto platform and reported by ZDNet. According to the analysis of the malicious code, the user installs the Chrome extension. The extension requests permission to inject JavaScript code on 77 websites. When the user navigates to one of these 77 websites, the extension loads an additional JS file from erc20wallet.js. This JS file contains obfuscated code and activates on five websites. Once activated, the malicious JS code records the user’s password, searches for private keys stored inside the dashboards of the five services and finally sends the data to erc20wallet[.]tk. The extension has around 621 installs and it is unclear if the developers of the Shitcoin Wallet are responsible for the malicious code or if the Chrome extension was compromised by a third-party.


Newly Discovered Lampion Trojan found targeting Portuguese users

Security researchers have uncovered a new trojan named Lampion. The trojan is distributed via phishing emails and targets Portuguese users. As reported by Segurance Informatica-Lab (SI-Lab), the phishing email used to distribute the trojan appears to come from the Portuguese Government Finance & Tax. The email reports issues related to debt for the year 2018. It asks the recipients to click on a link within the email to avoid being misled by criminals. When the unsuspected victim clicks on the link available on the email body, the malware gets downloaded from the online server. The downloaded file is a compressed Zip file. When it is unpacked by the user, they will see three files - a PDF, VBS, and a text file. Lampion trojan is involved in capturing data belonging to both the users and infected systems. The collected information includes system information pages, installed software, web browser history, clipboard, details of the file system, etc.


A Twitter app flaw used to match 17 million phone numbers to user accounts

A security researcher claimed to leverage a flaw in Twitter’s Android app and successfully match 17 million phone numbers to unique Twitter user accounts. Security researcher Ibrahim Balic found the Twitter bug and carried on with his experiments for months. According to the researcher, he could upload a large list of mobile phone numbers using the contacts upload feature on Twitter's Android app. He further noted that Twitter fetched relevant matching user data upon uploading the contacts. Security researcher Ibrahim Balic explained that Twitter’s contact upload feature doesn’t accept lists of phone numbers in sequential format—maybe only to prevent this kind of matching. So, he generated more than two billion phone numbers, one after the other instead. He then randomised the numbers and uploaded them to Twitter through the Android app. Through this, he could retrieve matching user data. The researcher provided TechCrunch with a sample of the phone numbers he matched. The team verified his findings by comparing a random selection of usernames with the phone numbers that were provided. The researcher was yet to alert Twitter about the flaw. Meanwhile, he took many of the phone numbers of high-profile Twitter users including politicians and officials to a WhatsApp group to warn them directly.


Edited and compiled by cyber security specialist James Aguilan.