Troy Mursch

Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781

On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.

Mass scanning activity detected from 82.102.16.220 (🇩🇪) checking for Citrix NetScaler Gateway endpoints vulnerable to CVE-2019-19781. Affected organizations are advised to apply the mitigation steps provided by Citrix as no patch exists yet. https://t.co/weFVYpEWi2 #threatintel pic.twitter.com/mTfky68JEh — Bad Packets Report (@bad_packets) January …


Over 14,500 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510

On Thursday, August 22, 2019, our honeypots detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file reading vulnerability allows sensitive information disclosure, enabling unauthenticated attackers to access private keys and user passwords. Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️ Mass scanning activity detected from 2.137.127.2 (🇪🇸) checking for @pulsesecure Pulse Connect Secure VPN endpoints vulnerable to arbitrary file reading (CVE-2019-11510). #threatintel pic.twitter.com/fiRUMKjwbE — Bad Packets Report (@bad_packets) …


Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw

Our honeypots frequently detect scans targeting various home automation protocol endpoints. Many of these attacks aim to exploit vulnerable consumer routers. Upon further investigation, we’ve discovered a persistent flaw affecting Linksys Smart Wi-Fi routers that allows unauthenticated remote access to sensitive information.

How can the vulnerability be exploited?

1. Go to the Linksys Smart Wi-Fi router’s public IP address in your web browser
2. Open the developer console (F12 key) and go to the Network tab
3. Scroll down to JNAP (there’s multiple) and click to open it

The leak can also be reproduced by sending a request to this JNAP endpoint: X-JNAP-ACTION: …


Defunct WordPress plugin leaves nearly 400 websites vulnerable to sensitive information disclosure

On Saturday, April 13, 2019, our honeypots detected an exploit attempt targeting WordPress sites with a defunct plugin, CodeArt – Google MP3 Player, installed. This malicious activity originated from a host on the network of LeaseWeb (AS60781) and exploited a directory traversal flaw to retrieve the wp-config.php settings file. Our scans have indicated 391 WordPress sites are using the vulnerable plugin and are open to this type of attack.

The Exploit Attempt

The wp-config.php file contains sensitive information such as the WordPress database name, username, password and hostname. This file also contains the WordPress secret keys which can be used …


Ongoing DNS hijacking campaign targeting consumer routers

Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

First wave – December 29, 2018

⚠️ WARNING ⚠️ Unauthenticated Remote DNS Change Exploit Detected. Target: D-Link routers (https://t.co/TmYBAAR1T7). Source IP: 35.190.195.236 (AS15169) 🇺🇸. Rogue DNS server: 66.70.173.48 (AS16276) 🇨🇦 pic.twitter.com/fRnCoXQM3H — Bad Packets Report (@bad_packets) December 30, 2018

The first DNS hijacking exploit attempts targeted multiple models of D-Link DSL …
