The Church of Sweden (Svenska Kyrkan) was ransomwared on the 23rd of November. This is now being attributed to BlackCat.
Here's a #CitrixBleed-vulnerable server serving a wildcard cert for *.svenskakyrkan.se, last scanned by Shodan on the 23rd. Probably not related at all.
#Comcast has disclosed a #CitrixBleed-related data breach which affected 35 million #Xfinity customers. The impacted info included names, contact information, last four digits of social security numbers, dates of birth and secret questions and answers.
"Payments to ransomware and extortion groups need to be outlawed. I know, I know, it will be hard and there’s a million reasons to argue against it and lots of vested interests who don’t want this. ... I mean it — ransomware payments to these groups need to be outlawed, internationally." - Kevin Beaumont (aka @GossiTheDog)
There’s a pretty incredible situation playing out today where a US MSP who looks after hospitals has had ransomware actors in their network for a week via #CitrixBleed, but they’ve still been unable to find anybody who has NetScaler credentials to patch.
Re #CitrixBleed - I have evidence that a ransomware group and an APT had the exploit on October 23rd, two days before the AssetNote public write-up went live. #threatintel
Qilin ransomware group have claimed Yanfeng, with entry via #CitrixBleed. It's holding up vehicle production of Dodge, Jeep and Chrysler in the US; they stopped two weeks ago due to Yanfeng being a key supplier.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #47/2023 is out! It includes the following and much more:
➝ 🔓 🇬🇧 University of Manchester #CISO Speaks Out on Summer Cyber-Attack
➝ 🔓 🇺🇸 Hacktivists breach U.S. nuclear research lab, steal employee data
➝ 🔓 👀 Sumo Logic Completes Investigation Into Recent Security #Breach
➝ 🔓 🇺🇸 Auto parts giant AutoZone warns of #MOVEit data breach
➝ 🔓 🇨🇦 Canadian government discloses data breach after contractor hacks
➝ 🇦🇫 New 'HrServ.dll' Web Shell Detected in #APT Attack Targeting Afghan Government
➝ 🇬🇧 🇰🇷 UK and South Korea: Hackers use zero-day in supply-chain attack
➝ 🇵🇸 🇮🇱 #Hamas-Linked #Cyberattacks Using Rust-Powered SysJoker #Backdoor Against #Israel
➝ 🇷🇺 😱 “They are tired of him, but they are afraid”: what is known about the leader of the hacker group Killnet
➝ 🇰🇵 N. Korean Hackers Distribute Trojanized #CyberLink Software in Supply Chain Attack
➝ ▶️ 🛒 Play #Ransomware Goes Commercial - Now Offered as a Service to Cybercriminals
➝ 🇮🇳 Indian Hack-for-Hire Group Targeted U.S., #China, and More for Over 10 Years
➝ 🇷🇺 Russian hackers use #Ngrok feature and #WinRAR exploit to attack embassies
➝ 🇺🇸 🩺 #CISA Releases Cybersecurity Guidance for #Healthcare, Public Health Organizations
➝ 🇬🇧 🙏🏻 Thanking the vulnerability research community with #NCSC Challenge Coins
➝ 🧅 #Tor Network Removes Risky Relays Associated With #Cryptocurrency Scheme
➝ 🇺🇦 👋🏻 #Ukraine fires top cybersecurity officials
➝ 🩹 Johnson Controls Patches Critical #Vulnerability in Industrial Refrigeration Products
➝ 🦠 🦀 New WailingCrab #Malware Loader Spreading via Shipping-Themed Emails
➝ 🦠 📨 New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks
➝ 🦠 🎠 NetSupport #RAT Infections on the Rise - Targeting Government and Business Sectors
➝ 🚫 Google #Chrome will limit ad blockers starting June 2024
➝ 🐛 ☁️ 3 Critical Vulnerabilities Expose #ownCloud Users to Data Breaches
➝ 🔓 ☁️ Researchers Discover Dangerous Exposure of Sensitive #Kubernetes Secrets
➝ 🔓 ☝🏻 New Flaws in Fingerprint Sensors Let Attackers Bypass #Windows Hello Login
➝ 🔓 🩸 ‘#CitrixBleed’ vulnerability targeted by nation-state and criminal hackers: CISA
➝ 🐡 Researchers extract RSA keys from #SSH server signing errors
📚 This week's recommended reading is: "How I Rob Banks: And Other Such Places" by FC a.k.a. Freakyclown
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every weekend ⬇️
Restoring toot - it turns out Fidelity National Financial, Inc. and Fidelity National Information Service merged years ago. Both patched #CitrixBleed late and now have security incidents involving a ransomware group.
The world’s largest bank, ICBC, are still trying to recover their US clearing house arm over two weeks since LockBit gained access via #CitrixBleed. HT @metacurity
“Two weeks after the attack, the securities arm was still waiting for the all-clear from its cybersecurity consultants to reconnect to the market and Bank of New York Mellon’s automated settlement platform, which sits in the middle of the transactions.”