SANS ISC: SANS Internet Storm Center

Flashback on CVE-2019-19781

Published: 2020-05-28
Last Updated: 2020-05-28 10:13:59 UTC
by Xavier Mertens (Version: 1)

First of all, did you know that the Flame[1] malware turns 8 years old today? Happy Birthday! The discovery of this famous malware was announced on May 28th, 2012. The malware was used for targeted cyber espionage activities in the Middle East area. It was probably developed by a nation-state organization. It infected a limited number of hosts (~1000 computers[3]), making it a targeted attack.

At the other end of the spectrum, we see very broad attacks that try to abuse vulnerabilities present in very common products. Almost every day, new CVEs ("Common Vulnerabilities and Exposures") are released or updated. Yesterday, I indexed 141 new CVEs.

In a perfect world, a CVE is followed by a patch released by the vendor or the developer, followed by the deployment of this patch by the end-user. Case closed! But it's not always that simple, for multiple reasons. Recently, an interesting article was released about the top-10 most exploited vulnerabilities[3]. It's interesting to discover how very old vulnerabilities are still exploited in the wild, for example: CVE-2017-11882 (from 2017!)

Amongst others, let's have a look at CVE-2019-19781, also known as "Shitrix"[4]. We searched for the population of 'Citrix NetScaler' hosts in SHODAN, then we searched for the ones tagged with the CVE. The results are interesting (starting from the beginning of the year).

In blue, you see the number of devices identified as vulnerable. The green data represents the entire population of Citrix devices seen online. Let's focus on the first two months:

We see that SHODAN kept scanning the web and found more and more vulnerable devices. Then organizations started to patch them, but the number of vulnerable devices remained stable for a while (~4000 detected daily). We also see a decrease in detected NetScaler devices. How to interpret this?

  • Some organizations got rid of their Citrix device and replaced it with another solution? (it could happen)
  • Devices were hardened and do not disclose the version/model (footprint not possible)
  • Devices facing the Internet are now protected by filters/firewalls
  • SHODAN IP addresses are blacklisted (which is bad and does NOT secure your infrastructure)
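
To make the interpretation above concrete, here is an added example (not part of the original diary) that labels each interval of a daily-count series by which number moved. The sample figures, the 5% tolerance and the label names are assumptions constructed for illustration, not SHODAN data.

```python
# Constructed sample data, NOT the diary's real numbers:
# (date, NetScaler hosts seen, hosts tagged CVE-2019-19781)
SAMPLES = [
    ("2020-01-10", 60000, 1000),
    ("2020-01-17", 60000, 9000),
    ("2020-01-24", 59000, 4200),
    ("2020-02-07", 52000, 4100),
    ("2020-02-21", 45000, 4000),
    ("2020-02-28", 44500, 4000),
]

TOLERANCE = 0.05  # assumed: relative changes smaller than this count as flat


def rel_change(old, new):
    """Relative change between two counts (0.0 when the baseline is zero)."""
    return (new - old) / old if old else 0.0


def classify(prev, cur):
    """Label one interval by comparing population and vulnerable-tag deltas."""
    d_total = rel_change(prev[1], cur[1])
    d_vuln = rel_change(prev[2], cur[2])
    if d_vuln > TOLERANCE:
        return "discovery"        # scanner is still finding vulnerable hosts
    if d_vuln < -TOLERANCE:
        # Fewer vulnerable tags: patching if the population is unchanged,
        # ambiguous if hosts are also vanishing from the scan.
        return "patching" if d_total >= -TOLERANCE else "mixed"
    if d_total < -TOLERANCE:
        # Population shrinks, vulnerable count does not. Any of the four
        # explanations in the list above fits; none of them means the
        # remaining vulnerable hosts were patched.
        return "population-drop"
    return "plateau"


def report(samples):
    """Return (date, label, vulnerable share of visible hosts) per interval."""
    rows = []
    for prev, cur in zip(samples, samples[1:]):
        share = cur[2] / cur[1] if cur[1] else 0.0
        rows.append((cur[0], classify(prev, cur), round(share, 3)))
    return rows


if __name__ == "__main__":
    for date, label, share in report(SAMPLES):
        print(f"{date}  {label:<16} vulnerable share {share:.1%}")
```

In the constructed series, the vulnerable share of visible hosts keeps rising during the "population-drop" intervals even though both headline counts look stable or lower.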

Anyway, the best advice remains patch, patch, and patch again!


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
