Thread by Christopher Glyer, 11 tweets, 25 min read
BREAKING - To help organizations identify compromised systems with CVE-2019-19781, @FireEye & @Citrix have released a tool that searches for indicators of compromise associated with attacker activity observed by @Mandiant
fireeye.com/blog/products-…
github.com/fireeye/ioc-sc…
The tool looks for both specific indicators of malware (coinminers, NOTROBIN and more) as well as methodology indicators that should generically identify compromise (e.g. processes spawned by user nobody, files with 644 user permission, etc.)
#DFIR
Lots of late nights and work on the weekend/holiday to get this out. Many thanks to @williballenthin @MadeleyJosh @_bromiley @jkoppen1 @ItsReallyNick for help making it happen.
There are two modes that you can run the tool in: default and --verbose. The default mode will look for high confidence evidence of compromise. The --verbose mode will also look through HTTP access logs for evidence of successful vuln scanning as well as failed vuln scanning.
There are a lot of great resources that you can leverage to learn more about CVE-2019-19781 and how it's being exploited.
fireeye.com/blog/products-…
fireeye.com/blog/threat-re…
@TrustedSec has put out some great research both on the #DFIR side of investigating CVE-2019-19781 and from their honeypot with details around what threat actors are dropping.
trustedsec.com/blog/netscaler…
trustedsec.com/blog/netscaler…
@sans_isc has put out two really interesting blogs on the recent history of scanning (and significant uptick after PoCs released) and the type of payloads they've observed.
isc.sans.edu/forums/diary/C…
isc.sans.edu/forums/diary/C…
This @reddit thread has probably the most comprehensive list of links and discussion around CVE-2019-19781.
reddit.com/r/blueteamsec/…
This thread from @mpgn_x64 was useful in helping to understand alternate ways an attacker could exploit the vulnerability. This is important when trying to come up with resilient detection logic.
This brief thread from @buffaloverflow sheds light on potential implications of a successful compromise (e.g. decrypting passwords in ns.conf and stealing session tokens).
Not sure why, but the initial Tweet in this thread didn't link properly to the @FireEye blog. Here's the link with description and instructions on how to use the tool and example output.
fireeye.com/blog/products-…
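As an added example, not code from the FireEye/Citrix scanner, here is a simplified version of the --verbose access-log check the thread describes: it parses combined-format access-log lines (an assumed layout; the appliance's real log format may differ), flags requests containing directory-traversal sequences, which is the general class of flaw CVE-2019-19781 belongs to, and splits them into successful versus failed attempts by HTTP status. The log records and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Common/combined access-log layout (assumed; adapt LOG_RE to the appliance's real format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Directory-traversal sequences, raw or URL-encoded. CVE-2019-19781 is a path-traversal
# flaw, so this matches the technique rather than one exact exploit URL.
TRAVERSAL_RE = re.compile(r'(?:\.\.|%2e%2e)(?:/|%2f|\\|%5c)', re.IGNORECASE)

def classify_access_log(lines):
    """Bucket traversal-style requests by outcome: 2xx responses count as evidence of
    successful scanning/exploitation, anything else as a failed attempt (the split the
    thread describes for --verbose mode). Entries are (ip, method, path, status)."""
    report = {"successful": [], "failed": [], "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            report["unparsed"] += 1  # surface parse failures instead of dropping them
            continue
        if not TRAVERSAL_RE.search(m["path"]):
            continue
        status = int(m["status"])
        bucket = "successful" if 200 <= status < 300 else "failed"
        report[bucket].append((m["ip"], m["method"], m["path"], status))
    return report

def sources_by_outcome(report):
    """Per-source-IP counts, useful for deciding which hosts need a full forensic look."""
    counts = defaultdict(lambda: {"successful": 0, "failed": 0})
    for bucket in ("successful", "failed"):
        for ip, _method, _path, _status in report[bucket]:
            counts[ip][bucket] += 1
    return dict(counts)

# Constructed sample records (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2020:03:14:07 +0000] "GET /static/index.html HTTP/1.1" 200 1234',
    '203.0.113.5 - - [11/Jan/2020:03:14:09 +0000] "GET /static/../private/config HTTP/1.1" 200 512',
    '198.51.100.9 - - [11/Jan/2020:04:02:11 +0000] "POST /static/..%2fprivate/config HTTP/1.1" 403 199',
    '198.51.100.9 - - [11/Jan/2020:04:02:15 +0000] "GET /robots.txt HTTP/1.1" 404 0',
    'this line is not an access-log record',
]
if __name__ == "__main__":
    report = classify_access_log(SAMPLE_LOG)
    print(report["successful"], report["failed"], report["unparsed"])
    print(sources_by_outcome(report))
```

A 2xx answer to a traversal request on a real appliance is the trigger for the full host investigation; the per-source counts only help prioritise.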