17 August 2023

Citrix ShareFile Flaw Exploited in the Wild, File-sharing site Anonfiles shuts down due to overwhelming abuse + Latest Articles | Bleeping Computer



CISA warns of critical Citrix ShareFile flaw exploited in the wild

August 16, 2023, 05:31 PM

CISA is warning that a critical Citrix ShareFile secure file transfer vulnerability tracked as CVE-2023-24489 is being targeted by unknown actors and has added the flaw to its catalog of known security flaws exploited in the wild.

Citrix ShareFile (also known as Citrix Content Collaboration) is a managed file transfer SaaS cloud storage solution that allows customers and employees to upload and download files securely.
The service also offers a 'Storage zones controller' solution that allows enterprise customers to configure their private data storage to host files, whether on-premise or at supported cloud platforms, such as Amazon S3 and Windows Azure.
On June 13th, 2023, Citrix released a security advisory on a new ShareFile storage zones vulnerability tracked as CVE-2023-24489 with a critical severity score of 9.8/10, which could allow unauthenticated attackers to compromise customer-managed storage zones.

"A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller," Citrix explains.

Cybersecurity firm AssetNote disclosed the vulnerability to Citrix, warning in a technical writeup that the flaw is caused by a few small errors in ShareFile's implementation of AES encryption.

"Through our research we were able to achieve unauthenticated arbitrary file upload and full remote code execution by exploiting a seemingly innocuous cryptographic bug," AssetNote researchers explain.

Using this flaw, a threat actor could upload a web shell to a device to gain full access to the storage and all its files.

CISA warns that threat actors commonly exploit these types of flaws and that they pose a significant risk to federal enterprises.

While CISA shares this same warning on many advisories, flaws impacting managed file transfer (MFT) solutions are of particular concern, as threat actors have heavily exploited them to steal data from companies in extortion attacks.

One ransomware operation, known as Clop, has taken a particular interest in targeting these types of flaws, using them in widescale data theft attacks since 2021, when they exploited a zero-day flaw in the Accellion FTA solution.
Since then, Clop has conducted numerous data-theft campaigns using zero-day flaws in SolarWinds Serv-U and GoAnywhere MFT, and, most recently, the massive attacks on MOVEit Transfer servers.

Active exploitation

As part of AssetNote's technical writeup, the researchers shared enough information for threat actors to develop exploits for the Citrix ShareFile CVE-2023-24489 flaw. Soon after, other researchers released their own exploits on GitHub.

On July 26th, GreyNoise began monitoring for attempts to exploit the vulnerability. After CISA warned about the flaw today, GreyNoise updated its report to say there had been a significant uptick in attempts by different IP addresses.

"GreyNoise observed a significant spike in attacker activity the day CISA added CVE-2023-24489 to their Known Exploited Vulnerabilities Catalog," warns GreyNoise.

At this time, GreyNoise has seen attempts to exploit or check if a ShareFile server is vulnerable from 72 IP addresses, with the majority from South Korea and others in Finland, the United Kingdom, and the United States.
[Figure: Attempts to exploit CVE-2023-24489. Source: GreyNoise]

While no publicly known exploitation or data theft has been linked to this flaw, CISA now requires Federal Civilian Executive Branch (FCEB) agencies to apply patches for this bug by September 6th, 2023.

However, because these bugs are so heavily targeted, all organizations are strongly advised to apply the updates as soon as possible.

LAWRENCE ABRAMS
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



File-sharing site Anonfiles shuts down due to overwhelming abuse

August 16, 2023, 07:25 PM

Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users.

Anonfiles is an anonymous file-sharing site that allows people to share files anonymously without their activity being logged.

However, it soon became one of the most popular file-sharing services used by threat actors to share samples of stolen data, stolen credentials, and copyrighted material.

Five days ago, Anonfiles users began reporting that the service would time out when attempting to upload files.
As spotted by cybersecurity researcher g0njxa, the Anonfiles operators have now shut down the service, stating that their proxy provider recently shut them down and that they can no longer deal with the overwhelming amount of abusive material uploaded to the site.

The statement shown on Anonfiles site is reproduced in its entirety below:

"After trying endlessly for two years to run a file sharing site with user anonymity, we have become tired of handling the extreme volumes of people abusing it and the headaches it has created for us.
Maybe it is hard to understand, but after tens of millions of uploads and many petabytes later, all work of handling abuse was automated through all available channels to be as fast as possible.

We have auto-banned the contents of hundreds of thousands of files.
We banned file names and also banned specific usage patterns connected to abusive material, to the point where we did not care if we accidentally deleted thousands of false positives in this process.

Even after all this, the high volume of abuse will not stop.
This is not the kind of work we imagined when acquiring it, and recently our proxy provider shut us down.

This cannot continue.

Domain 4sale.

domain@anonfiles.com"

While Anonfiles was a useful file-sharing site for many, other users reported that the site used shady advertisers that commonly redirected visitors to malware, tech support scams, and unwanted Google Chrome and Firefox browser extensions.
For example, when attempting to download a file from Anonfiles, users said you would often be first redirected to a site that downloaded an ISO file using the same name as the file you thought you were downloading.

However, these ISO files contained various malware, including information-stealing malware, remote access trojans, and ad clickers.

In 2021, CronUp researcher Germán Fernández warned that Anonfiles malvertising was pushing the RedLine Stealer malware, a notorious information-stealing malware that steals your credentials and cryptocurrency wallets.


Other malvertising campaigns seen by Fernández and Malwarebytes on Anonfiles pushed search hijacking extensions, Amadey botnet, Vidar stealer, and even STOP ransomware.

The Anonfiles operators are now looking for someone to purchase their domain, likely to launch their own file sharing service.

However, in the interim, the shutdown will cause many files used by cybersecurity researchers and threat actors alike to no longer be available.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
