Hello, welcome to the Monday, December 30th, 2019 edition of the Sandsonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Last week I mentioned that we made a webcast about the new Citric vulnerability,

that effects like the Citric slash NetScaler Gateway devices.

We decided to do one on Tuesday. So tomorrow on Tuesday, 1 p.m. Eastern, we will do this

webcast to fill you in a little bit on this. And, well, a link to the signup page will be in the show notes again so far it looks like

this maybe a little bit slower than originally expected there is no proof of concept exploit

public yet which probably is sort of holding back the flood of requests trying to exploit this.

Haven't seen any sort of active exploitation of this vulnerability so far.

But while I'm talking about these VPNs and perimeter security devices,

Fox IT has an interesting report about some recent activity they're calling Operation Wokau or they're also associating

this with Chinese origin APT 20.

Now, this particular attack sort of was different in so far that the attacker got persistent

access to a VPN that did require two-factor authentication.

Of course, two-factor authentication is always mentioned as the solution to prevent someone

from just stealing credentials.

Apparently what happened here was that the victim did use a soft token. Now, soft tokens come in different forms and shapes.

For example, you can have them like on a mobile device, like a phone. In this case, the soft

token was installed on the laptop, which made it particular vulnerable. Pretty much all it took

was to copy that software, including the seed file that's

being used to actually generate these tokens to a different system, and the attacker was able

to then create these one-time passwords independently. Now, the victim here used the RSA implementation of these soft tokens, and typically

...