Hello, welcome to the Monday, January 13th, 2020 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

Today I'm recording from Jacksonville, Florida.

Well, a big event today and probably taking most of this podcast, if not everything, is the outbreak of exploits against the recent

Citrix ADC vulnerability. Also known as CVE 2019, 19781. The first exploit was published on Friday,

at least late Friday.

My time may have been Saturday for some people in Asia and just around midnight UTC.

The first exploit by Project Zero India was a simple shell script, essentially just three

different curl commands.

The first one would upload the file using the directory to reversal file upload vulnerability.

Second one would execute the content of the file and the third one would retrieve the response

from the command.

Now shortly thereafter, trusted SEC did publish their version of the exploit, quite a bit more

professional and nicer done.

It actually runs sort of Python code on the Citrix system and then establishes a reverse

shell.

And since then we have literally dozens of different exploits that people published, but pretty much all of them are sort of variations of these two themes.

And of course, shortly after these exploits were published, the requests against our Honeypots sort of went through the roof.

And we have sort of identified a number of different payloads that people used using these exploits.

Most of the exploits sort of follow that Project Zero India scheme, but they just use simple curl commands but we also see some

that sort of use these more encoded Python scripts just like what trusted sec

did now the vast majority of these exploit attempts are essentially just checking

...