Hello, welcome to the Tuesday, January 14th, 2020 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, we've got nothing fundamentally new today about the Citrix ADC vulnerability.

DDA earlier today summarized some of the payloads we have seen in

a diary, but it's pretty much the standard stuff, crypto coin miners, some probing, and the occasional

bag door. But if you think that, well, since you made it past this Citrix issue, that now it's time to relax a little bit

and sit back, well, you picked the wrong profession. Turns out that tomorrow we may have

a quite interesting Microsoft Patch Tuesday coming up. It has been leaked that one of the updates that will be released by Microsoft tomorrow

will patch a flaw in Crypt32. DLLL.

Now this is the basic cryptography and certificate handling library in Microsoft's operating systems, also known as Crypto API,

and thus provide a number of critical functions, including validation of digital signatures.

So what's assumed here is that due to this flaw, it's possible to essentially trick the crypto API into

accepting an invalid signature as valid.

Brian Krebs summarized what he was able to learn about this vulnerability, and apparently

this vulnerability was used in exploits targeting some government agencies

who then reported the vulnerability to Microsoft. And due to this being already actively

being exploited and being reported by these government agencies, Microsoft told them about this upcoming patch ahead of time

and may also have provided them with a pre-release version. And apparently that's sort of some

of the secrecy around this pre-release failed. Now, what's not quite clear yet is what the

possible impact will be of this vulnerability.

So it could, for example, be used to create an invalid certificate and with that spoof

websites more convincingly.

...