18 August 2023

10 min read

Cyber attacks on Citrix NetScalers and ShareFile uncovered | Cyber Intelligence Briefing: 18 August


 

Top news stories this week

  1. Citrisks. Cyber attacks exploiting vulnerabilities in Citrix NetScalers and ShareFile uncovered.
  2. Bobbies’ data blunder. Cumbria, Norfolk, and Suffolk police forces disclose accidental data leaks.
  3. Legal lapse. UK law firm reprimanded by ICO for data breach.
  4. ForcedOut. LinkedIn user accounts compromised during global hacking campaign.
  5. Clorox cleans up. Clorox discloses data breach to SEC in line with new rules.
  6. The Dark Knight. Fake Tripadvisor complaint emails used to distribute Knight ransomware. 

 


 

1. Cyber attacks on Citrix NetScalers and ShareFile uncovered

Researchers have discovered a large-scale campaign targeting Citrix NetScaler ADC and Gateway appliances vulnerable to CVE-2023-3519. After exploiting the flaw, the threat actors installed web shells on the compromised appliances; these backdoors remain in place and keep providing remote access even after the vulnerability itself has been patched.

Separately, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned that a critical vulnerability in Citrix ShareFile (CVE-2023-24489) is being exploited in the wild. The flaw allows an unauthenticated attacker to upload malicious files to the ShareFile storage zones controller and achieve remote code execution.

So what?

If your organisation uses either product, confirm that the relevant patches are applied. For NetScaler, patching is not enough on its own: any appliance that was internet-exposed while vulnerable should be checked for web shells and other persistence, because a backdoor planted before the update survives it. Hunt for indicators of compromise on both platforms, and treat an appliance found to be backdoored as fully compromised, rebuilding it rather than attempting to clean it.
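As an added example, not part of the original briefing and not Citrix's or the researchers' own tooling, the following POSIX shell script shows the kind of post-patch hunt the NetScaler advice calls for: it lists files under an appliance web root that were modified after a reference point, and files that contain both a PHP open tag and one of the code-execution primitives a web shell needs to run attacker input. The NetScaler paths named in the comments (/netscaler/ns_gui, /var/vpn/themes, /var/netscaler/logon) are assumptions to verify against the vendor's and the researchers' published guidance; the script runs against a constructed sample directory tree built by the script itself, not against a real appliance.

```sh
#!/bin/sh
# Added example (not from the briefing or from Citrix): generic web shell hunt of the kind
# the NetScaler advice calls for. Runs against a constructed sample tree built below.
#
# Assumed NetScaler web-root locations to pass on a real appliance (verify against vendor
# guidance before relying on them):
#   /netscaler/ns_gui   /var/vpn/themes   /var/netscaler/logon

# PHP primitives that a web shell almost always uses to run attacker-supplied input.
# ERE: function name, optional spaces, then a literal "(".
SHELL_PATTERN='(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode) *\('

# hunt_webshells ROOT... -> prints each file under ROOT... that contains a PHP open tag
# and at least one code-execution primitive, one path per line. Scans every regular file,
# not only *.php, because dropped shells often carry misleading names.
hunt_webshells() {
  for root in "$@"; do
    [ -d "$root" ] || continue
    find "$root" -type f -print | while IFS= read -r f; do
      if grep -q '<?php' "$f" 2>/dev/null && grep -qE "$SHELL_PATTERN" "$f" 2>/dev/null; then
        printf '%s\n' "$f"
      fi
    done
  done
}

# newer_than REF ROOT... -> prints files under ROOT... modified after the reference file REF
# (use a file whose mtime marks the last known-good point, e.g. when the patch was applied).
newer_than() {
  ref=$1
  shift
  for root in "$@"; do
    [ -d "$root" ] || continue
    find "$root" -type f -newer "$ref" -print
  done
}

# build_sample_root -> creates a constructed stand-in for an appliance web root and prints
# its path. The "web shell" here is a harmless one-liner written for the demo.
build_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/ns_gui/vpn" "$root/ns_gui/admin_ui"
  # Legitimate page, back-dated to before the exposure window.
  printf '<?php echo "login page"; ?>\n' > "$root/ns_gui/vpn/index.php"
  touch -t 202306010000 "$root/ns_gui/vpn/index.php"
  # Reference marker: its mtime is the point after which new files are suspicious.
  touch -t 202307010000 "$root/patch_marker"
  # Constructed shell: written now (after the marker), evaluates whatever is POSTed in "c".
  printf '<?php @eval(base64_decode($_POST["c"])); ?>\n' > "$root/ns_gui/admin_ui/prod.php"
  printf '%s\n' "$root"
}

# run_demo -> builds the sample tree, runs both hunts, removes the tree, and prints
# "<shell hits> <files newer than marker>"; "1 1" for the constructed data.
run_demo() {
  demo_root=$(build_sample_root)
  shells=$(hunt_webshells "$demo_root/ns_gui" | wc -l | tr -d ' ')
  newer=$(newer_than "$demo_root/patch_marker" "$demo_root/ns_gui" | wc -l | tr -d ' ')
  rm -rf "$demo_root"
  printf '%s %s\n' "$shells" "$newer"
}

run_demo
```

On a real appliance you would pass the actual web roots and a reference file whose mtime marks the last known-good point, then review every hit by hand: a match on eval( or base64_decode( is a lead, not proof, and legitimate code uses these functions too. The two lists are complementary, since a shell dropped before the marker shows up only in the content scan, while a newly written file with no PHP in it shows up only in the modification-time scan.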

 


 

2. Cumbria, Norfolk, and Suffolk police forces disclose accidental data leaks

Adding to a run of recent UK police data breaches, human error within Cumbria Constabulary led to the unintended online publication of staff names, salaries, and allowances. Meanwhile, Norfolk and Suffolk police have revealed that a "technical issue" exposed the data of 1,230 individuals, including names and addresses of victims and witnesses.

These leaks follow last week's breach at the Police Service of Northern Ireland (PSNI), which exposed the surnames and first initials of some 10,000 PSNI employees. Dissident republicans now claim to hold this data.

So what?

The breaches underscore that accidental disclosure can be as damaging as a deliberate attack: internal protocols for checking what is published or released, staff training, and oversight of those processes are needed to keep confidential information secure.

 


 

3. UK law firm reprimanded by ICO for data breach

The Information Commissioner's Office (ICO) reprimanded a UK law firm after a spear phishing attack on an employee's Outlook account led to a data breach and four unauthorised payments on a probate case.

Law firm Swinburne, Snowball and Jackson was criticised for inadequate safeguards and for failing to report the incidents to the ICO. The investigation also found that the compromised mailbox did not have multi-factor authentication (MFA) enabled and that the firm had no suitable contract in place with its IT provider.

So what?

A single compromised mailbox is enough both to expose client data and to redirect payments. In line with UK government (NCSC) guidance, enforcing MFA on all email accounts sharply reduces the risk of unauthorised access from phished or guessed credentials.

 


 

4. Users locked out of LinkedIn accounts after a series of hacks 

A spree of brute-force attacks has resulted in numerous LinkedIn accounts being compromised by threat actors or locked by LinkedIn as a precaution. Once in, the attackers change the account's associated email address and password to keep control. Victims have reportedly been extorted or have had their accounts permanently deleted.

So what?

MFA is the most important control here, but it is not a substitute for a long, unique password per service: brute-force and credential-stuffing campaigns try short and previously breached passwords first, and a reused password turns one breach into several account takeovers.

 


 

5. Clorox discloses data breach to SEC 

Cleaning product giant Clorox announced that it has taken some of its systems offline and notified law enforcement after discovering a data breach. The company made the announcement in a filing with the US Securities and Exchange Commission (SEC), in line with new rules the agency adopted in July. Under these rules, listed companies must publicly disclose a cyber security incident within four business days of determining that it is material.

So what?

Publicly listed companies in the US should familiarise themselves with the new disclosure rules now, including how they will assess materiality quickly enough to meet the four-business-day deadline, to avoid legal or financial consequences.

 


 

6. Fake TripAdvisor complaint emails used to distribute Knight ransomware

Fake TripAdvisor complaint emails carrying malicious attachments are being used to infect victims and encrypt their files with Knight ransomware, a rebrand of Cyclops ransomware. The campaign demands a fixed ransom and directs every victim to the same single Bitcoin address, which means the operators may be unable to tell which victim has paid, so even a paying victim cannot count on receiving a decryptor.

So what?

Organisations should strengthen their email filtering against phishing, block or sandbox executable attachments, and give employees regular training on recognising deceptive complaint-style lures and the attachments that accompany them.

 

Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

Authors

Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.

