Sharing my analyses on the recent malware that targeted #Citrix instances, categorized by #FireEye as #NOTROBIN. Using #Cutter of course.
https://soolidsnake.github.io/2020/01/17/citrix_malware.html
#MalwareAnalyses #NOTROBIN -
A hacker is patching Citrix servers to maintain exclusive access. https://www.zdnet.com/article/a-hacker-is-patching-citrix-servers-to-maintain-exclusive-access/
@citrix @FireEye @NCSCgov @ZDNet #hacker #patch #Citrix #servers #maintain #exclusive #access #FireEye #organization #multiple #threats #target #network #NotRobin #TorNode #host #payload
-
I’m interested in the second stage of the campaign:
#NOTROBIN #notrobin #NotRobin infection on #Citrix (CVE-2019-19781) #Shitrix, once you have the backdoor listening…
@soolidsnakee @securitydoggo @FireEye any interesting trend? #Ransomware? -
Does anyone have a pcap showing the first POST request for #NOTROBIN activity? Some older pcaps for the exploit have been some URL-encoded decimal calling python for a shell, but just curious as to what to look for beyond a successful or unsuccessful pull of the binary -
I never finished the model, I’m sad about that, but after a decade I give up. I share it with the hopes that someone will pick it up and explore it, but it’s made for a fun way of thinking about the problem and how it periodically pops back up, this time as #NotRobin. end -
The access log scan logic was fun!
We settled on: zgrep -HEi
"(GET|POST)\s[^\s]*/(v|%76)(p|%70)(n|%6e)(s|%73)/[^\s]*\.xml\sHTTP/1\.1\"\s(200|304)" # exploit
"(GET|POST)\s[^\s]*/(v|%76)(p|%70)(n|%6e)(s|%73)/[^\s]*\.pl\sHTTP/1\.1\"\s304" # NOTROBIN
https://github.com/fireeye/ioc-scanner-CVE-2019-19781/blob/43b93286852cc5481419454b9d7f27b3b756d576/scanners/access-logs.sh#L17 -
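As an added example (not code from the tweet above or from the FireEye ioc-scanner project), the same two patterns applied in Python to a few constructed access-log lines, so the matching logic can be checked offline. The regexes are copied from the tweet; the ERE syntax used by zgrep -E is also valid Python re syntax, and the -i flag maps to re.IGNORECASE (which is what lets the %6e/%6E encodings both match). The log lines are constructed for illustration and are not real traffic.

```python
import re

# Patterns as quoted in the tweet (FireEye access-logs.sh). In the shell string
# the quote is escaped as \"; in a Python raw string it is a plain ".
EXPLOIT_RE = re.compile(
    r'(GET|POST)\s[^\s]*/(v|%76)(p|%70)(n|%6e)(s|%73)/[^\s]*\.xml\sHTTP/1\.1"\s(200|304)',
    re.IGNORECASE,
)
NOTROBIN_RE = re.compile(
    r'(GET|POST)\s[^\s]*/(v|%76)(p|%70)(n|%6e)(s|%73)/[^\s]*\.pl\sHTTP/1\.1"\s304',
    re.IGNORECASE,
)


def classify_line(line):
    """Return 'exploit', 'notrobin' or None for one access-log line.

    'exploit'  : a 200/304 response to a .xml fetch under /vpns/, i.e. the
                 request that triggers the template rendering.
    'notrobin' : a 304 response to a .pl request under /vpns/, the signal
                 the FireEye script files under the NOTROBIN label.
    The .xml check runs first; a line matching neither returns None.
    """
    if EXPLOIT_RE.search(line):
        return "exploit"
    if NOTROBIN_RE.search(line):
        return "notrobin"
    return None


def scan_log(text):
    """Scan a whole log (one string) and return [(line_number, label), ...]
    for lines that matched either pattern, in file order."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        label = classify_line(line)
        if label is not None:
            hits.append((number, label))
    return hits


# Constructed sample log (NOT real traffic). Line 1: .pl answered with 304.
# Line 2: the .pl POST with a 200, which neither pattern covers. Line 3 and
# line 4: .xml fetch answered 200, plain and with the URL-encoded "vpns".
# Line 5: benign request. Line 6: .xml fetch that failed (404), not flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2020:08:12:01 +0000] "GET /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 0
10.0.0.5 - - [13/Jan/2020:08:12:02 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 152
10.0.0.5 - - [13/Jan/2020:08:12:03 +0000] "GET /vpn/../vpns/portal/hello.xml HTTP/1.1" 200 1043
10.0.0.5 - - [13/Jan/2020:08:12:04 +0000] "GET /vpn/../%76%70%6E%73/portal/hello.xml HTTP/1.1" 200 1043
10.0.0.9 - - [13/Jan/2020:08:13:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5210
10.0.0.5 - - [13/Jan/2020:08:14:00 +0000] "GET /vpn/../vpns/portal/hello.xml HTTP/1.1" 404 0
"""


if __name__ == "__main__":
    for number, label in scan_log(SAMPLE_LOG):
        print(f"line {number}: {label}")
```

Running it reports lines 1 (notrobin), 3 (exploit) and 4 (exploit). Note what the patterns deliberately do not cover: the .pl POST with a 200 on line 2 and the 404 on line 6 are left alone, because the scanner keys on the response codes that indicate the request was served, not on the request path alone.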
Hacker cleans up attacked Citrix servers https://www.transport-online.nl/site/111114/hacker-schoont-aangevallen-citrix-servers-op/
#Citrix #cybercrime #hackers, #NOTROBIN
-
Exploit & infrastructure "squatters rights":
‣ read @williballenthin & @MadeleyJosh's blog on vigilante Citrix exploitation + #NOTROBIN: https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html
‣ consider hypothetical compromise of their compromised Wordpress to disrupt active payload distribution
-
I wonder how many admins used a POC exploit on their #NOTROBIN mitigated Citrix systems and determined they were not vulnerable? https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html -
Aww yeah... follow up post on CVE-2019-19781 from @williballenthin and @MadeleyJosh on #NOTROBIN malware. Awesome research and quick turnaround into a funky piece of malware. https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html -
Bumped into an old friend today.
#vegas #thestrip #batman #reinvent2018 #notrobin #lasvegas #las #ripped #himbledude @ Las Vegas, Nevada https://www.instagram.com/p/BqvuXAPBcf-/?utm_source=ig_twitter_share&igshid=15a9cefesvkvj -
We felt Batman needed some help watching over the bar so of course there was only one guy who could get his back, and he brought Old Glory with him, thanks @TheRock #smellwhatfreedomiscooking #notrobin #yourewelcomebruce – location: Wall Street Tavern
-
But they are that good. Showrunners & Editors are my superheroes. Totally how I find new work.
#STILLKAT #NOTROBINUPDATING #NOTROBIN -
@PhillyCustoms @deray This is kinda fun but Angela Davis is no one's Robin #WonderWomanMaybe #NotRobin -
Why don't we all unfollow @/FandomRTorFAV #swanqueen there is no reason for us to drive up follows when they just think we cheat. #notRobin -
Still gotta find a Halloween costume
#NotRobin #BadMemories