
Citrix ADM, Sharepoint, Pegasus: first officer’s log – week 5

Mike Parkin
 | Jun 20, 2022
 | Senior Technical Marketing Engineer

First Officer’s log, Terrestrial date, 20220720. Officer of the Deck reporting. One of the challenges of any major planetside expedition, such as the one we were engaged in, is the potential exposure of crew members to local contagions. In this case, the near-endemic coronavirus, which has been an issue for some time now. Fortunately, only one of our crew was exposed. Unfortunately, I have been relegated to isolation in my quarters and had to perform my duties through a telepresence unit. The bright side is that the medical officer did not require me to isolate in medlab, and the command staff is accustomed to working with telepresence.

The mission, as it is said, goes on.

Off-site Backups are a thing for a reason

What happened

A new attack technique that abuses intended functionality in decidedly unintended ways has been demonstrated against Microsoft’s widely used SharePoint. An attacker with edit access to a document library could repeatedly modify and encrypt a file until every version retained in its version history is an encrypted one, leaving nothing clean to roll back to. Or they could simply lower the library’s version limit to a single digit and reach the same result in only a few passes.

Why it matters

A lot of organizations rely on the version history built into SharePoint and the Microsoft 365 apps as their resilience against ransomware and malicious deletion. Or accidental deletion, to be fair. This technique breaks that model, leaving nothing restorable inside the library itself. Microsoft’s position is that versioning is working as intended, which is true. The problem is intended functionality being creatively abused to nefarious ends. Local copies and third-party “off-site” backups, which the attacker’s SharePoint permissions never reach, resist this kind of attack.
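To make the two variants concrete, here is a small Python model of major-version retention. It is an example added for this post, not code from Microsoft or from the researchers who reported the technique. It assumes SharePoint-style behaviour: the library keeps only the newest N major versions (500 is SharePoint Online’s default for a document library), old versions are trimmed when a new one is saved rather than at the moment the limit is lowered, and the attacker’s account has enough rights on the library to change that limit. The document content and the XOR “encryption” are constructed stand-ins.

```python
from collections import deque

DEFAULT_MAJOR_VERSION_LIMIT = 500  # SharePoint Online default: keep the newest 500 major versions


class VersionedItem:
    """Simplified model of one file in a document library with major versioning on.

    Only the newest `limit` versions are kept. As in SharePoint, the trim happens
    when a new version is written, not at the moment the limit is lowered.
    """

    def __init__(self, content: bytes, limit: int = DEFAULT_MAJOR_VERSION_LIMIT):
        if limit < 1:
            raise ValueError("version limit must be at least 1")
        self.limit = limit
        self.versions = deque([content])  # oldest ... newest

    @property
    def current(self) -> bytes:
        return self.versions[-1]

    def write(self, content: bytes) -> None:
        """Save a new major version, then trim the oldest ones beyond the limit."""
        self.versions.append(content)
        while len(self.versions) > self.limit:
            self.versions.popleft()

    def set_version_limit(self, limit: int) -> None:
        """Library-level setting; an account with rights on the library can change it."""
        if limit < 1:
            raise ValueError("version limit must be at least 1")
        self.limit = limit

    def has_restorable(self, plaintext: bytes) -> bool:
        """Can the file be rolled back to `plaintext` from the library alone?"""
        return plaintext in self.versions


def ransomware_pass(content: bytes, round_no: int) -> bytes:
    """Stand-in for the attacker's encryption: a fixed XOR plus a round tag.

    Not a real cipher. The only property needed here is that the output is
    never the original plaintext.
    """
    return bytes(b ^ 0xA5 for b in content) + b"|round=%d" % round_no


def attack_lower_limit(item: VersionedItem) -> None:
    """Variant 1: drop the library's version limit to 1, then overwrite the file twice."""
    item.set_version_limit(1)
    for r in range(2):
        item.write(ransomware_pass(item.current, r))


def attack_exhaust_history(item: VersionedItem) -> None:
    """Variant 2: leave the limit alone and save one more version than the library keeps."""
    for r in range(item.limit + 1):
        item.write(ransomware_pass(item.current, r))


def writes_to_purge(limit: int, plaintext: bytes = b"clean") -> int:
    """Boundary check: encrypting saves needed, under `limit`, before no clean version is left."""
    item = VersionedItem(plaintext, limit)
    writes = 0
    while item.has_restorable(plaintext):
        item.write(ransomware_pass(item.current, writes))
        writes += 1
    return writes


class OffsiteBackup:
    """A copy taken outside the library. The attacker's SharePoint permissions,
    including the right to change the version limit, never reach it."""

    def __init__(self) -> None:
        self._snapshots = []

    def snapshot(self, item: VersionedItem) -> None:
        self._snapshots.append(item.current)

    def restore_latest(self) -> bytes:
        return self._snapshots[-1]


def run_scenarios() -> dict:
    """Run both attack variants against a fresh library item that also has an off-site copy."""
    original = b"Q3 board deck - constructed sample document"  # constructed sample content
    results = {}
    for name, attack in (("lower_limit", attack_lower_limit),
                         ("exhaust_history", attack_exhaust_history)):
        item = VersionedItem(original)
        backup = OffsiteBackup()
        backup.snapshot(item)  # taken before the compromise
        attack(item)
        results[name] = {
            "versions_kept": len(item.versions),
            "restorable_in_library": item.has_restorable(original),
            "restorable_from_backup": backup.restore_latest() == original,
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
    print("encrypting saves needed at limit 500:", writes_to_purge(500))
    print("encrypting saves needed at limit 1:", writes_to_purge(1))
```

The `writes_to_purge` helper shows the boundary that makes the second variant practical: with the default limit it takes 500 encrypting saves to lose the last clean version, and after the limit is dropped to 1 a single save does it. Lowering the limit on its own deletes nothing in this model; the damage lands on the next save, which is why the attacker has to write after changing the setting. The off-site copy survives both variants because it never sat in the version store the attacker controls. What a real tenant keeps is governed by each library’s versioning settings, so those settings, and who can change them, are worth auditing.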

What they said

It’s been a busy day at the Office for those covering this story.

It’s legal, but is it ethical?

What happened

Commercial-grade attack tools are nothing new. They are used routinely by law enforcement and intelligence agencies worldwide, and sometimes even by commercial entities under very special circumstances. The revelation of an Android spyware tool called “Hermit,” apparently developed by a company in Italy and deployed by the government of Kazakhstan, has raised some notice, as the revelation of the Pegasus spyware did before it.

Why it matters

Sovereign states can do whatever their own laws allow within their borders. That’s part of what defines being a sovereign state. However, spyware tools raise some interesting ethical questions, especially for western democracies where personal privacy and liberty have been written into law. What are the ethical concerns when developers create these tools in countries where their use would be strictly controlled, but sell them in lands that might not have such tight restrictions, or that are not known for a good human rights record?

What they said

Unsurprisingly for a spyware story, this one has raised all sorts of coverage.

There are reasons to keep them isolated

What happened

A recent vulnerability in the Citrix ADM service could allow an attacker to reset the appliance’s admin password and then, once the system reboots, log in as the administrator. Citrix has released patches for the affected versions of Citrix ADM and published mitigations.

Why it matters

While it might be challenging for an attacker to run the exploit, get the admin password reset, and then follow it up with a forced reboot, the bug shows why admin access needs to be isolated in the first place. Industry best practice restricts management interfaces to trusted networks so that unauthorized spaces can’t reach them at all. Exposing an admin interface to the open internet is just a bad thing™. Full stop.

What they said


Naturally, for a product as widely deployed as Citrix ADM, this vulnerability has a lot of people talking.

Speaking of Pegasus

What happened

US defense contractor L3Harris is in talks to buy NSO Group, the Israel-based developer known for its commercial-grade spyware, Pegasus.

Why it matters

There was quite a bit of controversy surrounding Pegasus when news of its existence came out. But it also gives some insight into the level of sophistication these professionally developed tools can reach, and into what they mean for people’s personal privacy and liberty.

While many jurisdictions have very strict controls on when tools like this can be used, and against whom, we know that those restrictions don’t always hold. And even regions with noble ideals, which try to maintain high standards, can’t always live up to them.

What they said

After so much time spent lurking in the shadows, Pegasus is now front and center in the conversation.


About the Author

Mike Parkin

Mike brings to Vulcan over 20 years of experience in cyber security as a practitioner doing security operations, forensics, incident response, and tactical support, as well as research and penetration testing. For the last 10 years, he's worked in Cyber Security Technical Marketing, presenting complex technical concepts to a broad audience through videos, live presentations, webinars, and written media.
