Gonçalo Ribeiro

@goncalor@infosec.exchange
342 Followers
446 Following
3.4K Posts
Defend. Pwn. Infosec. Free software. Vim nerd. #rustlang #electronics
Website: https://goncalor.com
GitHub: https://github.com/goncalor

> AI assistance was used to help structure and format this vulnerability report.

That was a really stupid idea.

Faking a JPEG | Lobsters

This is so dumb I'm sorry
--
#comics #kevincomics #hbo #hbomax

I received an email earlier this week from EA asking if I wanted to be added to a public acknowledgement page they were creating for individuals who responsibly disclosed vulnerabilities to them.

For all the shit people give EA, of the 100+ companies I contacted in the last two years, they were the only company I would say had a decent incident response.

They fixed the issue within 12 hours after validating it as critical, and proactively provided me multiple updates over time.

When the IR was done on their side, they reached out again with some more information about the potential impact if the issue hadn't been solved quickly, and also offered me a reward.

I did not have to keep chasing anyone for updates, I wasn't asked for non-disclosure, or offered money in exchange for it, and people replied instead of ignoring me.

I wasn't blamed for their mistake, either, or reported to the authorities.

Unfortunately, at least one of the things mentioned above is present in most of my other reported incidents; it's a real shit show out there.

#cybersecurity #infosec #responsibledisclosure #vulnerability #ea #electronicarts

A programming fact that still amazes me is that the HTTP header which contains the referring URL is called "referer", because the developer spelt "referrer" wrong and the spell checker didn't catch it, so it made it into the official standards and they just never changed it lmao
@vincedmonroy an alien, uh?

Just to be super clear, although Citrix claim that CitrixBleed 2 is in no way related to CitrixBleed, it allows direct session token theft - Citrix are wrong. Horizon3 have the POC and it's already being exploited - Citrix were also wrong.

"Not the most novel thing in the world… but this is much much worse than it initially appears. Take a look at the following video where you'll see that it's possible to receive legitimate user session tokens via this vector."

Exploitation IOCs for CVE-2025-5777 aka CitrixBleed 2, these are actively stealing sessions to bypass MFA for almost a month. Some are also doing Netscaler fingerprint scanning first.

64.176.50.109
139.162.47.194
38.154.237.100
38.180.148.215
102.129.235.108
121.237.80.241
45.135.232.2

HT @ntkramer and the folks at @greynoise

Look for lots of connections to your Netscaler devices over past 30 days. More IPs coming as also under mass exploitation. More IPs: https://viz.greynoise.io/tags/citrixbleed-2-cve-2025-5777-attempt?days=30

GreyNoise Visualizer | GreyNoise Visualizer

More from @greynoise telemetry - they now push CVE-2025-5777 (CitrixBleed 2) exploitation to June 23rd. I can push it back further, blog incoming.

I wrote up a thing on how to hunt for CitrixBleed 2 exploitation

https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71

CitrixBleed 2 exploitation started mid-June — how to spot it

CitrixBleed 2 — CVE-2025–5777 — has been under active exploitation to hijack Netscaler sessions, bypassing MFA, globally for a month. I wrote this about the vulnerability back on June 24th…

DoublePulsar

There are 7 more IPs on GreyNoise exploiting CitrixBleed 2 today, all marked as malicious. https://viz.greynoise.io/query/tags:%22CitrixBleed%202%20CVE-2025-5777%20Attempt%22%20last_seen:90d
Critical CitrixBleed 2 vulnerability has been under active exploit for weeks

Exploits allow hackers to bypass 2FA and commandeer vulnerable devices.

Ars Technica

I believe Citrix may have made a mistake in the patching instructions for CitrixBleed2 aka CVE-2025-5777.

They say to do the instructions on the left, but they appear to have missed other session types (e.g. AAA) which have session cookies that can be stolen and replayed with CitrixBleed2. On the right is the CitrixBleed1 instructions.

The net impact is, if you patched but a threat actor already took system memory, they can still reuse prior sessions.

Tell anybody you know at Citrix.

CISA have modified the CVE-2025-5777 entry to link to my blog 🙌 I’m hoping this gets more visibility as a bunch of us can see from Netflow ongoing threat actor Netscaler sessions to.. sensitive orgs.

CVE-2025-5777 aka CitrixBleed 2 has been added to CISA KEV now over evidence of active exploitation.

Citrix are still declining to comment about evidence of exploitation as of writing.

https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog

Now everybody but Citrix agrees that CitrixBleed 2 is under exploit: Add CISA to the list

The Register

This is how Citrix are styling Citrix Bleed 2 btw. In the blog there’s no technical details or detection details or acknowledgement of exploitation. They also directly blame NIST for their CVE description.

From Netflow I can see active victims - including systems owned by the US federal government - so strap in to see where this goes.

Some CitrixBleed2 IOCs; this is a cluster of what appears to be China going brrr, going on for weeks.

38.154.237.100
38.54.59.96

#threatintel

scanning/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt at main · GossiTheDog/scanning

Contribute to GossiTheDog/scanning development by creating an account on GitHub.

GitHub

CISA is giving all civilian agencies 1 day to remediate CitrixBleed 2. It is encouraging all other organisations in the US to do this too.

https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2

CISA orders agencies to immediately patch Citrix Bleed 2, saying bug poses ‘unacceptable risk’

The one-day deadline issued by CISA on Thursday appears to be the shortest one ever issued. Federal civilian agencies are typically given three weeks to patch bugs added to the known exploited vulnerability catalog.

Set up lab of Netscalers just now & owned them.

Two learnings:

1) the default logging isn’t enough to know if you’ve been exploited. So if you’re wondering where the victims are, they don’t know they’re victims as checks will come back clean unless they increased logging before. FW logs w/ IOCs fall back option.

2) the Citrix instructions post patch to clear sessions don’t include the correct session types - ICA will just reconnect as you (threat actor) still have the valid NSC_AAAC cookie.

If you ask Citrix support for IOCs for CVE-2025-5777 and they send you a script to run that looks for .php files - they’ve sent you an unrelated script, which has nothing to do with session hijacking or memory overread.

Updated CitrixBleed 2 scan results: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

It's down from 24% unpatched to 17% unpatched

The results are partial still, the actual numbers still vuln will be higher.


Imperva WAF have added detection and blocking for CitrixBleed 2 this weekend.

They see it being widely sprayed across the internet today - almost 12 million requests, log4shell level.

The only major vendor I’ve seen who hasn’t added a WAF rule is Citrix - they sell a WAF upsell module for Netscaler, but failed to add detection for their own vulnerability.

@GossiTheDog
So… could there possibly exist another Citrix 0day that this script looks for?
Right script, different CVE? :D
@musevg @GossiTheDog Well we haven’t seen anything yet about 2025-6543… and that was supposed to be the scary one!
@GossiTheDog this one is for CVE-2025-6543
@definity yea, support are getting confused and sending that one for CVE-2025-5777
@GossiTheDog @definity going to buy stock in clown makeup before the news reports the sudden spike in demand.
@GossiTheDog Looks like the two-digit billion dollar corp that closed my report as "informative, we don't see the issue here" still hasn't updated yet.
@GossiTheDog is this scan still running or has it now completed?
@GossiTheDog #Alt4You #AltText two screen captures from Citrix website, the other one from Akamai website. The first one says:
"Can I fix these vulnerabilities using Web Application Firewall signatures?
No, it is not possible to fix the vulnerabilities with Web Application Firewall signatures."
The second one, posted later, says:
"App & API Protector mitigation
In response to CitrixBleed 2, the WAF Threat Research Team released a new Rapid Rule on July 7, 2025, with a default action set to "Alert":
- 3000967-Citrix NetScaler Memory Disclosure Detected (CVE-2025-5777)".
@jt_rebelo @GossiTheDog The second one isn’t Citrix - that’s Akamai.

@GossiTheDog The great thing about "as far as I know"/"not as far as I know" class statements, unlike almost all other types of statements, is that you can increase their accuracy through the easy work of knowing less rather than the arduous task of knowing more.

It's epistemology's any% speedrun strat.

@GossiTheDog this feels very much like a corp Comms team in crisis management mode, thinking obfuscation will make the situation better. It's a natural reaction, but not one that helps mitigation.

A brutally honest 'we screwed up, here is what we can share without making the situation worse' along with some willingness to offer hotfixes rather than full releases is the better path forward.

On the plus side, I did get to read their latest Tolly report for lolz

@GossiTheDog How are you monitoring this traffic? I remember you making a similar statement on the Ingram Micro case.
@GossiTheDog They must be thinking it is gossip...
@GossiTheDog oh my g-d they did it again
@GossiTheDog Obviously this is a Ripley Protocol type of situation; but is it known how long the session cookies would be expected to remain valid if not explicitly purged? Configurable and wide variation in plausible values? Life of connection until manual or enforced disconnect? Fixed or very likely default number of minutes after successful authentication?
@GossiTheDog does anybody hear that statement and think anything other than “Citrix is aware that there is widespread, active exploitation. They just don’t want to admit it because it makes them look bad”?
@catbuttes @GossiTheDog but that's the beauty of it - they don't SAY it, so they legally don't admit to it, and everything else, however silly or dirty, is third party conjecture which doesn't matter in court 🤔
@GossiTheDog well, they already stated it in the sentence above. :D
Ameos hospital group: IT outage the result of a hacker/cyber attack

I can now contribute a further piece of information on the IT outages at Ameos clinics and facilities. After I reported on the IT problems, the Ameos Group from Switzerland…

Borns IT- und Windows-Blog
@TheTomas I don't see any evidence either of those are CitrixBleed2 caused, for what it's worth. One appears to be a power outage, the other has an unpatched Netscaler but it's still online.

@GossiTheDog I had a look at network traffic from today and some of them are proxy exit nodes; some do broad IoT scanning.

Two of them really stick out as they seem to exclusively target Citrix endpoints: 78.128.113.30 and 38.54.59.96

Kevin Beaumont (@GossiTheDog@cyberplace.social)

Exploitation IOCs for CVE-2025-5777 aka CitrixBleed 2, these are actively stealing sessions to bypass MFA for almost a month. Some are also doing Netscaler fingerprint scanning first. 64.176.50.109 139.162.47.194 38.154.237.100 38.180.148.215 102.129.235.108 121.237.80.241 45.135.232.2 HT @ntkramer@infosec.exchange and the folks at @greynoise@infosec.exchange Look for lots of connections to your Netscaler devices over past 30 days. More IPs coming as also under mass exploitation. More IPs: https://viz.greynoise.io/tags/citrixbleed-2-cve-2025-5777-attempt?days=30

Cyberplace
@GossiTheDog 38.154.237.100 is a definite yes (I looked at past 24h)
@GossiTheDog "I wrote this vuln back on June 24th..."
Pretty sure that's not what you meant ;)
@ketumbra lols, good spot - fixed

@GossiTheDog Thanks so much for this info and for all the info provided prior to this. I was able to confirm with our Citrix team two weeks ago that we were patched already, and I'm just getting emails this week from higher ups to look into this, so I'm very much ahead of the game.

Aside from social media, is there anywhere you suggest keeping an eye on daily for vulnerability info?

@GossiTheDog seeing the first hits from one of the mentioned IPs on 6/20.
@lowlands which IP?
@GossiTheDog 64[.]176[.]50[.]109
@lowlands ah yep. They did fingerprinting of Netscaler firmware versions, then exploited unpatched boxes afterwards

@GossiTheDog @ntkramer @greynoise

My own honeypot only sees activity from Private VPN. No fingerprinting first. Most POST /p/u/doAuthentication.do, some POST /nf/auth/doAuthentication.do. User-Agent: "Vuln3rableVuln3rable..."

2025-07-07
190.60.16.26
103.27.203.82
45.9.249.58
185.94.192.162
128.1.160.146
200.110.153.22

2025-07-06
193.37.253.202
200.110.153.22
217.138.222.66
82.221.113.209
80.239.140.197
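Two pieces of the thread are directly usable for hunting: the IOC address list Kevin Beaumont posted (with the two addresses singled out in the netflow reply), and the request shape this honeypot reply describes (POSTs to doAuthentication.do with a user agent starting "Vuln3rable"). The thread also notes that default Netscaler logging will not show you exploitation, so perimeter firewall or reverse-proxy logs are the fallback. The script below is an added example written for this page, not code from the thread, from GreyNoise or from Citrix. It runs both indicator types over a few constructed log lines in a hypothetical key=value export format; the field names ts, src, dst, method, path and ua are assumptions, and the honeypot address 190.60.16.26 is deliberately left off the IP list so the user-agent rule can be seen catching a source the list misses.

```python
"""Hunt for CitrixBleed 2 (CVE-2025-5777) indicators in perimeter logs.

Added example, not code from the thread or from Citrix. It combines the IOC
addresses and the request shapes quoted in the thread and runs them over
constructed firewall/reverse-proxy log lines. The key=value log format and the
field names (ts, src, dst, method, path, ua) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source addresses reported in the thread as exploiting CitrixBleed 2
# (Kevin Beaumont / GreyNoise list plus the two singled out in the netflow reply).
IOC_IPS = {
    "64.176.50.109", "139.162.47.194", "38.154.237.100", "38.180.148.215",
    "102.129.235.108", "121.237.80.241", "45.135.232.2", "38.54.59.96",
    "78.128.113.30",
}

# Authentication endpoints the honeypot saw being POSTed to.
AUTH_PATHS = {"/p/u/doAuthentication.do", "/nf/auth/doAuthentication.do"}
# The honeypot user agent began "Vuln3rableVuln3rable..."; match only the prefix
# the thread actually quotes.
UA_PREFIX = "Vuln3rable"

LOOKBACK = timedelta(days=30)  # "past 30 days", as the thread advises
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log lines (hypothetical key=value export, not real traffic).
# 190.60.16.26 appears in the honeypot reply but is intentionally absent from
# IOC_IPS above, so it is caught by the user-agent rule alone.
SAMPLE_LOG = """\
ts=2025-07-01T08:12:03Z src=64.176.50.109 dst=203.0.113.10 method=GET path=/vpn/index.html ua="Mozilla/5.0"
ts=2025-07-01T08:12:09Z src=64.176.50.109 dst=203.0.113.10 method=POST path=/p/u/doAuthentication.do ua="Mozilla/5.0"
ts=2025-07-07T14:02:44Z src=190.60.16.26 dst=203.0.113.10 method=POST path=/p/u/doAuthentication.do ua="Vuln3rableVuln3rable"
ts=2025-07-07T14:03:01Z src=198.51.100.7 dst=203.0.113.10 method=POST path=/p/u/doAuthentication.do ua="Citrix Workspace"
ts=2025-05-20T09:00:00Z src=38.154.237.100 dst=203.0.113.10 method=GET path=/ ua="curl/8.0"
ts=2025-07-08T11:45:12Z src=198.51.100.8 dst=203.0.113.10 method=GET path=/vpn/index.html ua="Mozilla/5.0"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(rec):
    """Return the reasons a record is suspicious (empty list if none).

    'ioc-ip'   : source is on the thread's IOC list.
    'exploit-ua': POST to a doAuthentication.do endpoint with the honeypot UA prefix.
    """
    reasons = []
    if rec.get("src") in IOC_IPS:
        reasons.append("ioc-ip")
    if (rec.get("method") == "POST" and rec.get("path") in AUTH_PATHS
            and rec.get("ua", "").startswith(UA_PREFIX)):
        reasons.append("exploit-ua")
    return reasons


def hunt(log_text, now="2025-07-10T00:00:00Z"):
    """Scan log text and group flagged records by source address.

    Only records inside the lookback window ending at `now` are considered.
    Returns {src: {"hits": n, "reasons": set, "auth_posts": n}}; auth_posts
    counts POSTs to the authentication endpoints, the requests through which
    session tokens would have been read back.
    """
    cutoff = datetime.strptime(now, TS_FORMAT) - LOOKBACK
    findings = defaultdict(lambda: {"hits": 0, "reasons": set(), "auth_posts": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "ts" not in rec or "src" not in rec:
            continue  # unparseable or incomplete line
        if datetime.strptime(rec["ts"], TS_FORMAT) < cutoff:
            continue  # outside the hunting window
        reasons = classify(rec)
        if not reasons:
            continue
        entry = findings[rec["src"]]
        entry["hits"] += 1
        entry["reasons"].update(reasons)
        if rec.get("method") == "POST" and rec.get("path") in AUTH_PATHS:
            entry["auth_posts"] += 1
    return dict(findings)


if __name__ == "__main__":
    for src, info in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{src}: {info['hits']} hit(s), {info['auth_posts']} auth POST(s), "
              f"reasons={sorted(info['reasons'])}")
```

A flagged source with a non-zero auth_posts count is the case the thread warns about: patching closes the memory overread, but any session tokens already read back remain valid until the sessions themselves (including the ICA/AAA types the thread says Citrix's instructions omit) are terminated, so the hunt result feeds the session purge, not just the patch tracker.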

@GossiTheDog was CitrixBleed the one that Citrix issued a patch for that didn't actually fix the vulnerability in like Nov 2023?