Reports

These case reports give you insight into the kinds of vulnerabilities we found, the numbers and how we helped to fix them. If you want to be informed on our current research projects, check the cases page on the CSIRT site.


Report DIVD-2023-00007 - Global VMware ESXi Ransomware Attacks

25 May 2023, by Gerard Janssen

Worldwide ransomware attack on unpatched ESXi servers.


Report DIVD-2022-00005 - Exposed BACnet Devices

20 May 2023, by Gerard Janssen

Exposed BACnet ports


Report DIVD-2021-00006 - SmarterMail

22 February 2023, by Gerard Janssen

DIVD researcher found multiple vulnerabilities in SmarterMail


Report DIVD-2022-00002 - Grafana

22 February 2023, by Gerard Janssen

Vulnerability in Grafana analytics tool


Report DIVD-2022-00033 - Confluence

16 January 2023, by Gerard Janssen

Critical zero-day in Atlassian Confluence management software


Report DIVD-2022-00014 - Greynoise’s Ukraine Only list

16 December 2022, by Gerard Janssen


Report DIVD-2022-00013 - Odd Microsoft Certificate

08 December 2022, by Gerard Janssen

DIVD researcher finds odd certificates


Report DIVD-2022-00032 - Exchange Backdoor

28 November 2022, by Gerard Janssen

Backdoor found in WinRS and Exchange Servers


Report DIVD-2022-00015 - GitLab GraphQL API User Enumeration

28 November 2022, by Gerard Janssen

Several vulnerabilities found in GitLab


Report DIVD-2021-00017 - N-able

02 November 2022, by Gerard Janssen

DIVD researchers identified multiple zero-days in SolarWinds N-able N-central.


Report DIVD-2022-00009 - Solarman

12 October 2022, by Gerard Janssen

Backend ‘Super Administrator’ account of Solarman, a producer of photovoltaic systems, exposed.


Report DIVD-2022-00004 - Post-Log4j

04 August 2022, by Gerard Janssen

During the Log4j crisis, Redis instances were used to exploit the Log4j vulnerability.


Report DIVD-2021-00039 - HPO-ILO

25 June 2022, by Gerard Janssen

Researchers of Iranian cybersecurity company AmnPardaz found a rootkit in HP iLO firmware, the first of its kind.


Report DIVD-2021-00021 - Qlik Sense Enterprise Domain User Enumeration

25 May 2022, by Gerard Janssen

DIVD discovered a timing attack vulnerability in Qlik Sense.


Report DIVD-2021-00038 - Apache Log4j2

05 April 2022, by Gerard Janssen

On Thursday, December 9th, a 0-day vulnerability in the popular Java logging library log4j (version 2) was discovered. This vulnerability allows Remote Code Execution (RCE) on servers using this logging library.


Report DIVD-2021-00002 - KASEYA VSA, behind the scenes

04 April 2022, by Gerard Janssen

In April 2021 Dutch hackers found a number of vulnerabilities in software used by Kaseya, a business that makes tools for system managers working remotely. An enormous number of companies could be attacked through this vulnerability, from banks to transport companies and shop chains. The problem was nearly solved when Russian hackers also received wind of it. The result was a race between Dutch hackers and Russian criminals.


Report DIVD-2021-00036 - vCenter Server Arbitrary File Read Vulnerability

19 February 2022, by Gerard Janssen

A bug in VMware vCenter software could lead to an attacker gaining access to sensitive information.


Report DIVD-2021-00010 - vCenter Server Preauth RCE

19 February 2022, by Gerard Janssen

On 25 May 2021, VMware published an advisory – a recommendation – to install updates for the vSphere Web Client.


Report DIVD-2022-00006 - SAProuter

15 February 2022, by Joris van de Vis

SAProuters are software-defined routers that route traffic from and to SAP systems. A typical use-case is for SAP support to access your internal SAP systems from SAP HQ for remote support. The SAProuter routes traffic e.g., from the internet to internal resources (SAP systems). When not correctly secured, anyone from the internet can access internal resources. This, in turn, might lead to the exploitation of internal SAP resources that would otherwise not be possible in a direct manner.


Report DIVD-2020-00014 - SolarWinds Orion

28 January 2022, by Gerard Janssen

DIVD scanned for vulnerable SolarWinds Orion systems.


Report DIVD-2021-00002 - KASEYA VSA

02 December 2021, by Gerard Janssen

On March 23, DIVD researcher Wietse Boonstra found six zero-day vulnerabilities in IT management software from Kaseya, a Miami-based company. Kaseya VSA (Virtual Systems Administrator) is a remote software management tool that can be used to perform just about any system administration task, like installing software, applying patches, adding users, or creating backups. It is a tool that mostly Managed Service Providers (MSPs) use to control the systems of their customers. By outsourcing system administration, smaller organizations can save costs and focus on growing their business. In theory, MSPs also reduce security risk. But if this kind of software is compromised, many clients are at risk.


Report DIVD-2021-00005 - Pulse Secure Preauth RCE

23 November 2021, by Gerard Janssen

Pulse Secure published an advisory in response to recently discovered critical vulnerabilities in the VPN product Pulse Connect Secure (PCS), version 9.0R3 and higher.


Report DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw

19 November 2021, by Jeroen van de Weerd

We have received multiple lists of GitLab servers running a vulnerable version of GitLab from security researchers at Censys.io. An issue has been discovered in GitLab CE/EE. We have notified their administrators.


Report DIVD-2021-00012 - Warehouse botnet

02 November 2021, by Chris van ‘t Hof

Researcher Tom Wolters found a database with leaked credentials and, together with DIVD, informed the victims.


Report DIVD-2021-00001 – Microsoft Exchange Server ProxyLogon

26 August 2021, by Gerard Janssen

In early 2021, various groups broke into Microsoft Exchange servers using several zero-days. DIVD scanned for unpatched versions and warned more than 40,000 organizations.


Report DIVD-2020-00011 - Vembu BDR

01 August 2021, by Gerard Janssen

DIVD researcher Wietse Boonstra found four zero-day vulnerabilities in Vembu BDR Suite.


Report DIVD-2020-00005 – Apache Tomcat AJP

14 July 2021, by Gerard Janssen

A vulnerability was found in Apache Tomcat, nicknamed Ghostcat. The DIVD scanned the web for vulnerable systems and shared this information through non-public CERT channels.


Report DIVD-2020-00013 - Leaked Phishing Credentials

01 July 2021, by Joris van de Vis

An external researcher not tied to DIVD informed us about leaked phishing credentials. After obtaining the information, DIVD/DIVD CSIRT informed the victims of the phishing campaign.


Report DIVD-2020-00007 - Citrix ShareFile

01 July 2021, by Jeroen van de Weerd

On May 5, 2020, Citrix released a security advisory for the Citrix ShareFile product. The vulnerabilities allow an attacker to potentially compromise the storage zone controller and gain access to sensitive ShareFile documents and folders.


Report DIVD-2021-00004 - Leaked Phishing Credentials

07 June 2021, by Célistine Oosting

An external researcher not tied to DIVD informed us about leaked phishing credentials. After obtaining the information, DIVD/DIVD CSIRT informed the victims of the phishing campaign.


Report DIVD-2021-00003 - Facebook Leak

20 May 2021, by Chris van ‘t Hof

This is actually a non-report, but it demonstrates where we draw the boundaries on what we can and cannot do according to our code of conduct.


Report DIVD-2020-00012 - Scanning 49,577 Vulnerable Fortinet VPN Devices

12 May 2021, by Jeroen van de Weerd

A total of 34,830 notifications were sent to companies and agencies with vulnerable Fortinet VPN devices. We received some positive responses.


Report DIVD-2020-00010 - wpDiscuz Plugin Remote Code

12 May 2021, by Jeroen van de Weerd

DIVD researchers identified vulnerable wpDiscuz installations in the Netherlands and notified the system administrators.


Report DIVD-2020-00009 - Pulse Secure VPN enterprise Leak

11 May 2021, by Jeroen van de Weerd

A list of usernames and IP addresses of more than 900 Pulse Secure VPN enterprise servers was leaked online. Security researchers forwarded this list to DIVD who notified the victims.


Report DIVD-2020-00008 - 313 000 WordPress sites scanned

08 April 2021, by Jeroen van de Weerd

DIVD received a list of all WordPress websites in the .nl space; 313 000 sites were scanned for vulnerabilities. Two different vulnerabilities were reported on.


Report DIVD-2020-00006 - SMBv3

08 April 2021, by Jeroen van de Weerd

A buffer overflow vulnerability in the kernel address space could be exploited with a specially crafted compressed file. DIVD warned that there was a serious threat: a worldwide scan showed 62,000 IP addresses running SMBv3.1.1 with compression enabled. After Microsoft released a patch, vulnerable systems could no longer be identified by scanning alone, so no additional scans were performed.


Report DIVD-2020-00003 - Bluegate

29 January 2021, by Gerard Janssen

Microsoft published two patches for a vulnerability in Windows Remote Desktop Gateway. Microsoft researchers discovered that the RD Gateway had two memory corruption vulnerabilities (CVE-2020-0609 and CVE-2020-0610). DIVD found about 1,137 vulnerable Dutch systems and reported to the owners how to fix them.


Report DIVD-2020-00004 - Mirai Botnet Infections

25 January 2021, by Jeroen van de Weerd

On 20-01-2020, DIVD CSIRT received a list of IP addresses, usernames and passwords belonging to systems that may have been part of the Mirai botnet. We informed the affected users. After receiving no response, no further action was taken.


Report DIVD-2020-00002 - Wildcard certificates on Citrix

11 November 2020, by Jeroen van de Weerd

Further analysis of the data on the Citrix vulnerability showed that more than 450 of the 700 identified vulnerable Citrix systems were using so-called wildcard certificates, which are TLS certificates that are valid for all subdomains within a domain.


Report DIVD-2020-00001 - Citrix

13 March 2020, by Chris van ‘t Hof

On December 17th, Citrix published a vulnerability in Citrix Application Delivery Controller (ADC) products. These products are also known as NetScaler ADC, Citrix Gateway and NetScaler Gateway. Exploitation of the vulnerability allows an attacker to execute arbitrary commands on these servers. DIVD's Security Hotline scanned the Dutch IP range and reported to the owners.