Reports
These case reports give you insight into the kinds of vulnerabilities we found, the numbers and how we helped to fix them. If you want to be informed on our current research projects, check the CSIRT page.
REPORT - DIVD-2022-00004 - Post-Log4j
03 August 2022, by Gerard Janssen
During the Log4J crisis Redis instances were used to exploit the Log4J vulnerability.
Report DIVD-2022-00006 - SAProuter
15 February 2022, by Joris van de Vis
The DIVD scanned for vulnerable SAProuters and warned the network owners
Report DIVD-2021–00039 - HPO-ILO
25 June 2022, by Gerard Janssen
Researchers of Iranian cybersecurity company AmnPardaz found a rootkit in HP iLO firmware, the first of its kind.
Report DIVD-2021-00038 - Apache Log4j2
05 April 2022, by Gerard Janssen
On Thursday, December 9th, a 0-day vulnerability in the popular Java logging library log4j (version 2) was discovered. This vulnerability can be used to do a Remote Code Execution (RCE) on servers using this logging tool.
Report DIVD-2021-00036-vCenter Server Arbitrary File Read Vulnerability
19 February 2022, by Gerard Janssen
A bug in VMware vCenter software could lead to an attacker gaining access to sensitive information.
Report DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw
19 November 2021, by Jeroen van de Weerd
We have received multiple lists of GitLab servers running a vulnerable version of GitLab from security researchers at Censys.io. An issue has been discovered in GitLab CE/EE. we have notified their administrators.
Report DIVD-2021-00021 - Qlik Sense Enterprise Domain User Enumeration
25 May 2022, by Gerard Janssen
DIVD discovered a timing attack vulnerability in Qlik Sense.
Report DIVD-2021-00012-Warehouse botnet
02 November 2021, by Chris van ‘t Hof
researcher Tom Wolters found a database with leaked credentials and together with DIVD he informed victims
Report DIVD-2020–00011 Vembu BDR
01 August 2021, by Gerard Janssen
DIVD researcher Wietse Boonstra found four zero-day vulnerabilities in Vembu BDR Suite.
Report DIVD-2021-00010-vCenter Server Preauth RCE
19 February 2022, by Gerard Janssen
On 25 May 2021, VMware published an advisory – a recommendation – to install updates for the vSphere Web Client.
Report DIVD-2021-00005-Pulse Secure Preauth RCE
23 November 2021, by Gerard Janssen
Pulse Secure published an advisory in response to recently discovered critical vulnerabilities in the (VPN) product Pulse Connect Secure (PCS), version 9.0R3 and higher
Report DIVD-2021-00004 - Leaked Phishing Credentials
07 June 2021, by Célistine Oosting
an external researcher not tied to the DIVD informed us about leaked phishing credentials, the DIVD/DIVD CSIRT informed the victims of the phishing campaign after obtaining the information
Report DIVD-2021-00003- Facebook Leak
20 May 2021, by Chris van ‘t Hof
This is actually a non-report, but it demonstrates where we draw the boundaries on what we can and cannot do according to our code of conduct.
Report DIVD-2021-00002 - KASEYA VSA
02 December 2021, by Gerard Janssen
Report DIVD-2021-00002 - KASEYA VSA, behind the scenes
04 April 2022, by Gerard Janssen
Report DIVD-2021-00001– Microsoft Exchange Server ProxyLogon
26 August 2021, by Gerard Janssen
In the beginning of 2021 various groups have been breaking into Microsoft Exchange servers using various zero-days, DIVD scanned for unpatched versions and warned more than 40,000 organizations.
Report DIVD-2020-00014 - Solarwinds Orion
28 January 2022, by Gerard Janssen
the DIVD scanned for vulnerable Solarwind Orion systems.
Report DIVD-2020-00013 - Leaked Phishing Credentials
01 July 2021, by Joris van de Vis
an external researcher not tied to the DIVD informed us about leaked phishing credentials, the DIVD/DIVD CSIRT informed the victims of the phishing campaign after obtaining the information
Report DIVD-2020-00012 - Scanning 49,577 Vulnerable Fortinet VPN Devices
12 May 2021, by Jeroen van de Weerd
A total of 34,830 notifications were sent to companies and agencies with vulnerable Fortinet VPN devices. We received some positive responses.
Report DIVD-2020-00010 - wpDiscuz Plugin Remote Code
12 May 2021, by Jeroen van de Weerd
DIVD researchers identified vulnerable wpDiscuz installations in the Netherlands and notified the system administrators.
Report DIVD-2020-00009 - Pulse Secure VPN enterprise Leak
11 May 2021, by Jeroen van de Weerd
A list of usernames and IP addresses of more than 900 Pulse Secure VPN enterprise servers was leaked online. Security researchers forwarded this list to DIVD who notified the victims.
2020-00008-313 000 Wordpress sites scanned
08 April 2021, by Jeroen van de Weerd
DIVD received a list with all the Wordpress websites in the .nl space, 313 000 sites were scanned for vulnerabilities. Two different vulnerabilities were reported on.
Report DIVD-2020-00007 Citrix ShareFile
01 July 2021, by Jeroen van de Weerd
On May 5, 2020, Citrix released a security advisory for the Citrix ShareFile product. The vulnerabilities allow an attacker to potentially compromise the storage zone controller and gain access to sensitive ShareFile documents and folders.
2020-00006-SMBv3
08 April 2021, by Jeroen van de Weerd
A buffer overflow vulnerability in Kernel Address Space could be exploited with a specially crafted compressed file. DIVD warned that there was a serious threat, a worldwide scan showed there were 62.000 IP addresses with SMBv3.1.1. running and compression enabled. Microsoft published a patch, after the patch was released, it was not possible anymore to find vulnerable systems only by scanning, so no additional scans were performed.
Report DIVD-2020-00005– Apache Tomcat AJP
14 July 2021, by Gerard Janssen
A vulnerability was found in Apache Tomcat, nicknamed Ghostcat. The DIVD scanned the web for vulnerable systems and shared this information through non-public CERT channels.
2020-00004-Mirai Botnet Infections
25 January 2021, by Jeroen van de Weerd
On 20-01-2020, DIVD CSIRT received a list of IP addresses, usernames and passwords belonging to systems that may have been part of the Mirai botnet. We informed the affected users. After receiving no response, no further action was taken.
2020-00003-Bluegate
29 January 2021, by Gerard Janssen
Microsoft published two patches for a vulnerability in Windows Remote Desktop Gateway. Microsoft researchers discovered that the RD Gateway had two memory corruption vulnerabilities (CVE-2020-0609 and CVE-2020-0610). DIVD found about 1.137 vulnerable Dutch systems and reported to the owners how to fix these.
2020-00002-Wildcard certificates on Citrix
11 November 2020, by Jeroen van de Weerd
Further analysis of the data on the Citrix vunerability showed that more than 450 of the 700 identified vulnerable Citrix systems were using so-called wildcard certificates, which are TLS certificates that are valid for all subdomains within a domain.
2020-00001-Citrix
13 March 2020, by Chris van ‘t Hof
On December 17th Citrix published a vulnerability in Citrix Application Delivery Controller (ADC) products. These products are also known as NetScaler ADC, Citrix Gateway en Netscaler Gateway. Exploitation of the vulnerability allows an attack to execute arbirary command’s on these servers. DIVDs Security Hotline scaned the Dutch IP range and reported to the owners.