News

Sunny Myers on Breaking Barriers, Indigenous Empowerment, and Fostering Allyship

November 28, 2023

New Program for Critical Infrastructure Cybersecurity


The Critical Infrastructure Protection Program

Cyber Florida at the University of South Florida, the state’s leading cybersecurity resource, is pleased to announce a new effort under the CyberSecureFlorida program: the Critical Infrastructure Protection (CIP) Program. Stemming from the success of the recently completed Critical Infrastructure Risk Assessment (CIRA) program funded by the Florida Legislature in 2022, the CIP program takes the next step to provide no-cost resources, tools, and guidance to Florida’s public and private critical infrastructure entities to help mitigate their cyberattack vulnerabilities.  

The CIP Program is intended to assist small and medium-sized enterprises and resource-constrained county and municipal government entities in implementing basic cybersecurity protocols and policies to achieve a fundamental cybersecurity posture. This comprehensive initiative is designed to fortify the cybersecurity resilience of public and private critical infrastructure across the state. 

In an era of increasing cyber threats, safeguarding critical infrastructure is paramount. The CyberSecureFlorida CIP program aims to empower organizations by providing high-quality cybersecurity resources, training, and support to defend against evolving cyber risks. Some of the new resources available include the following: 

  • A 20-question Entry-Level Assessment based on the most-reported weaknesses from the initial risk assessment program. The Entry-Level Assessment will help organizations immediately see how their cybersecurity protocols measure up in the high-risk areas. 
  • A Cybersecurity Incident Response Plan Template to help organizations think through and plan ahead for how to weather and recover from a cyber incident. 
  • A full, 156-question Risk Assessment that covers key cybersecurity protocols outlined in the NIST Cybersecurity Framework as well as ransomware readiness. Both this and the Entry-Level Assessment are provided by Idaho National Laboratory (INL) through a customized instance of their highly regarded Cyber Security Evaluation Tool (CSET)®. 

“CyberSecureFlorida: Critical Infrastructure Protection Program represents a significant step forward in our commitment to fortifying the cybersecurity defenses of government entities and critical infrastructure businesses,” said Bryan Langley, Lead Program Manager at Cyber Florida. “By fostering collaboration, offering targeted training, and leveraging the expertise of our cybersecurity professionals, we aim to elevate the cybersecurity resilience of these vital sectors,” he said. 

To learn more about the CyberSecureFlorida CIP program and how your organization can participate, please visit the program’s official webpage: https://cyberflorida.org/cipp. For inquiries, please contact the program lead, Bryan Langley at bjlangley@cyberflorida.org.  

November 20, 2023

Kristin Demoranville — CEO and Founder of AnzenSage, defender of the food sector, and friend to primates

November 20, 2023

Unauthenticated Remote Code Execution (RCE) Vulnerability Affecting NetScaler

I. Targeted Entities

  • NetScaler Users*

II. Introduction

This attack has targeted NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, tools that respectively speed the delivery of applications to end users and provide secure remote access to applications and services. Threat actors exploited this vulnerability as a zero-day to drop a webshell, which gave them access to the victim’s Active Directory (AD) and let them collect and exfiltrate data.

III. Additional Background Information

In June 2023, threat actors exploited the public-facing applications NetScaler Application Delivery Controller and NetScaler Gateway. They implanted a webshell on the organization’s NetScaler ADC appliance, then abused elevation controls (a setuid binary) to continue their exploit chain and extract data.

The affected versions of NetScaler ADC and NetScaler Gateway are 13.1 before 13.1-40.13. CVE-2023-3519 has a precursor in CVE-2019-19781, discovered in December 2019, which attracted significant attention because it could be exploited for the same purpose now being observed (unauthenticated remote code execution). With CVE-2019-19781, attackers gained access through the Citrix NetScaler server to exploit public-facing applications such as Citrix ADC and Gateway, and the same pattern is seen with CVE-2023-3519.

According to NIST’s CVSS severity and metrics, the vulnerability has been rated as follows:

Threat Actor Activity
Victim 1

As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [T1046].

Threat Actor Activity
Victim 2

Threat actors uploaded a PHP webshell, logouttm.php [T1036.005], likely as part of their initial exploit chain, to /netscaler/ns_gui/vpn/. Within an hour of installing the webshell, the actors implanted an Executable and Linkable Format (ELF) binary, pykeygen, that set the user identifier (UID) to root and executed /bin/sh [T1059.004] via the setuid and execve syscalls [T1106]. Note: A third party also observed threat actors use an ELF binary (named pip4) to execute /bin/sh via syscall and change the UID to root; pip4 was located at /var/python/bin.

With root level access, the actors used hands-on-keyboard for discovery. They queried the AD via ldapsearch for users, groups, and computers. They collected the data in gzipped text files renamed 1.css and 2.css and placed the files in /netscaler/ns_gui/vpn/ for exfiltration.

After exfiltrating the files, the actors deleted them from the system [T1070.004] as well as some access logs, error logs, and authentication logs [T1070.002]. The victim organization detected the intrusion and mitigated the activity but did not identify signs of additional malicious activity.

For command and control (C2), the actors appeared to use compromised pfSense devices [T1584]; the victim observed communications with two pfSense IP addresses indicating the actor was using them for multi-hop proxying C2 traffic [T1090.003].

Updated vulnerabilities affecting Netscaler ADC and Netscaler Gateway:

As of October 23rd, Cyber Florida received updates regarding vulnerabilities affecting NetScaler ADC and NetScaler Gateway. The vulnerabilities in question, CVE-2023-4966 and CVE-2023-4967, both carry high CVSS severity scores and should be mitigated immediately. CVE-2023-4966, a sensitive information disclosure vulnerability, allows attackers to read large amounts of data from memory past the end of a buffer. Frequently seen with this attack vector are efforts to gain unauthenticated access to previous session tokens, which allow attackers to impersonate authenticated users and escalate their privileges. CVE-2023-4967, although less critical than the first vulnerability, is still severe: it can lead to a Denial of Service (DoS) and cause great harm to a company.

As of October 23rd, the updated affected versions of NetScaler ADC and NetScaler Gateway are the following:

  • Netscaler ADC and Netscaler Gateway 14.1 before 14.1-8.50
  • Netscaler ADC and Netscaler Gateway 13.1 before 13.1-49.15
  • Netscaler ADC and Netscaler Gateway 13.0 before 13.0-92.19

V. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Applications
    Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Adversaries exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.
  • T1505.003 – Server Software Component: Web Shell
    Adversaries may backdoor web servers with web shells to establish persistent access to systems. The threat actors implanted a generic webshell on the organization’s NetScaler ADC appliance.
  • T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid
    An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. As part of their initial exploit chain, the threat actors uploaded a TGZ file containing a setuid binary to the ADC appliance.
  • T1036.008 – Masquerading: Masquerade File Type
    Adversaries may masquerade malicious payloads as legitimate files through changes to the payload’s formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. The threat actors exfiltrated data by uploading it as an image file to a web-accessible path.
  • T1018 – Remote System Discovery
    Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used, such as Ping or net view using Net. The threat actors queried the AD for computers. The threat actors attempted to execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets. Network-segmentation controls prevented this activity.
  • T1016.001 – System Network Configuration Discovery: Internet Connection Discovery
    Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways, such as using Ping, tracert, and GET requests to websites. The threat actors attempted to verify outbound network connectivity with a ping command and executed host commands for a subnet-wide DNS lookup. Network-segmentation controls prevented this activity.
  • T1046 – Network Service Discovery
    Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system. The threat actors conducted SMB scanning on the organization’s subnet.
  • T1560.001 – Archive Collected Data: Archive via Utility
    Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier or more secure to transport. The threat actors used openssl to encrypt the collected discovery data in a tarball.
  • T1090.001 – Proxy: Internal Proxy
    Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. The actors likely used a PHP shell with proxying capability to attempt proxying SMB traffic to the DC (the traffic was blocked by a firewall and account restrictions).
  • T1531 – Account Access Removal
    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. The threat actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users from logging in remotely (e.g., CLI).

VI. Recommendations

  • Install the relevant updated versions as soon as possible.
  • Check for files newer than the last installation.
  • Quarantine or take offline potentially affected hosts.
  • Provision new account credentials.
  • Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  • Apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices.
  • Test and validate security controls to determine their performance against the threat behaviors associated with the MITRE ATT&CK techniques in this advisory.
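A defender-side triage helper for the recommendations above and the Victim 2 artifacts (files newer than the last install, gzipped data staged as .css, a setuid ELF in the web path). This is an added example, not code from the CISA advisory or Cyber Florida; the directory contents and baseline time are constructed, and the scan runs over a temporary directory standing in for /netscaler/ns_gui/vpn/.

```python
"""Triage helper for the artifacts described in this advisory. Added example,
not CISA's or Cyber Florida's tooling. Given a web-accessible directory (on an
appliance, /netscaler/ns_gui/vpn/ from the advisory) it flags files modified
after a reference time such as the last install, static-asset names whose bytes
are something else (gzipped LDAP output staged as 1.css / 2.css), ELF binaries
in the web root, and files with the setuid bit set (T1548.001)."""
import gzip
import os
import stat
import tempfile
import time

# Magic bytes that should never appear under a static-asset extension.
MAGIC = {b"\x1f\x8b": "gzip", b"\x7fELF": "elf"}
STATIC_EXTS = {".css", ".js", ".png", ".gif", ".jpg", ".ico", ".html"}


def sniff(path):
    """Guess the real content type from the leading bytes, or None if unremarkable."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return next((name for magic, name in MAGIC.items() if head.startswith(magic)), None)


def scan_dir(root, baseline_mtime):
    """Map each suspicious regular file (relative to root) to the checks it tripped."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, etc. are out of scope here
            reasons = []
            if st.st_mtime > baseline_mtime:
                reasons.append("modified after baseline")
            kind = sniff(path)
            ext = os.path.splitext(name)[1].lower()
            if ext in STATIC_EXTS and kind is not None:
                reasons.append(f"{ext} file actually contains {kind} data")
            if kind == "elf":
                reasons.append("ELF binary in web directory")
            if st.st_mode & stat.S_ISUID:
                reasons.append("setuid bit set")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def demo_scan():
    """Build a constructed directory mimicking the advisory's artifacts and scan it."""
    root = tempfile.mkdtemp(prefix="ns_gui_vpn_")
    baseline = time.time() - 86400  # pretend the last install happened a day ago
    legit = os.path.join(root, "login.css")  # a stylesheet shipped with the install
    with open(legit, "w") as fh:
        fh.write("body { color: #000; }\n")
    os.utime(legit, (baseline - 86400, baseline - 86400))
    # Gzipped text disguised as a stylesheet, like 1.css / 2.css in the advisory
    with gzip.open(os.path.join(root, "1.css"), "wb") as fh:
        fh.write(b"dn: CN=Administrator,CN=Users,DC=example,DC=local\n")  # constructed
    with open(os.path.join(root, "logouttm.php"), "w") as fh:  # name from the advisory
        fh.write("placeholder text, not a web shell\n")
    elf = os.path.join(root, "pykeygen")  # name from the advisory; header bytes only
    with open(elf, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 12)
    os.chmod(elf, 0o4755)  # setuid bit; some filesystems silently drop it
    return scan_dir(root, baseline)
```

On a real appliance, pass the actual web directory and the install timestamp to scan_dir and review every flagged path against the vendor's file manifest before drawing conclusions.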

VII. IOCs (Indicators of Compromise)

  • IOCs affiliated with Citrix CVE-2023-3519 exploitation (cisa.gov)
  • Third-party provided IP addresses affiliated with Citrix CVE-2023-3519 (cisa.gov)
  • Third-party provided IOCs affiliated with Citrix CVE-2023-3519 (cisa.gov)
  • Updated NetScaler ADC and NetScaler Gateway containing unauthenticated buffer-related vulnerabilities, 10/23/2023 (support.citrix.com)

VIII. References

Threat actors exploiting Citrix CVE-2023-3519 to Implant Webshells – CISA. https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf

Enterprise Techniques. Mitre ATT&CK®. (n.d.). https://attack.mitre.org/versions/v13/techniques

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967. (2023, October 23). https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

Rapid7. (n.d.). CVE-2023-4966: Exploitation of Citrix NetScaler Information Disclosure Vulnerability. https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/#:~:text=On%20October%2010%2C%202023%2C%20Citrix,the%20end%20of%20a%20buffer.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: EJ Bulut, Nahyan Jamil, Alessandro Lovadina, Ben Price, Erika Delvalle, Ariana Manrique, Yousef Blassy

November 14, 2023

Florida SUS Dominate 2023 DOE’s CyberForce Competition

Florida State University Institutions Dominate 2023 Department of Energy’s CyberForce Competition

In an extraordinary display of cybersecurity prowess, State University System of Florida teams dominated the 2023 Department of Energy (DOE) CyberForce Competition on November 4 in St. Charles, IL. Out of 95 participating teams, Florida’s top institutions claimed four of the top five positions, showcasing the state’s exceptional talent and commitment to cyber education.

The final top standings are as follows:

1st place: UCF – A Team With A Dream: Achieving a third consecutive win, this marks the fourth National Championship in CyberForce for the UCF team, adding to their victories in 2018, 2021, and 2022.

3rd place: UF – Darth Gator: Securing an impressive third position, the UF team showcased their exceptional cyber skills.

4th place: UCF – St. Dominic College: A nod to the Q Center’s original name, St. Dominic College for Women, this UCF team claimed the fourth spot, maintaining a tradition of excellence.

5th Place: USF CyberHerd: The USF team rounded off the top five, demonstrating their dedication to cybersecurity and contributing to Florida’s dominance in the competition.

The annual DOE CyberForce Competition attracted nearly 600 students from elite schools across the nation, emphasizing the high level of competition. Florida State Universities, particularly UCF, UF, and USF, proved their mettle by claiming four of the top five positions, solidifying their reputation as leaders in cybersecurity education.

During the all-day CyberForce Competition, the teams faced real-world cybersecurity issues surrounding distributed energy resources (DERs), including constraints like budget and ensuring uninterrupted power access. The ninth iteration of the competition emphasized not just technical knowledge but innovation, adaptability, and effective communication. Participants had to maintain the system, create defenses on tight budgets, and work with virtual users. A Team with a Dream from the University of Central Florida demonstrated excellence in handling challenges to their mini electric grid despite the scenario’s realistic constraints and cyber-attacks.

“I want to congratulate A Team with a Dream from the University of Central Florida on their success in the U.S. Department of Energy’s 2023 CyberForce Competition,” said Puesh M. Kumar, Director of CESER. “The competition focused on ensuring the cybersecurity of clean energy systems and the students did an exceptional job in executing the challenge. It’s vitally important that we continue to promote cyber workforce development to help us defend the energy sector of today, and tomorrow.”

Through this competition, DOE sought to inspire and strengthen the next generation of cybersecurity professionals. Given the high demand for such experts, the CyberForce Competition plays an important role in preparing students for the field’s real-world challenges and demands. For many participants, it’s a steppingstone towards a career in creating a more secure digital world.

See the full press release from the DOE Office of Cybersecurity. To learn more about the DOE CyberForce competition, go to https://cyberforce.energy.gov/cyberforce-competition/.

November 14, 2023

Pathways Playbooks

November 6, 2023

Jessica Gulick — Founder and Commissioner of the US Cyber Games, CEO of the cyber marketing firm Katzcy, and someone who values perseverance over perfection

October 27, 2023

Network Noise Incident Response Workshop: Pasco County

Join Cyber Florida Senior Fellow Stacy Arruda, Founder and CEO of the Arruda Group and former FBI Supervisory Special Agent, for an eye-opening experience that will help you better understand how to prevent and recover from cyberattacks. The event starts with Network Noise, a three-hour tabletop exercise where real-world cyberattack scenarios illustrate the far-reaching effects a cyberattack can inflict on your organization. Bring your leadership team to learn how cyberattacks impact not only IT but also legal, finance, operations, human resources, public relations, and other departments.

Once you understand the threat, move on to preparation with a session on creating a comprehensive cyber incident response plan specific to your organization. You’ll leave equipped with a template and foundational plan you can take back to complete and test with your organization.

This workshop is presented in partnership with the Pasco Sheriff’s Office.


Please register in advance for this event using the form below. The registration deadline is December 10, 2023.

Venue & Directions

Forensic Institute for Research, Security, and Tactics
Innovation Building Classroom
10370 Charles Bo Harrison Way, Land O’ Lakes, FL 34637

October 24, 2023

USSOCOM Innovation Foundry (IF14) Event

SOFWERX, in collaboration with USSOCOM’s Directorate of Science and Technology (S&T) Futures, will host the fourteenth Innovation Foundry (IF14) Event in Tampa, FL. The event intends to bring together Special Operations Forces (SOF), industry, academia, national labs, government, and futurists in a facilitated exploration and design-thinking event to assist USSOCOM in decomposing future scenarios and missions.

Political, social, and technological developments will have an increasing impact on the future of world societies. Organizations, militaries, governments, and entire economies rely on complex digital infrastructures for their operations. The safety and reliability of these information systems are of significant concern to organizations around the world, while malicious actors seek to exploit vulnerabilities to achieve their ends. Because of this, cyber security has been a focus of increasing attention and will be of critical importance in the future operational environment.

The theme of IF14 is SOF Aspects of Cyber Security in 2035. The event seeks to explore the nature of cyber security operations and infrastructure in 2035 and SOF’s role in this environment.

Specific areas of interest include the growth of digital infrastructure for civilian and military systems; the impact of artificial intelligence technologies in the design, implementation, exploitation, and securing of information systems; the impact of innovative communications, networking, and control systems on future cyber infrastructure; advancements of quantum computing and encryption tools; as well as offensive and defensive approaches including prevention, pre-emption, detection, isolation, defeat, and the exploitation of digital vulnerabilities.

The event will be a compelling opportunity for leading minds in industry, academia, labs, and government, as well as subject matter experts (SMEs) to collaborate and ideate with other experts.

October 17, 2023

Red Dragon Rising: China in Cyberspace

As China seeks to advance its economic and military interests and challenge the US’s global leadership and influence, it increasingly turns to cyberspace to conduct malicious and disruptive activities against the US and its allies. China’s aggressive and sophisticated cyber operations include stealing sensitive data, intellectual property, and emerging technologies from various sectors, such as defense, health, education, and infrastructure. Now, China is positioning itself to disrupt or damage US critical infrastructure in the event of a geopolitical crisis or conflict. The government, military, private sector, and academia must cooperate to protect their networks and data from Chinese intrusion. This in-person summit will bring cybersecurity scholars, military and academic researchers, and senior military leaders together for a candid discussion of emerging Chinese threats and strategic response options in cyberspace.

Featuring keynote speaker Dr. Christopher Marsh from National Defense University’s College of International Security Affairs, the event will include two open-to-the-public panel discussions on different aspects of China’s maneuvers in cyberspace and conclude with a networking lunch.

This event is presented in partnership with the University of South Florida Global and National Security Institute as part of a new series titled, Fifth Domain: CYBR, to examine issues of modern cyberwarfare, bringing the work of academic scholars and researchers to the benefit of military leadership to help inform and guide strategic policymaking.

Note: Tickets must be purchased in advance.


October 16, 2023