0-day And Hitlist Week -02-21-2024- Access
Going into the third week of February 2024, the industry hitlist evolved. While Log4j remains a background hum, the active "must-patch-now" list changed drastically.
Citrix Bleed refused to die. During the week of February 21, 2024, threat actors shifted from session hijacking to session token replay against federated identity providers.
| Phase | Action | Tool/Method |
|-------|--------|-------------|
| Detect | Scan for hits on exported hitlist IPs | Shodan, Censys, internal asset DB |
| Block | Null route hitlist IPs at perimeter | Firewall ACL, BGP blackhole |
| Investigate | Check if any internal system matches hitlist software versions | Qualys, Rapid7, custom PowerShell |
| Remediate | If compromised → offline, reimage | Forensics image first, then wipe |
| Report | Share anonymized hitlist hits with ISAC | Email threat intel team |
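The Detect, Block, Investigate and Report phases of the table, worked through as an added example (this is not code from the original page): a small Python script that cross-references a hitlist export against an internal asset inventory and a perimeter log, emits null-route lines for the hits, and hashes hostnames before they leave for the ISAC. All hitlist values, product names, "first fixed" versions, inventory rows and the Cisco-IOS-style null-route syntax are constructed assumptions.

```python
"""Cross-reference a hitlist export against internal inventory and perimeter logs."""
import hashlib
import ipaddress

# Constructed hitlist export (documentation ranges, not real indicators).
HITLIST_IPS = ["198.51.100.0/24", "203.0.113.7"]
# Constructed product -> first fixed version; anything lower is flagged.
HITLIST_SOFTWARE = {"edge-gateway": (14, 1, 8), "app-logging-lib": (2, 17, 1)}

# Constructed asset inventory rows: (hostname, ip, product, version).
ASSETS = [
    ("vpn-gw-01", "10.0.0.5", "edge-gateway", "13.1.48"),
    ("app-07", "10.0.4.12", "app-logging-lib", "2.17.1"),
    ("build-02", "10.0.9.9", "app-logging-lib", "2.14.0"),
]
# Constructed perimeter log: source IPs seen hitting the edge this week.
PERIMETER_HITS = ["203.0.113.7", "198.51.100.200", "192.0.2.1"]


def parse_version(v: str) -> tuple:
    """Dotted version string -> comparable tuple (assumes plain numeric parts)."""
    return tuple(int(p) for p in v.split("."))


def ip_hits(seen_ips, hitlist=HITLIST_IPS):
    """Detect: observed source IPs that fall inside any hitlist network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in hitlist]
    return sorted(ip for ip in seen_ips
                  if any(ipaddress.ip_address(ip) in net for net in nets))


def vulnerable_assets(assets=ASSETS, software=HITLIST_SOFTWARE):
    """Investigate: hostnames running a flagged product below its fixed version."""
    return [host for host, _ip, product, version in assets
            if product in software and parse_version(version) < software[product]]


def block_rules(ips):
    """Block: null-route lines for hit IPs (Cisco-IOS-style syntax, an assumption)."""
    return [f"ip route {ip} 255.255.255.255 Null0" for ip in ips]


def anonymized_report(hostnames, salt="isac-2024-02"):
    """Report: salted SHA-256 prefixes so the ISAC sees hits, not internal hostnames."""
    return [hashlib.sha256((salt + h).encode()).hexdigest()[:16] for h in hostnames]


if __name__ == "__main__":
    print("hitlist IPs seen:", ip_hits(PERIMETER_HITS))
    print("block rules:", block_rules(ip_hits(PERIMETER_HITS)))
    print("vulnerable assets:", vulnerable_assets())
    print("ISAC report:", anonymized_report(vulnerable_assets()))
```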