Citrix released the final permanent fix for the actively exploited CVE-2019-19781 vulnerability, needed to secure all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.
"Today, we released the permanent fix for Citrix Application Delivery Controller (ADC) version 10.5 to address the CVE-2019-19781 vulnerability," Citrix's CISO Fermin J. Serna says.
"We have now released permanent fixes for all supported versions of ADC, Gateway, and SD-WAN WANOP."
The fixes are available to all customers "regardless of whether they have an active maintenance contract with Citrix" and can be downloaded for ADC, Gateway, and SD-WAN instances.
Citrix strongly advises all customers to immediately install these permanent fixes to prevent attacks that could allow unauthenticated attackers to execute arbitrary code on unpatched servers.
Today, we released the permanent fix for #CitrixADC version 10.5 to address the #CVE201919781 vulnerability. We have now released permanent fixes for all supported versions of ADC, Gateway, and SD-WAN WANOP. These fixes are available to download now. https://t.co/7E8XeVchpF
— Citrix (@citrix) January 24, 2020
Vulnerable Citrix appliances under ransomware attack
FireEye researchers recently found that an unknown threat actor is actively scanning for and patching Citrix ADC servers against CVE-2019-19781 exploitation attempts, while also deploying a new malware family dubbed NOTROBIN that drops a backdoor designed to maintain access to the compromised machines.
"FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign," the report says.
In a report published today, FireEye says that after tracking "extensive global exploitation of CVE-2019-19781" since January 10, "recent compromises suggest that this vulnerability is also being exploited to deploy ransomware."
The threat actor observed by the researchers dropped a malicious binary with a January 16 timestamp that "may have been attempting to deploy ransomware aptly named ‘Ragnarok’."
This was confirmed by G DATA malware analyst Karsten Hahn in a tweet describing a malware sample found on VirusTotal and related to a Ragnarok infection.
The fact that unpatched Citrix servers are being used by attackers as stepping stones to ransomware victims' networks was also confirmed today on Twitter by Under the Breach and FireEye security researcher Andrew Thompson.
Very tactical preliminary update. It appears an actor is using CVE-2019-19781 for initial access, and other vulnerabilities to pivot into a Windows environment in order to deploy ransomware. If you haven't already begun mitigating, you really need to consider the ramifications.
— Andrew Thompson (@QW5kcmV3) January 23, 2020
There are currently 10,787 vulnerable Citrix servers online according to a public spreadsheet shared by GDI Foundation researcher Victor Gevers, a drastic drop in numbers when compared to the initial 128,777 he was able to discover on December 31, 2019.
Two days ago, Citrix released a free scanner for detecting hacked Citrix ADC appliances in collaboration with FireEye which works by looking for CVE-2019-19781 indicators of compromise.
Proof-of-concept (PoC) exploits for CVE-2019-19781 were made public two days after scans for vulnerable Citrix servers were detected by security researchers on January 8.
Mass scanning for unpatched Citrix appliances is still ongoing as discovered by security firm Bad Packets yesterday.
Sodinokibi ransomware attacks
Building on FireEye's disclosure that unpatched Citrix servers are used as initial points of compromise by ransomware gangs, Under the Breach was able to confirm that this tactic was used by the Sodinokibi ransomware operators in at least one such incident.
"I examined the files #REvil posted from http://Gedia.com after they refused to pay the #ransomware," Under the Breach said referring to the recent Sodinokibi ransomware attack that hit GEDIA Automotive Group yesterday.
"The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit. My bet is that all recent targets were accessed via this exploit."
I examined the files #REvil posted from https://t.co/3wfGoNUqp4 after they refused to pay the #ransomware.
— Under the Breach (@underthebreach) January 24, 2020
the interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit
my bet is that all recent targets were accessed via this exploit.
(1/2) pic.twitter.com/tWeUR7I1zj
The City of Potsdam also announced that it has to sever the administration servers' Internet connection after a cyberattack from earlier this week.
While the City of Potsdam updates did not mention what was the method used by the attackers to infiltrate the city's network, vulnerable Citrix ADC servers were discovered by German journalist Hanno Böckon on the administration's network.
Böck said that the servers weren't protected using mitigation measures or permanent fixes provided by Citrix.
Although there is no official statement tying the City of Potsdam cyberattack to a ransomware attack, all the signs suggest that this might be the case.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now