A hacker is patching Citrix servers to maintain exclusive access

FireEye believes this is a bad guy hoarding Citrix servers, rather than a good-guy vigilante looking out for organizations.
Written by Catalin Cimpanu, Contributor

Attacks on Citrix appliances have intensified this week, and multiple threat actors have now joined in and are launching attacks in the hopes of compromising a high-value target, such as a corporate network, government server, or public institution.

In a report published today, FireEye says that among all the attack noise it's been keeping an eye on for the past week, it spotted one attacker that stuck out like a sore thumb.

This particular threat actor was attacking Citrix servers from behind a Tor node, and deploying a new payload the FireEye team named NotRobin.

FireEye says NotRobin had a dual purpose. First, it served as a backdoor into the breached Citrix appliance. Second, it worked similar to an antivirus by removing other malware found on the device and preventing other attackers from dropping new payloads on the vulnerable Citrix host.

It is unclear if the NotRobin attacker is a good guy or a bad guy, as there was no additional malware deployed on the compromised Citrix systems beyond the NotRobin payload.

However, FireEye experts are leaning toward the bad guy classification. In their report, they say they believe this actor may be "quietly collecting access to NetScaler devices for a subsequent campaign."

The Citrix bug and the patching fiasco

All the recent attacks against Citrix servers are exploiting CVE-2019-19781, a vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway.

The CVE-2019-19781 vulnerability is one of today's most attacked security flaws, for three reasons.

First, the Citrix ADC and Citrix Gateway appliances are very popular in the enterprise sector, and provide attackers with a giant attack surface to go after. Second, the vulnerability is easy to exploit and requires very little technical skills. Third, proof-of-concept exploit code was published over the last weekend, which has lowered the entry bar for even more hacking groups.

Ever since the weekend, scans for vulnerable Citrix appliances, along with active exploitation attempts have gone through the roof.

Dutch government: Turn off Citrix systems until a patch is ready

For its part, Citrix dropped the ball big time when it came to handling this security flaw.

The company was notified of the issue last year, but by December, when Positive Technologies disclosed details about the bug on their blog, Citrix was caught with its pants down, without a patch ready for its customers.

Instead, Citrix published mitigation advice that Citrix appliance owners could apply and secure their servers. Unfortunately, this mitigation advice did not work as intended for all Citrix versions, some of which remained vulnerable to attacks.

Yesterday, the Dutch national cyber-security agency (NCSC) began advising companies and government agencies that run Citrix ADC or NetScaler Gateway servers to turn off systems until an official patch was ready, citing the "uncertainty about the effectiveness of the mitigation measures."

The Dutch NCSC may be a little sensitive on the Citrix issue as there have been at least two major security incidents in the country caused by hacked Citrix systems, one at the Ziekenhuis Leeuwarden hospital, and another on the network of the city of Zutphen. In both cases, the victims had to shut down their entire network for days to deal with the intrusion.

When ZDNet reached out Citrix for comment yesterday about the NCSC recommendation, Citrix stood by its mitigations.

"The mitigations we published cover all supported versions of our software and contain detailed steps designed to stop a potential attack across all known scenarios. But all steps must be followed," Citrix Chief Information Security Officer Fermin Serna told ZDNet.

"We continue to recommend that our customers apply the mitigation immediately - and the permanent fixes when they become available."

Citrix is expected to release patches for the CVE-2019-19781 vulnerability by the end of this month. In the meantime, Citrix appliance owners can either apply to Citrix temporary mitigations, or take the NCSC advice and shut down appliances until a permanent fix is ready.

17 ways the Internet of Things can go horribly wrong

Editorial standards