Companies still running unpatched Citrix servers are in danger of having their networks infected with ransomware.
Multiple sources in the infosec community are reporting that hacker groups are using the CVE-2019-19781 vulnerability in Citrix appliances to breach corporate networks and then install ransomware.
Confirmed REvil infections
Ransomware infections traced back to hacked Citrix servers have been confirmed by security researchers at FireEye and Under the Breach.
The REvil (Sodinokibi) ransomware gang has been identified as one of the groups attacking Citrix servers to gain a foothold on corporate networks and later install their custom ransomware strain.
"I examined the files the REvil gang posted online from Gedia.com after the company refused to pay the ransom demand," security researchers from Under the Breach said today.
"The interesting thing I discovered is that they obviously hacked Gedia via the Citrix exploit."
Unconfirmed rumors claim the Maze ransomware gang is also targeting Citrix servers, similar to the REvil gang.
However, attacking corporate servers fits perfectly with the modus operandi of the REvil gang. Previously, this same gang also exploited vulnerabilities in Pulse Secure VPNs to breach corporate networks and install its ransomware.
Update: After this article's publication, FireEye also published a blog post detailing a third group using the Citrix bug to infect victims, but with the Ragnarok ransomware.
Citrix patches are now broadly available
All these attacks are taking place after hackers scan the internet for Citrix appliances that have not been secured against the CVE-2019-19781 vulnerability.
Vulnerable devices include the Citrix Application Delivery Controller (ADC), Citrix Gateway, and two older versions of Citrix SD-WAN WANOP.
Earlier this week, Citrix and FireEye also collaborated to build a tool that Citrix server owners can run to see if their appliances have been hacked with the CVE-2019-19781 exploit, before applying a patch.
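The check described above looks for traces of compromise on the appliance itself. A complementary, lower-effort check defenders can do while waiting to patch is to review the appliance's web access logs for exploitation attempts. The following is an added example, not the Citrix/FireEye tool and not code from the article. Its detection rule mirrors Citrix's published interim mitigation for CVE-2019-19781, which matched requests whose URL contains "/vpns/" together with "/../"; the Apache-style log lines, IP addresses and file names are constructed sample data, and a real deployment would read the appliance's actual access log instead.

```python
"""Flag CVE-2019-19781 path-traversal probes in Citrix ADC / Gateway access logs.

Added example for log review; not the Citrix/FireEye scanner.
The rule mirrors Citrix's public interim mitigation for the CVE: a request whose
URL contains "/vpns/" together with "/../" is treated as an exploitation attempt.
Everything in SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jan/2020:03:15:42 +0000] "GET /vpn/../vpns/cfg/sample.conf HTTP/1.1" 200 1017 "-" "curl/7.64.0"
198.51.100.23 - - [11/Jan/2020:03:15:43 +0000] "GET /vpn/%2e%2e/vpns/portal/sample.xml HTTP/1.1" 404 0 "-" "curl/7.64.0"
192.0.2.77 - - [11/Jan/2020:03:16:10 +0000] "GET /vpn/%252e%252e/vpns/portal/sample.xml HTTP/1.1" 404 0 "-" "python-requests/2.22"
203.0.113.10 - - [11/Jan/2020:03:17:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jan/2020:03:18:30 +0000] "GET /vpns/portal/sample.xml HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "METHOD path HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both become '..'.

    Backslashes are treated as separators and the result is lower-cased so that
    trivial encoding tricks do not evade the substring checks below.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def is_cve_2019_19781_probe(raw_path: str) -> bool:
    """True when the request path reaches /vpns/ through a '..' traversal segment."""
    p = normalize_path(raw_path)
    return "/vpns/" in p and "/../" in p


def parse_access_log_line(line: str):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str):
    """Return the parsed records of every line that matches the traversal rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_access_log_line(line)
        if rec and is_cve_2019_19781_probe(rec["path"]):
            rec["decoded_path"] = normalize_path(rec["path"])
            findings.append(rec)
    return findings


def hits_by_ip(findings):
    """Count flagged requests per source IP, to prioritise which hosts to investigate."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} -> {f['status']} ({f['decoded_path']})")
    print("flagged requests per IP:", hits_by_ip(hits))
```

A hit with a 200 status (as in the second sample line) deserves more attention than a 404, because it suggests the traversal actually reached a file; a plain `/vpns/` request without `..` is normal traffic from an established VPN session and is deliberately not flagged, since the access log alone cannot tell whether the client held a session. Any flagged host should then be checked with the Citrix/FireEye tool described above before the patch is applied.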
If the threat of getting infected with ransomware is not enough to scare some companies into applying the Citrix patches for CVE-2019-19781, then companies should also be aware that some criminals are currently hijacking Citrix servers and selling access to their networks on hacking forums, according to an image researchers from Under the Breach shared with ZDNet last week.