Patch your Citrix servers before hackers install a backdoor


According to network security experts, attacks against Citrix deployments have grown considerably over the past few weeks, with corporate networks of major companies and Government institutions as hackers’ primary targets.

In this regard, a report recently published by FireEye mentions that, among all the disorder caused by this issue, the activity of a hacker with great capabilities stands out. Apparently, this threat actor has been attacking multiple Citrix servers from a Tor node using a payload tracked as “NotRobin”.

FireEye network security specialists mention
that NotRobin has a dual function: first, this payload acts as a backdoor
in compromised Citrix solutions. Subsequently, it adopts a function similar to
that of an antivirus, eliminating any other malware sample detected on the
attacked system to prevent any other payload from being delivered.

Researchers still have many doubts about the intentions
of NotRobin operator, because after the infection is completed, not a single
additional malware payload is delivered. However, FireEye believes that,
although this actor is removing other malware variants from vulnerable systems,
they are most likely accumulating access to vulnerable devices for a second
stage of attack.

As recently reported, attacks against Citrix
solutions have focused on exploiting CVE-2019-19781, a vulnerability in Citrix
ADC, also known as Citrix NetScaler ADC or NetScaler Gateway. According to
network security experts, there are at least three factors whereby this flaw is
the most exploited today:

  • Extensive
    use of Citrix ADC and Citrix Gateway in enterprise environments, representing a
    large area of attack for threat actors
  • The
    ease with which the flaw is exploited, as no advanced hacking skills are
  • The
    proof-of-concept code for this vulnerability was publicly disclosed a few days
    ago, so multiple hacker groups have been attacking various systems

Researchers at the International Institute of Cyber
Security (IICS) believe that the company made some mistakes that contributed to
the current state of the flaw. After receiving the vulnerability report a few
months ago, the company began working on a fix. However, technical details
about the vulnerability were leaked before Citrix had the update ready, so
thousands of system administrators were exposed to exploitation.

Source link