Attackers locking down access to compromised systems, security vendors warn

UPDATED Citrix has released its first patches to defend against an already widely exploited security vulnerability, promising to release the rest ahead of schedule and before the end of the week.

The CVE-2019-19781 (AKA ‘Shitrix’) flaw – which affects Citrix Application Delivery Controller (ADC) and Gateway products – surfaced in mid-December.

Citrix initially responded by offering only advice on how to mitigate the vulnerability rather than making patches available.

Scanning for vulnerable systems began on January 8, followed days later by the development of public exploits.

This prompted Citrix to promise patches on all supported versions of the vulnerable software before the end of January, as previously reported.

Patches for versions 11.1 and 12.0 of Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, were released on Monday with the rest due by January 24 – a week ahead of schedule.

Easy as ADC

Exploitation of the vulnerability is already widespread, and the fix may have come too late for some organizations, particularly those that, for whatever reason, have not yet applied any of the mitigations.

One group of attackers is apparently locking down vulnerable Citrix servers in order to maintain exclusive access to compromised systems, using custom code dubbed ‘NOTROBIN’.

“Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts,” security vendor FireEye reports.

“NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,” it warns.

Last week, independent security researcher Troy Mursch found that around 25,000 Citrix servers remain vulnerable at organizations ranging from government to hospitals and financial services firms.

Fox-IT’s recommendations (PDF) provide updated advice on remediating the vulnerability, as the attacks exploiting it grow in seriousness.

For example, threat response firm eSentire reports that the pattern of attacks exploiting the vulnerability has changed from opportunistic attempts to hijack vulnerable systems in order to run cryptocurrency mining towards more sophisticated attacks geared towards data exfiltration.

UPDATE (Nov 24; 09:30) Citrix has teamed up with FireEye to develop and release a tool that looks for signs of attack arising from attempts to exploit the CVE-2019-19781 vulnerability. The free scanning tool, released on Wednesday, is designed to help organizations identify compromised systems.

Christopher Glyer, chief security architect at FireEye, explained: “The tool looks for both specific indicators of malware… as well as methodology indicators that should generically identify compromise.”
