Exploits for the critical vulnerability CVE-2019-19781, found earlier in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), have recently appeared in the public domain. Now it is reported that an unknown hacker is accessing vulnerable Citrix servers and patching them. Recall that, according to experts, this problem threatens 80,000 companies in 158 countries and allows hackers to seize devices.
“In almost all cases, Citrix applications are available on the perimeter of a company’s network, which means they are the most prone to attacks. Thus, the vulnerability allows an external unauthorized attacker not only to gain access to published applications, but also to carry out attacks from the Citrix server on other resources of the victim company’s internal network”, report experts of Positive Technologies.
The bug is so serious that it is considered one of the most dangerous flaws discovered in recent years.
The main problem is that more than a month had passed since the vulnerability was discovered, yet Citrix developers were in no hurry to release a patch. At first, the company limited itself to security recommendations, explaining to customers how to reduce the risk, and the actual fix appeared only on January 19, 2020.
After the exploits were published, attacks on vulnerable Citrix versions intensified, just as expected, since many hackers hope to compromise an important target: a corporate network, a state server, or a government agency.
FireEye experts warned that at least one of the many attackers is working through Tor and exhibits strange behavior: it deploys the NotRobin payload on hacked servers.
“NotRobin has two main goals. First, it serves as a backdoor to a hacked Citrix device. Second, it acts as a kind of antivirus, removing other malware found on the system and thereby preventing other payloads from being left on this host. No additional malware was installed on infected servers besides NotRobin”, say FireEye analysts.
FireEye researchers doubt that some kind of good Samaritan is behind these attacks. In their report, they write that the hacker most likely only collects access to vulnerable devices, “cleans” them, and prepares for the next campaign.
Since, at the same time, the image of Greta Thunberg is helping other hackers penetrate networks, it is unclear what or who is more cynical and dangerous.