According to reports, Citrix servers left unpatched against CVE-2019-19781 are being used by hackers to infect entire corporate networks with ransomware. It remains unknown how many hacking groups are currently attacking Citrix servers, but researchers have identified one of them as the REvil ransomware gang, also known as Sodinokibi.
Very tactical preliminary update. It appears an actor is using CVE-2019-19781 for initial access, and other vulnerabilities to pivot into a Windows environment in order to deploy ransomware. If you haven't already begun mitigating, you really need to consider the ramifications.
— Andrew Thompson (@anthomsec) January 23, 2020
Under the Breach’s researchers reported that they examined the files the REvil gang posted online after Gedia.com refused to pay the ransom. They were able to confirm that the files indeed belong to Gedia, and that the attackers accessed them via the Citrix exploit. Rumors suggest that another group infecting these servers may be the Maze ransomware gang, although this has not yet been confirmed. FireEye, however, found that a third group is deploying Ragnarok ransomware. Researchers explained that the hackers are scanning the web for Citrix servers that have not applied mitigations or patches for CVE-2019-19781. The affected products include two older versions of Citrix SD-WAN WANOP, Citrix Gateway, and Citrix ADC (Application Delivery Controller). The flaw was originally found and disclosed in December 2019, and the attacks started two weeks ago, on January 11th, after an exploit was made publicly available. Unfortunately, patches were not available right away, and Citrix recommended several mitigation techniques that server owners could apply for protection. Companies either failed to apply them, or the mitigations did not work, and when the attacks began, numerous ransomware infections succeeded. Citrix finally started publishing patches yesterday, and the patching is reportedly going well. The number of vulnerable servers was estimated at 80,000 in December and 25,000 in mid-January. Two days ago, the number had dropped to 11,000 systems.
I examined the files #REvil posted from https://t.co/3wfGoNUqp4 after they refused to pay the #ransomware.
The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit.
My bet is that all recent targets were accessed via this exploit.
(1/2) pic.twitter.com/tWeUR7I1zj
— Alon Gal (Under the Breach) (@UnderTheBreach) January 24, 2020
🎵 11,704 Citrix servers with CVE-2019-19781 on the net, 11,704 Citrix servers with CVE-2019-19781.
Patch 332 down, Mitigate it around, 11,372 Citrix servers with CVE-2019-19781 on the net… 🎵 https://t.co/KKoUK9EUr6 pic.twitter.com/12L8PHOekV
— Victor Gevers (@0xDUDE) January 23, 2020
Images are courtesy of Twitter, Shutterstock, Pixabay.