Citrix Releases Final Patch as Ransomware Attacks Ramp Up

Citrix released the final permanent fix for the actively exploited CVE-2019-19781 vulnerability, needed to secure all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

“Today, we released the permanent fix for Citrix Application Delivery Controller (ADC) version 10.5 to address the CVE-2019-19781 vulnerability,” Citrix’s CISO Fermin J. Serna says.

“We have now released permanent fixes for all supported versions of ADC, Gateway, and SD-WAN WANOP.”

The fixes are available to all customers “regardless of whether they have an active maintenance contract with Citrix” and can be downloaded for ADC, Gateway, and SD-WAN instances.

Citrix strongly advises all customers to immediately install these permanent fixes to prevent attacks that could allow unauthenticated attackers to execute arbitrary code on unpatched servers.

Vulnerable Citrix appliances under ransomware attack

FireEye researchers recently found that an unknown threat actor is actively scanning for and patching Citrix ADC servers against CVE-2019-19781 exploitation attempts, while also deploying a new malware family dubbed NOTROBIN that drops a backdoor designed to maintain access to the compromised machines.

“FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,” the report says.

In a report published today, FireEye says that after tracking “extensive global exploitation of CVE-2019-19781” since January 10, “recent compromises suggest that this vulnerability is also being exploited to deploy ransomware.”

The fact that unpatched Citrix servers are being used by attackers as stepping stones to ransomware victims’ networks was also confirmed today on Twitter by Under the Breach and FireEye security researcher Andrew Thompson.

There are currently 10,787 vulnerable Citrix servers online according to a public spreadsheet shared by GDI Foundation researcher Victor Gevers, a drastic drop in numbers when compared to the initial 128,777 he was able to discover on December 31, 2019.

Two days ago, Citrix, in collaboration with FireEye, released a free scanner for detecting hacked Citrix ADC appliances. It works by looking for CVE-2019-19781 indicators of compromise.

Proof-of-concept (PoC) exploits for CVE-2019-19781 were made public two days after scans for vulnerable Citrix servers were detected by security researchers on January 8.

Mass scanning for unpatched Citrix appliances is still ongoing, as discovered by security firm Bad Packets yesterday.

Sodinokibi ransomware attacks

Building on FireEye’s disclosure that unpatched Citrix servers are used as initial points of compromise by ransomware gangs, Under the Breach was able to confirm that this tactic was used by the Sodinokibi ransomware operators in at least one such incident.

“I examined the files #REvil posted from after they refused to pay the #ransomware,” Under the Breach said referring to the recent Sodinokibi ransomware attack that hit GEDIA Automotive Group yesterday.

“The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit. My bet is that all recent targets were accessed via this exploit.”

The City of Potsdam also announced that it had to sever the administration servers’ Internet connection after a cyberattack earlier this week.

While the City of Potsdam's updates did not mention the method the attackers used to infiltrate the city’s network, vulnerable Citrix ADC servers were discovered on the administration’s network by German journalist Hanno Böck.

Böck said that the servers weren’t protected using mitigation measures or permanent fixes provided by Citrix.

Although there is no official statement tying the City of Potsdam cyberattack to a ransomware attack, all the signs suggest that this might be the case.
