Cybersecurity Threat Advisory 001-20: Vulnerability in Two Citrix Devices (Updated Jan 30th 2020)
Threat actors are now exploiting this vulnerability to deploy ransomware on customers networks. Citrix has provided a patch for this vulnerability and SKOUT has seen successful exploitation of the vulnerability. Patching is not enough, researchers have found that threat actors have put in backdoors to ensure they have access after the appliance has been updated.
A vulnerability was been discovered in two Citrix Devices: Citrix Application Delivery Controller (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway). The vulnerability can allow for hackers to gain unauthorized access to a company’s local network.
Technical detail and additional information
What is the threat?
A vulnerability found in Citrix ADC and Gateways can allow attackers to directly access companies local network without the need of any access to accounts via a Citrix Server. Citrix products are generally used for connecting to applications, workstations and critical devices such as severs via remote access from a multitude of devices. If exploited, attackers can also launch denial of service or phishing attacks as well as download malware or launch cryptocurrency mining software on affected networks.
Why is this noteworthy?
This vulnerability is very noteworthy due to the widespread use of Citrix in corporate networks. Successfully exploited networks risk access and control to not only published applications, but also to devices on the internal network accessible from a vulnerable Citrix server. SKOUT Cybersecurity has seen multiple attempts to exploit this vulnerability across assets of monitored customers by updating threat feeds and Indicators of Compromise (IOCs) and has alerted affected customers if potential compromise was indicated with successful attacks seen in the world by other security researchers and organizations.
What is the exposure or risk?
Exploitation of the Citrix Vulnerability can allow attackers to have direct access to a company’s local network thus allowing them to view sensitive information such as the company’s credentials. Additionally, there have been at least three threat actor groups who have utilized these vulnerabilities to deploy different variants of ransomware onto exploited corporate networks. Attempts to exploit these vulnerabilities are widespread and any companies that have not patched yet should do so immediately to avoid potential compromise as attacks are continuously being seen with the number of successful attacks dropping as companies are patching their systems. In December, it was estimated over 80,000 systems were vulnerable, but as of all patches being released January 24th, the estimated number of unpatched systems dropped to 11,000.
What are the recommendations?
All affected devices have official patches or fixes available as of January 24th, 2020. It is strongly advised to apply all patches as soon as possible to avoid any further risk of exploitation. We also recommend contacting Citrix to ensure that the appliance has not been exploited already as researchers have found threat actors putting backdoors post exploitation. Upgrades and support are available to all businesses affected regardless of whether a maintenance contract with Citrix exists or not. Additional support is available through guides or by contact Citrix’s Support Center at https://www.citrix.com/support/.
For more in-depth information about the recommendations, please visit the following links: