Citrix over the last six days has been releasing firmware updates to fix CVE-2019-19781, a critical remote code execution vulnerability in its Citrix Application Delivery Controller, Citrix Gateway and SD-WAN WANOP products, which cybercriminals have actively exploited in an attempt to deliver ransomware, backdoors and coin miners.
The Fort Lauderdale, Fla.-based software company has now patched versions 11.1, 12.0, 12.1 and 13.0 of Citrix ADC and Citrix Gateway (formerly branded as NetScaler ADC and NetScaler Gateway), and expects to issue a fix for version 10.5 today.
Citrix also has issued releases 10.2.6 and 11.0.3 to repair the SD-WAN WANOP WAN Optimization solution, which comes with Citrix ADC packaged and was therefore also affected by the bug. These fixes apply to the SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO platforms. (All other SD-WAN PE and SD-WAN SE platforms are not impacted by the vulnerability.)
Citrix has also issued a pair of helpful tools for its users, one that ensures the patch has been successfully applied and another that organizations can run on their Citrix instances to detect any indicators of compromise.
Citrix first publicly disclosed CVE-2019-17981 last Dec. 17 and recommended a series of temporary mitigations. But with fixes currently available, applying the patches is essential, considering that attackers are exploiting vulnerable Citrix servers.
Case in point: a cybercriminal gang responsible for infecting organizations with Sodinokibi (aka REvil) ransomware-as-a-service is claiming it has perpetrated an attack against German automobile manufacturer GEDIA Automotive Group. According to a report from ComputerWeekly, the group threatened on a Russian hacking forum to dox 50GB of sensitive data that was exfiltrated from GEDIA, unless it was paid its ransom demand within seven days. To back up its claims, the group reportedly posted files containing scans of the manufacturer’s Microsoft Active Directory.
A security researcher with Under the Breach tweeted yesterday that an analysis of the doxxed files indicates that GEDIA was compromised via the Citrix vulnerability, which some in the cyber research community has named Sh*trix. (Sodinokibi actors have also recently been using unpatched PulseSecure VPN servers as an attack vector.)
“I examined the files REvil posted from http://Gedia.com…” the tweet states. “…[T]hey obviously hacked Gedia via the Citrix exploit. My bet is that all recent targets were accessed via this exploit. It just goes to show how much impact a single exploit could have. Other files included invoices, data structures and a complete dump of the servers passwords. GDPR will go hard on these guys and this is exactly what REvil wants, the incentive to ransomware is truly alive!”
ComputerWeekly further reported that GEDIA had posted a notification on its website announcing that it was attacked by Eastern European actors, but later took the message down. “A massive cyberatack was carried out on the headquarters of the GEDIA Automotive Group in Attendorn, at the beginning of this week. After discovery and investigation, an immediate system shutdown was decided by the management. This action was taken to prevent a complete breakdown of the IT infrastructure,” the statement reportedly read.
GEDIA warned that the disrupted has “far reaching consequences for the entire GEDIA group because all locations are connected to the central IT structure,” and warned that it would take “weeks to months until full functional processes are completely restored.”
In the meantime, the GEDIA’s critical systems are still operating, and the company has enacted an emergency plan to continue production material supply and the processing of deliveries. Affected employees are now working with flextime hours.
SC Media has reached out to GEDIA for comment.
FireEye over the last week-and-a-half has issued two reports detailing attempted Sh*trix exploit activity. Just today, researchers Matt Bromiley, Christopher Glyer and Andrew Thompson reported that a ransomware actor was recently observed attempting to abuse CVE-2019-19781 in order to infect organizations with a ransomware called Ragnarok (the malicious encryption program was also detected by G DATA malware analyst Karsten Hahn).
A previous report posted on Jan. 16 described another actor’s campaign to use CVE-2019-19781 to compromise targets and infect the with a newly discovered backdoor program named NOTROBIN. Oddly the actors first used their unauthorized access to clear up any other malware infections and block any other adversaries from exploiting the same vulnerability. But their actions were not entirely altruistic: they still maintained their own backdoor that can be used at a later time if a secret passphrase is entered.