Citrix Systems Remain Vulnerable Despite Patching Attempts
A Citrix vulnerability first discovered on December 17, 2019 continues to be exploited by ransomware attackers despite Citrix's patching attempts. The vulnerability allows unauthenticated attackers to remotely access a company's local network and run code through that connection. Since its public disclosure it has been exploited numerous times: in total, over 550,000 attacks have been recorded from over 42 different countries, and over 82% of them, 455,000 in total, originate from Russia. A successfully compromised system allows an unauthorized actor to perform arbitrary code execution, continuing a trend seen through December and January of remote actors gaining the ability to execute arbitrary code.
Source: Citrix.com, Accessed January 2, 2020
The goal of attackers using the Citrix vulnerability is to implant coin miners, malware, or ransomware on systems. Even more concerning, the malware, NotRobin, maintains backdoors that allow unfettered access to the compromised devices. Combined with a ransomware called Ragnarök, which demands 1 bitcoin (equivalent to $8,600), the results can be devastating. Failure to pay could result in the deletion of the held data or its public distribution. Ragnarök can also be directed to move laterally across the network to other connected machines, increasing the harm of the vulnerability exponentially with each device connected to the network.
Citrix has released what it calls a permanent fix for the vulnerability and is encouraging all Citrix users to download the patch. However, a device no longer being vulnerable does not mean it has not already been compromised: because of the backdoor, attackers can still access your systems even with the Citrix patch installed. As Craig Young, a computer security researcher for Tripwire Inc., said, “I fully expect that in the coming months we will learn about several organizations who were hacked last week but currently do not realize this.” The full extent of this vulnerability remains to be seen. Attackers typically use it to spread as far across the network as they can before stealing data or launching a ransomware attack.
Our Take
Any business currently using Citrix should immediately update its systems to the latest patch. Even if you are sure that your business has not yet been infiltrated by Ragnarök or any other malicious software, it is always better to remediate your vulnerabilities. Even if a backdoor has already been installed, patching will prevent new incursions through the vulnerability itself. This is pertinent because attackers are actively looking for Citrix systems to exploit, so even if you have not yet come under attack, it is highly likely that you will be in the future.
Companies will need to be vigilant for any suspicious activity over the next couple of months, and anything that seems suspicious should be examined. The Dutch National Cybersecurity Centre even recommends that companies turn off Citrix until the problem is resolved. If you are unable to turn off Citrix for functional reasons, there are other mitigation options. Because there is no perfect solution for the vulnerabilities within Citrix, it may be better to simply whitelist known IP addresses, limiting the potential exposure. Additionally, placing Citrix behind a firewall will allow you to filter access to the application, making it difficult for an attacker to navigate through your local network.
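As an added example (not from the original article, and not Citrix's own tooling), one way to act on the whitelisting and monitoring advice above: review gateway access logs against a list of known source ranges and surface every request from outside that list for investigation. The allowlist ranges, the log lines and the request paths are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Source ranges permitted to reach the Citrix gateway (hypothetical, for illustration only).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # branch office (constructed)
    ipaddress.ip_network("198.51.100.0/24"),  # partner VPN concentrator (constructed)
]

# Constructed gateway access-log lines (common-log style: source IP, timestamp, request, status).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:08:01:12 +0000] "GET /logon/index.html HTTP/1.1" 200
198.51.100.7 - - [10/Jan/2020:08:02:45 +0000] "POST /cgi/login HTTP/1.1" 200
192.0.2.55 - - [10/Jan/2020:08:03:01 +0000] "GET /logon/index.html HTTP/1.1" 200
192.0.2.55 - - [10/Jan/2020:08:03:02 +0000] "POST /cgi/login HTTP/1.1" 403
192.0.2.99 - - [10/Jan/2020:08:05:30 +0000] "GET /logon/index.html HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def is_allowed(source: str) -> bool:
    """True if the source falls inside an allowlisted network.
    Anything that is not a valid IP address (hostname, garbage) counts as NOT allowed,
    so a malformed field can never slip through as permitted."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)

def review_access_log(log_text: str) -> dict:
    """Return {"allowed": int, "denied": Counter, "unparsed": int}.
    'denied' maps each source IP outside the allowlist to its request count;
    that is the list an operator should review first."""
    allowed, unparsed = 0, 0
    denied: Counter = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            unparsed += 1  # line in an unexpected format: count it rather than silently drop it
            continue
        if is_allowed(match.group("ip")):
            allowed += 1
        else:
            denied[match.group("ip")] += 1
    return {"allowed": allowed, "denied": denied, "unparsed": unparsed}
```

Running review_access_log(SAMPLE_LOG) reports two allowlisted requests and flags 192.0.2.55 (two requests) and 192.0.2.99 (one request) for review.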