Patch your Citrix servers before hackers install a patch that works as a backdoor

According to network security experts, attacks against Citrix deployments have grown considerably over the past few weeks, with the corporate networks of major companies and government institutions as the hackers' primary targets.

In this regard, a report recently published by FireEye notes that, amid all the turmoil caused by this issue, the activity of one highly capable threat actor stands out. Apparently, this actor has been attacking multiple Citrix servers from a Tor exit node using a payload tracked as "NotRobin".

FireEye network security specialists explain that NotRobin has a dual function: first, the payload acts as a backdoor on compromised Citrix appliances. Second, it behaves somewhat like an antivirus, removing any other malware sample it detects on the attacked system so that no competing payload can be delivered.

Researchers still have many questions about the intentions of the NotRobin operator, because once the infection is complete, not a single additional malware payload is delivered. However, FireEye believes that, although this actor is removing other malware variants from vulnerable systems, they are most likely accumulating access to vulnerable devices for a second stage of attack.

As recently reported, attacks against Citrix solutions have focused on exploiting CVE-2019-19781, a vulnerability in Citrix ADC, also known as Citrix NetScaler ADC or NetScaler Gateway. According to network security experts, there are at least three reasons why this flaw is currently the most exploited:

  • The widespread use of Citrix ADC and Citrix Gateway in enterprise environments, which gives threat actors a large attack surface
  • The ease with which the flaw is exploited, as no advanced hacking skills are required
  • The public disclosure of proof-of-concept code for this vulnerability a few days ago, after which multiple hacker groups began attacking various systems

Researchers at the International Institute of Cyber Security (IICS) believe that Citrix made some mistakes that contributed to the current state of the flaw. After receiving the vulnerability report a few months ago, the company began working on a fix. However, technical details about the vulnerability were leaked before Citrix had the update ready, leaving thousands of system administrators exposed to exploitation.