Citrix Flaw Exploited by Ransomware Attackers

Reports have emerged of multiple attempts to exploit a Citrix vulnerability, delivering ransomware to enterprise victims including a German car manufacturer.

Citrix began patching the CVE-2019-19781 bug in its Application Delivery Controller (ADC) and Citrix Gateway products last week. If successfully exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

At the time, FireEye warned that attackers were exploiting the flaw to deploy a backdoor, named “NotRobin,” in order to maintain access to exposed systems.

In an update, the security vendor claimed on Friday that it had detected efforts to deploy coin miners and ransomware via exploits for the vulnerability.

It traced attacks on dozens of FireEye customers back to ransomware named “Ragnarok,” which appears to have been created in mid-January. The ransom note demands 1 Bitcoin ($8600) to decrypt one infected machine or five ($43,002) for all.

“FireEye continues to observe multiple actors who are currently seeking to take advantage of CVE-2019-19781. This post outlines one threat actor who is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization,” it concluded.

“Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point.”

As FireEye mentioned, there appear to be multiple groups looking to exploit the Citrix flaw in ransomware attacks.

Researchers took to Twitter to reveal efforts by attackers using the Sodinokibi variant, also known as REvil. Victims include German car parts manufacturer Gedia Automotive Group.

“I examined the files #REvil posted from Gedia after they refused to pay the #ransomware. The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit,” explained @underthebreach. “My bet is that all recent targets were accessed via this exploit.”

The news comes after white hats pointed to a critical unpatched flaw in Pulse Secure VPN products as being behind the Travelex ransomware outage.

What’s Hot on Infosecurity Magazine?