Citrix Flaw Exploited by Ransomware Attackers

Reports have emerged of multiple attempts to exploit a Citrix vulnerability, delivering ransomware to enterprise victims including a German car manufacturer.

Citrix began patching the CVE-2019-19781 bug in its Application Delivery Controller (ADC) and Citrix Gateway products last week. If successfully exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

At the time, FireEye warned that attackers were exploiting the flaw to deploy a backdoor, named “NotRobin,” in order to maintain access to exposed systems.

In an update, the security vendor claimed on Friday that it had detected efforts to deploy coin miners and ransomware via exploits for the vulnerability.

It traced attacks on dozens of FireEye customers back to ransomware named “Ragnarok,” which appears to have been created in mid-January. The ransom note demands 1 Bitcoin ($8600) to decrypt one infected machine or five Bitcoin ($43,002) to decrypt all of them.

“FireEye continues to observe multiple actors who are currently seeking to take advantage of CVE-2019-19781. This post outlines one threat actor who is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization,” it concluded.

“Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point.”

As FireEye mentioned, there appear to be multiple groups looking to exploit the Citrix flaw in ransomware attacks.

Researchers took to Twitter to reveal efforts by attackers using the Sodinokibi variant, also known as REvil. Victims include German car parts manufacturer Gedia Automotive Group.

“I examined the files #REvil posted from Gedia after they refused to pay the #ransomware. The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit,” explained @underthebreach. “My bet is that all recent targets were accessed via this exploit.”

The news comes after white hats pointed to a critical unpatched flaw in Pulse Secure VPN products as being behind the Travelex ransomware outage.
