2020-01-24

Companies that still run unpatched Citrix servers risk ransomware infecting their networks.

Multiple sources in the infosec community report that hacker groups are using the CVE-2019-19781 vulnerability in Citrix devices to break into corporate networks and then install ransomware.

Confirmed REvil infections

Ransomware infections traced back to hacked Citrix servers have been confirmed by security researchers at FireEye and Under the Breach.

The REvil (Sodinokibi) ransomware gang has been identified as one of the groups attacking Citrix servers to gain a foothold on corporate networks and later install their custom ransomware strain.

“I investigated the files that the REvil gang posted online from Gedia.com after the company refused to pay the ransom demand,” a security researcher from Under the Breach said today.

“The interesting thing I discovered is that they clearly hacked Gedia through the Citrix exploit.”

Image: Under the Breach

Unconfirmed rumors claim that the Maze ransomware gang is also targeting Citrix servers, in the same way as the REvil gang.

Attacking business servers fits perfectly into the modus operandi of the REvil gang. Previously, this same gang exploited vulnerabilities in Pulse Secure VPNs to break into corporate networks and install its ransomware.

Update: After the publication of this article, FireEye also published a blog post describing a third group that used the Citrix bug to infect victims, in this case with the Ragnarok ransomware.

Citrix patches are now widely available

All these attacks occur after hackers have scanned the internet for Citrix devices that are not protected against the CVE-2019-19781 vulnerability.

Vulnerable devices are the Citrix Application Delivery Controller (ADC), Citrix Gateway and two older versions of Citrix SD-WAN WANOP.

The vulnerability was announced in mid-December; attacks over the internet, however, started after January 11, when proof-of-concept exploit code was published online and became widely available to everyone.

Initially, no patches were available for the CVE-2019-19781 vulnerability. Instead, Citrix recommended a series of mitigations that server owners could apply to secure their devices.

These mitigations did not always work, and many companies did not apply them at all. With proof-of-concept code widely available, attacks on Citrix servers have been rampant in recent weeks.

The good news is that Citrix finished publishing patches for all vulnerable versions earlier today, meaning that companies can apply a permanent fix to their servers by updating to the latest version of the Citrix firmware.

Patching is going well

Currently, the patching process seems to be going well. In December the number of vulnerable systems was estimated at 80,000 servers, a number that dropped to around 25,000 in mid-January and stood at around 11,000 as of yesterday.

Earlier this week, Citrix and FireEye also worked together to build a tool that Citrix server owners can run to check whether their devices have already been compromised via the CVE-2019-19781 exploit before applying a patch.

If the threat of a ransomware infection is not enough to scare some companies into applying the Citrix patches for CVE-2019-19781, they should also bear in mind that some criminals are currently hijacking Citrix servers and selling access to the compromised networks on hacking forums, according to an image that a researcher from Under the Breach shared with ZDNet last week.

Image: Under the Breach