Delaware, USA – January 27, 2020 – Last Friday, Citrix released the final updates to address the CVE-2019-19781 vulnerability, but about 10,000 servers worldwide can still be targeted by the attack. In addition, some servers infected with NotRobin malware remain accessible to adversaries even after all updates are installed. “We deeply regret the impact this vulnerability has had on any affected customers, and would like to thank our customers and partners for their patience as our teams worked diligently to develop and test permanent fixes that fully address this vulnerability,” says Fermin J. Serna, Chief Information Security Officer at Citrix. Despite the excellent results of the mitigation measures (the number of vulnerable systems decreased by 92% in less than a month), many organizations remain in attackers’ sights, and their files may be encrypted by one of the ransomware gangs.
The Sodinokibi ransomware gang exploited CVE-2019-19781 to get into the Gedia Automotive Group network, steal information and encrypt data. The company decided not to pay the attackers and to recover the data itself, expecting “weeks or months before its systems were fully up and running.” The cybercriminals reacted immediately by publishing part of the 50 GB of sensitive data stolen, including blueprints and employee and client details.
Another group exploits this vulnerability to deploy Ragnarok ransomware. Researchers at FireEye published a report and indicators of compromise confirming that cybercriminal groups are in a hurry to make a profit before the updates are installed. You can use the Web Application Security Framework rule pack to detect suspicious connections and data exfiltration attempts: https://my.socprime.com/en/integrations/web-application-security-framework
You can also use the community content available on Threat Detection Marketplace to detect exploitation of the vulnerability in logs: Citrix Netscaler Attack CVE-2019-19781 – https://tdm.socprime.com/tdm/info/H34f94kvk9Pg/