
DHS CISA Warns Hackers Exploiting Unpatched Citrix Servers

Days after Citrix issued final patches for severe vulnerabilities in some of its servers, DHS CISA is warning organizations that hackers are targeting, exploiting organizations that failed to patch the flaw.


By Jessica Davis

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is warning organizations that hackers have successfully compromised numerous systems of those continuing to operate certain vulnerable, unpatched Citrix servers.

In mid-January, DHS urged all sectors to secure vulnerabilities in the Application Delivery Controller and Gateway of all supported Citrix product versions and platforms, including the NetScaler Gateway 12.1, 12.0, 11.1, and 10.5 versions.

The vulnerability could be used to launch malicious code on vulnerable systems or proliferate to other connected devices on victims’ networks. Earlier, researchers warned the flaw could give hackers access to the networks of more than 80,000 companies in over 156 countries, with US organizations facing the greatest risk.

There were no patches for CVE-2019-19781 when it was first announced, but IT security leaders were urged to apply configuration changes, centered on responder priorities, through the command line and management interfaces.

Citrix soon began rolling out firmware patches with the final fix released on January 31.

Researchers soon began warning organizations that hackers were scanning for the vulnerable ports. With the latest DHS alert, it’s confirmed that hackers have been able to successfully compromise multiple networks.

“Though mitigations were released on the same day Citrix announced CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be targeted once exploit code began circulating on the internet a few weeks later,” DHS officials wrote.

“Compromised systems cannot be remediated by applying software patches that were released to fix the vulnerability,” they continued. “Once CNE actors establish a foothold on an affected device, their presence remains even though the original attack vector has been closed.”

The alert contains details on the tools and techniques organizations can use to determine whether they have been compromised through the Citrix flaw.

The methods center on HTTP access and error log review, where IT leaders can search for the Uniform Resource Identifiers used by the released proof-of-concept exploit. The IT team can also analyze running processes, review the additional logs under /var/log, and check for the presence of the NOTROBIN bash script associated with the exploit code.

Evidence of compromise can also be found in the crontab and the existence of unusual files. The alert also recommends organizations review the Snort rules outlined by FireEye researchers, which should be “tuned for the environment and restricted to the IP addresses of the Citrix server(s) to reduce potential false positives.”

“Open-source outlets have reported that during incident response activities, attackers exploiting this vulnerability have been placing malicious files in the following directories,” DHS officials wrote. “Analysts should review file listings for these directories and determine if any suspicious files are present on the server.”

DHS also warned that, from a network perspective, evidence of compromise would likely not be detectable, as the traffic would likely be encrypted and these devices are typically not covered by traditional network monitoring of ingress traffic.

The alert also provides organizations with additional detection measures from several researchers and the National Security Agency.

“In the event network monitoring is available and attackers are using HTTP versions of this exploit, CISA recommends looking for URIs containing /../ or /vpns/ to identify potentially malicious activity,” officials wrote. “It’s also worth surveying the traffic for any requests to .xml files or perl (.pl) files as well, as this would not be consistent with normal Citrix web activity.”
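As an added example (not code from the CISA alert or this article), the following script applies the URI checks quoted above to constructed, Apache-style access log lines of the kind a Citrix appliance writes. The percent-decoding step is my addition, since the quoted guidance names only the literal strings; the log lines and paths are made up for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not from any real incident). Line 1 and
# line 5 are ordinary gateway traffic; lines 2-4 carry the indicators CISA names.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 4120
10.0.0.9 - - [12/Jan/2020:10:01:07 +0000] "GET /vpn/../vpns/cfg/sample.conf HTTP/1.1" 200 83
10.0.0.9 - - [12/Jan/2020:10:01:09 +0000] "POST /vpn/../vpns/portal/scripts/sample.pl HTTP/1.1" 200 12
10.0.0.9 - - [12/Jan/2020:10:01:11 +0000] "GET /vpn/%2e%2e/vpns/portal/sample.xml HTTP/1.1" 200 51
10.0.0.7 - - [12/Jan/2020:10:02:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9000
"""

# Common log format: client, ident, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_reasons(uri):
    """Return the CISA indicators matched by a request URI (empty list if none)."""
    # Decode percent-encoding first so an encoded '/../' is not missed
    # (decoding is an addition here; the alert lists the literal strings only).
    decoded = unquote(uri)
    path = decoded.split("?", 1)[0].lower()
    reasons = []
    if "/../" in decoded:
        reasons.append("traversal '/../'")
    if "/vpns/" in decoded:
        reasons.append("'/vpns/' path")
    if path.endswith(".xml"):
        reasons.append(".xml request")
    if path.endswith(".pl"):
        reasons.append("perl (.pl) request")
    return reasons


def scan_log(text):
    """Parse each log line and return (ip, method, uri, status, reasons) for flagged requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = suspicious_reasons(m["uri"])
        if reasons:
            hits.append((m["ip"], m["method"], m["uri"], m["status"], reasons))
    return hits


if __name__ == "__main__":
    for ip, method, uri, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {uri} -> {status}: {', '.join(reasons)}")
```

Flagged requests are a starting point for the host-side review the alert describes (processes, /var/log, crontab, unusual files), not proof of compromise on their own.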

“Unpatched systems and systems compromised before the updates were applied remain susceptible to exploitation,” officials warned.