Hackers Target Unpatched Citrix Servers to Deploy Ransomware (Jan 24, 2020)
Threat actors behind the ransomware REvil (Sodinokibi) are using the vulnerability “CVE-2019-19781” to exploit unpatched Citrix servers and deploy ransomware on their servers. The vulnerability, “CVE-2019-19781”, if exploited, enables threat actors to perform arbitrary code execution with affected systems including the Citrix Application Delivery Controller (ADC), Citrix Gateway and two older versions of the Citrix SD-WAN WANOP. The exploit was first announced December 17th, 2019, and at the time of writing, there are currently 11,732 vulnerable Citrix servers left unpatched.
Recommendation: Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. As this story portrays, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available in order to prevent exploitation by malicious actors. Since in the case of this compromise ransomware will be deployed, precautions must be made to mitigate the situation. Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.