The U.S. Government released a tool to check for it, and numerous experts have warned it needs fixing urgently. Now the critical Citrix vulnerability is being exploited by cyber-criminals using high-impact payloads.
Be warned, the same devastating ransomware that hit the Travelex global foreign currency exchange in December 2019 is now being used to exploit those who have not yet patched their systems against the widely discussed Citrix vulnerability.
What is the Citrix vulnerability?
The what now? Unless you have been living under a rock for the last month, you surely must have heard of CVE-2019-19781. You know, the critical Citrix vulnerability that the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) felt was severe enough to take the unusual step of releasing a free “are you vulnerable” tool for organizations to use. Citrix itself has also issued a vulnerability testing tool. Commonly known within the infosecurity community as shitrix, this is the critical CVE-2019-19781 vulnerability that impacts the Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliances. Despite patches being available regardless of whether customers have a maintenance contract, attacks are known to be underway and are finding victims.
NOTROBIN isn’t Batman either, just another criminal endeavor
One group of hackers has been deploying an exploit payload called NOTROBIN, whose behavior initially sounded too good to be true: it cleaned the attacked machines of other malware before applying the mitigation steps recommended by Citrix. Unfortunately, it also installed a backdoor so that the group could later attack the system for themselves. Things have now gone from bad to worse.
Threat actors are exploiting the Citrix vulnerability to install Sodinokibi ransomware
Cybersecurity experts are now warning that Sodinokibi is being used to attack vulnerable systems, with victims thought to include a car parts manufacturer and even the German city of Potsdam. The criticality of these warnings cannot be stressed enough. Sodinokibi is beyond ‘high-impact’ and moves firmly into highly dangerous territory.
What is so dangerous about Sodinokibi ransomware?
Ransomware remains a serious ‘high-impact’ threat to business, as the Federal Bureau of Investigation (FBI) made clear in a warning just a few months ago. The attack against the City of New Orleans that led to Mayor LaToya Cantrell declaring a state of emergency in December 2019 was proof enough of that. Sodinokibi, also known as REvil, is a particularly worrying strain of ransomware. Not only because of that Travelex attack, which the company is only just emerging from, and another against Albany International Airport, but because the operators behind it don’t only hold data to ransom. The Sodinokibi threat actors also exfiltrate files before the ransomware encryption is executed and use this stolen data as leverage to pressure victims into paying the ransom, under threat of public exposure if they do not. Depending upon the nature of the stolen data, it can also be monetized by being sold in dark markets online.
What should you do to mitigate the risk?
At the risk of sounding like a broken record, the headline answer to the mitigation question remains patch, patch, patch. There are official patches available for all supported versions of ADC, Gateway, and SD-WAN WANOP. You should also look to run the vulnerability testing tools mentioned earlier in this article to ensure your machines are properly patched. Needless to say, but I’m saying it anyway, you should also ensure that industry best practices to protect your organization against ransomware are followed, regardless of whether you are vulnerable to the Citrix exploits or not.