Security experts are monitoring a spike in the number of attacks against Citrix servers after
Researchers from FireEye noticed that one of the threat actors involved in the attacks is patching the vulnerable Citrix servers, installing their own backdoor, tracked as NOTROBIN, to clean up other malware infections and to lock out any other threat from exploiting the CVE-2019-19781 Citrix flaw.
“One particular threat actor that’s been deploying a previously-unseen payload for which we’ve created the code family NOTROBIN.” reads a report published by FireEye.
“Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret
The popular expert Kevin Beaumont first reported the scans for vulnerable systems earlier in January, but only last week the exploits were made public.
The issue affects all supported product versions and all supported platforms:
It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S. (38%), followed by the UK, Germany, the Netherlands, and Australia.
The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies.
The NOTROBIN backdoor was designed to prevent subsequent exploitation of the flaw on Citrix servers and also to establish backdoor access, a circumstance that suggests that attackers are preparing future attacks.
Experts pointed out that the threat actor exploits CVE-2019-19781 to execute shell commands; attackers send the malicious payload to the vulnerable
Below is a web server access log entry recording the exploitation attempt:
127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"
The experts have yet to recover the POST body contents and analyze them.
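As an added example (not taken from the FireEye report or from this article), the Python code below scans web server access logs for requests like the one shown above, flagging any request whose path walks from /vpn/ into /vpns/ with a "../" sequence. It assumes the Combined Log Format; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "ref" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)
# Traversal out of /vpn/ into /vpns/, as in the log entry quoted in the article.
TRAVERSAL_RE = re.compile(r'/vpn/(?:\.\./)+vpns/', re.IGNORECASE)


def normalise(path):
    """Percent-decode (at most twice) so an encoded '..' is compared in plain form."""
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_traversal_requests(lines):
    """Return one record per access-log line whose path walks from /vpn/ into /vpns/."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an access-log line: skip rather than guess
        path = normalise(m.group('path'))
        if TRAVERSAL_RE.search(path):
            hits.append({'line': lineno, 'ip': m.group('ip'), 'time': m.group('time'),
                         'method': m.group('method'), 'path': path,
                         'status': int(m.group('status')), 'agent': m.group('agent')})
    return hits


# Constructed sample: line 1 is the article's entry with plain ASCII quotes and
# hyphens; lines 2 and 3 are made up (documentation address ranges).
SAMPLE = [
    '127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"',
    '192.0.2.10 - - [12/Jan/2020:21:56:02 -0500] "GET /vpn/index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2020:21:57:40 -0500] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 - "-" "-"',
]

if __name__ == '__main__':
    for hit in find_traversal_requests(SAMPLE):
        print(hit)
```

A hit shows only that a matching request reached the server; the status code and any follow-on activity still have to be reviewed to judge whether it succeeded.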
Then attackers execute
NOTROBIN is written in Go; it scans every second for specific files and deletes them. If the filename or file content includes a
“The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the
The experts from FireEye noticed threat actors deploying NOTROBIN with unique keys; they observed nearly 100 keys from different binaries.
The keys look like MD5 hashes. The use of unique keys makes it difficult for third parties, including competing attackers, to scan for NetScaler devices already infected with NOTROBIN.
Further technical details are reported in the analysis published by FireEye, including Indicators of Compromise (IoCs).