Citrix fixes bug used in ransomware attacks; GEDIA falls victim to exploit

Citrix over the last six days has been releasing firmware updates to fix CVE-2019-19781, a critical remote code execution vulnerability in its Citrix Application Delivery Controller, Citrix Gateway and SD-WAN WANOP products, which cybercriminals have actively exploited in an attempt to deliver ransomware, backdoors and coin miners.

The Fort Lauderdale, Fla.-based software company has now patched versions 11.1, 12.0, 12.1 and 13.0 of Citrix ADC and Citrix Gateway (formerly branded as NetScaler ADC and NetScaler Gateway), and expects to issue a fix for version 10.5 today.

Citrix also has issued releases 10.2.6 and 11.0.3 to repair the SD-WAN WANOP WAN Optimization solution, which comes with Citrix ADC packaged and was therefore also affected by the bug. These fixes apply to the SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO platforms. (All other SD-WAN PE and SD-WAN SE platforms are not impacted by the vulnerability.)

Citrix has also issued a pair of helpful tools for its users, one that ensures the patch has been successfully applied and another that organizations can run on their Citrix instances to detect any indicators of compromise.

Citrix first publicly disclosed CVE-2019-19781 last Dec. 17 and recommended a series of temporary mitigations. But with fixes now available, applying the patches is essential, considering that attackers are actively exploiting vulnerable Citrix servers.

Case in point: a cybercriminal gang responsible for infecting organizations with Sodinokibi (aka REvil) ransomware-as-a-service is claiming it has perpetrated an attack against German automobile manufacturer GEDIA Automotive Group. ..