Hackers are closing the Shitrix security hole to keep everyone out of Citrix servers apart from themselves

Just over a week ago, it was revealed that hackers were exploiting a vulnerability to compromise VPN gateways used by many businesses worldwide.


The vulnerability, officially known as CVE-2019-19781 but unofficially named “Shitrix”, was found on Citrix Application Delivery Controller and Citrix Gateway servers (formerly known as Netscaler ADC and Netscaler Gateway respectively), but at the time of writing Citrix still hasn’t released a patch.


Well, there’s good news and bad news.


First the good news:


Hackers are exploiting the Shitrix flaw to access the vulnerable servers, clean up known malware infections (such as cryptocurrency mining code) on your behalf, and apply Citrix’s recommended mitigation steps to block future attempts to exploit the vulnerability.
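A practitioner reading this will want to know whether their own appliance has already been probed. The Python below is added here as an example; it is not code from the article, from FireEye or from Citrix. It applies the same matching rule that Citrix's published responder-policy mitigation uses (decode the request URL as text, then flag any request that reaches `/vpns/` through a `/../` segment) to a handful of constructed Apache-style access-log lines. The log format, the sample lines and the `find_probes` helper are assumptions made for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). These are made up
# for the example and are not real captures from any appliance.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Jan/2020:03:14:22 +0000] "GET /vpn/index.html HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2020:03:14:25 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.64.1"
203.0.113.9 - - [11/Jan/2020:03:15:01 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
203.0.113.9 - - [11/Jan/2020:03:15:03 +0000] "GET /vpn/%2e%2e/vpns/portal/mnt.xml HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
192.0.2.44 - - [11/Jan/2020:03:16:40 +0000] "GET /vpns/portal/index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal_probe(url: str) -> bool:
    """Mirror of the Citrix responder rule: percent-decode the URL first (the
    appliance rule uses DECODE_USING_TEXT_MODE), then require both a /vpns/
    component and a /../ segment. Decoding is what catches %2e%2e variants."""
    decoded = unquote(url)
    return "/vpns/" in decoded and "/../" in decoded


def find_probes(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request that matches the traversal rule.
    Lines that do not parse are skipped rather than raising, so a partially
    garbled log does not abort the hunt."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal_probe(m["url"]):
            hits.append(
                {
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "method": m["method"],
                    "url": m["url"],
                    "status": int(m["status"]),
                }
            )
    return hits


def probe_sources(log_text: str) -> List[str]:
    """Distinct client addresses that sent at least one matching request."""
    return sorted({str(h["ip"]) for h in find_probes(log_text)})


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["url"]} -> {hit["status"]}')
    print("sources:", ", ".join(probe_sources(SAMPLE_LOG)))
```

Two caveats apply. The responder rule also blocks any unauthenticated request to `/vpns/` whether or not it contains `/../`, which a log hunt cannot reproduce because the log does not record session state, so the last sample line is not flagged. And a clean log is not evidence that the mitigation is in place: Citrix has reported that the responder mitigation does not take effect on some 12.1 builds, so the policy should be confirmed by sending a test request rather than inferred from the absence of hits.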


Well, that sounds kind of them, doesn’t it? Hmm.


So, here’s the bad news:


As researchers at FireEye describe, the mitigation code executed by the hacking group to protect the Citrix servers from further exploitation contains a secret backdoor.


In short, the hackers have locked other hackers out of the vulnerable servers – but not themselves.


FireEye’s team has dubbed the previously-unseen payload installed by the hackers NOTROBIN.



“FireEye believes that actors deploy NOTROBIN to block exploitation of the CVE-2019-1978 ..
