Citrix Flaw Opens Networks To Ransomware Risk

Attackers are attempting to use a recently patched critical Citrix bug to infect organisations with ransomware, researchers have found.

Computer security firm FireEye said the ransomware efforts are a new addition to hackers’ efforts to exploit the flaw.

Earlier attacks had attempted to place cryptocurrency miners or a previously unknown malware variant called NOTROBIN.

Citrix released patches for the directory traversal flaw, CVE-2019-19781, which affects several versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway, last week.

Compromise scanner

The company also worked with FireEye to release an indicator of compromise (IoC) scanner to help customers determine whether their systems have been breached using the flaw.

The bug can be exploited to gain unauthorised remote access to a network and execute malicious code, researchers said, which is why it carries a severity rating of 9.8 out of 10.
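The article describes the bug as a directory traversal flaw and notes that Citrix and FireEye shipped an indicator-of-compromise scanner for it. As an added illustration of the defender-side idea (this is not the FireEye/Citrix tool, and it deliberately uses no Citrix-specific paths), the script below scans web-server access logs for request paths that contain `..` segments, including URL-encoded and double-encoded forms, which is the generic signature of a traversal attempt. The log lines and IP addresses are constructed sample data.

```python
"""Flag HTTP access-log entries whose request path contains a directory-traversal sequence.

Added example (not the Citrix/FireEye IoC scanner). Assumes Common Log Format lines.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [13/Jan/2020:10:01:03 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
198.51.100.9 - - [13/Jan/2020:10:01:04 +0000] "GET /%2e%2e/%2e%2e/config HTTP/1.1" 403 0
198.51.100.9 - - [13/Jan/2020:10:01:05 +0000] "GET /%252e%252e/secret HTTP/1.1" 403 0
192.0.2.4 - - [13/Jan/2020:10:01:06 +0000] "GET /docs/a..b/page HTTP/1.1" 200 100
"""

# Minimal Common Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so that double-encoded '%252e' also collapses to '.'.

    A fixed round limit avoids looping on pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path):
    """True if any path segment is exactly '..' after decoding and separator normalisation.

    Checking whole segments (not a substring match on '..') avoids false positives
    on legitimate names such as '/docs/a..b/page'.
    """
    without_query = path.split('?', 1)[0]
    decoded = fully_decode(without_query).replace('\\', '/')
    return any(segment == '..' for segment in decoded.split('/'))


def scan_log(text):
    """Return one record per log line whose request path looks like a traversal attempt."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        if has_traversal(match['path']):
            hits.append({'ip': match['ip'], 'ts': match['ts'],
                         'path': match['path'], 'status': match['status']})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['path']}")
```

Matching on decoded, whole `..` segments rather than a raw substring search is the important design choice: a naive `'..' in line` check both misses encoded requests and fires on harmless file names. Hits with a 2xx or 3xx status deserve the closest look, since a blocked request (403/404) indicates probing, whereas a successful one may indicate compromise.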

FireEye said attackers had been “swift” to attempt to exploit the Citrix flaw and said “multiple actors” were carrying out attacks.

In a Friday update, the company said it had found one attacker attempting to install the Ragnarok ransomware via vulnerable Citrix Gateway deployments.

The attacker is “using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organisation”, FireEye said in an advisory.

“If you suspect your Citrix appliances may have been compromised, we recommend utilising the tool FireEye released in partnership with Citrix.”

Traffic jam

In the Netherlands, the Citrix flaw has been held responsible for worse-than-usual road traffic in the country after the Dutch National Computer Security Centre (NCSC) recently recommended taking vulnerable systems offline.

As a result, most Dutch government ministries took remote-access servers offline, resulting in traffic jams last week as more government workers made their way into their offices.

The Citrix installations involved had been used by government employees to work remotely, according to local reports.

Matthew Broersma

Matt Broersma is a long-standing freelance technology journalist who has worked for Ziff-Davis, ZDNet and other leading publications.
