A Citrix vulnerability first discovered on December 17, 2019 continues to be exploited by ransomware attackers despite patching attempts by Citrix. The vulnerability allows unauthenticated attackers to reach a company’s local network remotely and run code over that connection. Since its public disclosure it has been exploited numerous times: over 550,000 attacks have been recorded from over 42 different countries, and over 82% of them, 455,000 in total, originate from Russia. A successfully compromised system lets an unauthorized actor perform arbitrary code execution, continuing a trend seen through December and January of remote actors gaining arbitrary code execution.
Source: Citrix.com, Accessed January 2, 2020
Attackers using the Citrix vulnerability aim to implant coin miners, malware, or ransomware on systems. Even more concerning, the NotRobin malware maintains backdoors that give unfettered access to the compromised devices. Combined with a ransomware called Ragnarök, which demands 1 bitcoin (equivalent to $8,600), the results can be devastating: failure to pay could result in the deletion of held data or its public distribution. Ragnarök can also be directed to move laterally across the network to other connected machines, multiplying the harm of the vulnerability with every device connected to the network.
Citrix has released what it calls a permanent fix for the vulnerability and is encouraging all Citrix users to download the patch. However, a device that is no longer vulnerable has not necessarily escaped compromise: because of the backdoor, attackers can still access your systems even with the Citrix patch installed. As Craig Young, a computer security researcher for Tripwire Inc., said, “I fully expect that in the coming months we will learn about several organizations who were hacked last week but currently do not realize this.” The full extent of this vulnerability remains to be seen. Attackers typically use it to spread as far across the network as they can before stealing data or launching a ransomware attack.
Any business currently using Citrix should immediately update its systems to the latest patch. Even if you are sure that your business has not yet been infiltrated by Ragnarök or any other malicious software, it is always better to remediate your vulnerabilities. Even if a backdoor has already been installed, patching will at least prevent any new incursions from taking place, although it will not remove the backdoor itself. This is pertinent because attackers are actively looking for Citrix systems to exploit, so even if you have not yet come under attack, it is highly likely that you will be attacked in the future.
Companies will need to be vigilant for any suspicious activity over the next couple of months, and anything that seems suspicious should be examined. The Dutch National Cybersecurity Centre even recommends that companies turn off Citrix until the problem is resolved. If you are unable to turn off Citrix for functional reasons, there are other mitigation options. Because there is no perfect solution for the vulnerabilities within Citrix, it may be better to simply whitelist known IP addresses, limiting your exposure. Additionally, placing Citrix behind a firewall lets you filter access to the service, making it difficult for an attacker to navigate through your local network.
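The IP whitelisting recommended above can also be applied retroactively when reviewing what has already connected to the gateway. The following script is an added example, not code from the article or from Citrix: it checks each source address in a constructed, simplified access log against a hypothetical allowlist of known corporate ranges and reports out-of-policy sources, most active first, so they can be examined as the text advises.

```python
"""Allowlist audit for a remote-access gateway's access log.

Added example (not Citrix tooling): the allowlist ranges, the log format
("<src_ip> <method> <path> <status>") and the sample lines are constructed.
"""
import ipaddress
from collections import Counter

# Hypothetical allowlist of known corporate egress ranges (assumption).
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed sample log lines; 192.0.2.0/24 is outside the allowlist.
SAMPLE_LOG = """\
203.0.113.45 GET /login 200
192.0.2.77 GET /login 200
192.0.2.77 GET /login 403
192.0.2.77 POST /login 403
198.51.100.9 GET /login 200
192.0.2.200 GET /login 404
not-an-ip GET /login 400
"""


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects once, for repeated lookups."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(src_ip, networks):
    """True if src_ip falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def audit_log(log_text, cidrs, min_hits=1):
    """Return {src_ip: request_count} for sources outside the allowlist
    that made at least min_hits requests, ordered most active first."""
    networks = build_allowlist(cidrs)
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the audit
        try:
            if not is_allowed(parts[0], networks):
                hits[parts[0]] += 1
        except ValueError:
            continue  # first field is not an IP address: ignore
    return {ip: n for ip, n in hits.most_common() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in audit_log(SAMPLE_LOG, ALLOWED_CIDRS).items():
        print(f"{ip}: {n} request(s) from outside the allowlist")
```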