Researchers have observed new activity from unknown attackers who are scanning for unpatched Citrix servers affected by the recently patched critical remote code execution vulnerability and exploiting them to deploy ransomware.
The active scans target Citrix Application Delivery Controller (ADC) and Citrix Gateway in order to exploit the critical vulnerability CVE-2019-19781.
GBHackers recently reported on the critical vulnerability in Citrix products that allows attackers to reach the internal networks of some 80,000 companies.
Citrix has since released a fix for the CVE-2019-19781 flaw in ADC 11.1 and 12.0 and strongly recommends that customers patch vulnerable servers.
The ongoing attacker activity mostly exploits vulnerable Citrix servers to deploy coin miners and ransomware.
Multiple sources in the security community are reporting such activity; @underthebreach, for example, uncovered that attackers deployed REvil ransomware via the Citrix exploit:
"I examined the files #REvil posted from http://Gedia.com after they refused to pay the #ransomware."
"The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit."
FireEye has detected the IP address 45[.]120[.]53[.]214 attempting to exploit CVE-2019-19781 at dozens of its clients; after exploitation, the attackers execute a cURL command to download a shell script from hxxp://198[.]44[.]227[.]126:81/citrix/ld.sh.
Researchers also discovered a zip file containing five different files, among them a Python script (scan.py) that automates the exploitation of identified vulnerable systems.
The attackers assembled this script from multiple open-source projects and scripts, and the FireEye researchers believe that "further analysis and sandboxing of this binary brought all the pieces together—this threat actor may have been attempting to deploy ransomware aptly named 'Ragnarok'."
A Twitter post from Karsten identified an artifact of the Ragnarok ransomware that the attackers used to infect systems after exploiting the Citrix vulnerability.
Patching is ongoing: in December nearly 80,000 servers were vulnerable; that number has now dropped to 11,372.
CISA has also released a test tool that administrators and users can run to check whether a Citrix Application Delivery Controller (ADC) or Citrix Gateway is vulnerable. The tool can be downloaded from GitHub. Note that such a check only tells you whether a server is vulnerable right now, not whether it was already exploited; any server that was exposed before it was patched should be treated as potentially compromised and checked against the indicators below.
Indicators of Compromise
The table below (Table 3 in the source analysis) lists the unique indicators discussed in this post. IP addresses and e-mail addresses are defanged with "[.]"; host indicators are MD5 digests of the files named in the Notes column.
| Indicator Type | Indicator | Notes |
|---|---|---|
| Network | 45[.]120[.]53[.]214 | |
| Network | 198[.]44[.]227[.]126 | |
| Host (MD5) | 91dd06f49b09a2242d4085703599b7a7 | piz.Lan |
| Host (MD5) | 01af5ad23a282d0fd40597c1024307ca | de.py |
| Host (MD5) | bd977d9d2b68dd9b12a3878edd192319 | ld.sh |
| Host (MD5) | 0caf9be8fd7ba5b605b7a7b315ef17a0 | .new.zip |
| Host (MD5) | 9aa67d856e584b4eefc4791d2634476a | x86.dll |
| Host (MD5) | 55b40e0068429fbbb16f2113d6842ed2 | x64.dll |
| Host (MD5) | b0acb27273563a5a2a5f71165606808c | scan.py |
| Host (MD5) | 6cf1857e569432fcfc8e506c8b0db635 | xp_eternalblue.replay |
| Host (MD5) | 9e408d947ceba27259e2a9a5c71a75a8 | eternalblue.replay |
| Host (MD5) | e345c861058a18510e7c4bb616e3fd9f | avpass.exe |
| Host (MD5) | 48452dd2506831d0b340e45b08799623 | since1969.exe |
| Email Address | asgardmaster5@protonmail[.]com | From ransom note |
| Email Address | ragnar0k@ctemplar[.]com | From ransom note |
| Email Address | j.jasonm@yandex[.]com | From ransom note |
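As an added example (not code from this article, from FireEye, or from CISA), the following Python script turns the indicators above, together with the scanning activity described earlier, into an offline IOC sweep: it flags access-log requests that come from the listed attacker IP or that use the "/vpn/../vpns/" directory traversal through which CVE-2019-19781 is exploited, compares MD5 digests of files on disk with the host indicators, and looks for the ransom-note contact addresses in text. The access-log format is assumed to be the Apache/NGINX "combined" format, and every log line and file used below is constructed sample data, not captured attacker traffic.

```python
# Added example: offline IOC sweep for the CVE-2019-19781 indicators listed
# in the article's table. Not code from the article, FireEye or CISA.
import hashlib
import re
from pathlib import Path
from urllib.parse import unquote


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 45[.]120[.]53[.]214 into 45.120.53.214."""
    return ioc.replace("[.]", ".")


# Indicators copied from the table, kept in their defanged form at the source.
NETWORK_IOCS = {refang(ip) for ip in ("45[.]120[.]53[.]214", "198[.]44[.]227[.]126")}
HOST_IOCS = {  # MD5 -> file name given in the table
    "91dd06f49b09a2242d4085703599b7a7": "piz.Lan",
    "01af5ad23a282d0fd40597c1024307ca": "de.py",
    "bd977d9d2b68dd9b12a3878edd192319": "ld.sh",
    "0caf9be8fd7ba5b605b7a7b315ef17a0": ".new.zip",
    "9aa67d856e584b4eefc4791d2634476a": "x86.dll",
    "55b40e0068429fbbb16f2113d6842ed2": "x64.dll",
    "b0acb27273563a5a2a5f71165606808c": "scan.py",
    "6cf1857e569432fcfc8e506c8b0db635": "xp_eternalblue.replay",
    "9e408d947ceba27259e2a9a5c71a75a8": "eternalblue.replay",
    "e345c861058a18510e7c4bb616e3fd9f": "avpass.exe",
    "48452dd2506831d0b340e45b08799623": "since1969.exe",
}
EMAIL_IOCS = {refang(e) for e in ("asgardmaster5@protonmail[.]com",
                                  "ragnar0k@ctemplar[.]com",
                                  "j.jasonm@yandex[.]com")}

# Assumed log format (Apache/NGINX "combined"): client IP, identity, user,
# [timestamp], "METHOD PATH PROTOCOL", status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# CVE-2019-19781 exploitation reaches the /vpns/ scripts by traversing out of
# /vpn/; the path is URL-decoded before matching so "%2e%2e" variants are caught.
TRAVERSAL_RE = re.compile(r"/vpn/(?:\.\./)+vpns/", re.IGNORECASE)


def scan_log_lines(lines):
    """Return one dict per suspicious request with the reasons it was flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        reasons = []
        if m["ip"] in NETWORK_IOCS:
            reasons.append("known attacker IP")
        if TRAVERSAL_RE.search(unquote(m["path"])):
            reasons.append("CVE-2019-19781 traversal pattern")
        if reasons:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


def md5_file(path, chunk_size=1 << 16):
    """MD5 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def match_digests(digests, host_iocs=HOST_IOCS):
    """digests: {path: md5}. Return [(path, md5, IOC file name)] for every hit."""
    return [(p, d, host_iocs[d]) for p, d in digests.items() if d in host_iocs]


def sweep_directory(root, host_iocs=HOST_IOCS):
    """Hash every regular file under root and report matches against the host IOCs."""
    digests = {str(p): md5_file(p) for p in sorted(Path(root).rglob("*")) if p.is_file()}
    return match_digests(digests, host_iocs)


def find_ransom_note_contacts(text):
    """Return the listed ransom-note addresses that occur in text (e.g. a dropped note)."""
    found = set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text))
    return sorted(found & EMAIL_IOCS)


# Constructed sample log: lines 1, 3 and 4 are exploitation attempts (line 4
# with a URL-encoded traversal); lines 2 and 5 are ordinary portal traffic.
SAMPLE_LOG = [
    '45.120.53.214 - - [11/Jan/2020:03:21:07 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '10.0.0.7 - - [11/Jan/2020:03:22:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jan/2020:03:25:41 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "python-requests/2.22.0"',
    '198.51.100.4 - - [11/Jan/2020:03:26:02 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 404 196 "-" "curl/7.64.0"',
    '10.0.0.8 - - [11/Jan/2020:03:30:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"{hit['ip']:16} {hit['status']} {hit['path']}  <- {', '.join(hit['reasons'])}")
    print(match_digests({"/var/tmp/ld.sh": "bd977d9d2b68dd9b12a3878edd192319"}))
    print(find_ransom_note_contacts("Contact asgardmaster5@protonmail.com or ragnar0k@ctemplar.com."))
```

The traversal check is deliberately independent of the IP list: the scanning described in the article came from many addresses, so a request to `/vpn/../vpns/` from any client is the stronger signal, and a 200 response to it on an unpatched appliance means the request reached the vulnerable scripts. The hash sweep is a starting point only; attackers can trivially recompile or repack the tools, so a clean hash sweep does not clear a host that was exposed before patching.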