Hackers Scanning Unpatched Citrix Server to Exploit and Deploy Ransomware

Researchers have observed new activity from unknown hackers who are scanning for Citrix servers still unpatched against the recently fixed critical remote code execution vulnerability, exploiting them, and deploying ransomware.

The active scans target Citrix Application Delivery Controller (ADC) and Citrix Gateway in order to exploit the critical vulnerability CVE-2019-19781.

GBHackers recently reported on the critical vulnerability in Citrix products that allows hackers to access the internal networks of 80,000 companies.

Soon after, Citrix released a patch for the CVE-2019-19781 flaw in the affected ADC 11.1 and 12.0 releases and strongly recommended that customers patch their vulnerable servers.

The hackers' current activity is mostly aimed at exploiting vulnerable Citrix servers, which has led to the deployment of coin miners and ransomware.

Multiple sources in the online security community are reporting such activity; for example, @underthebreach found that the attackers deployed REvil ransomware via the Citrix exploit.

“I examined the files #REvil posted from http://Gedia.com after they refused to pay the #ransomware.”

“the interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit”

FireEye has detected the IP address 45[.]120[.]53[.]214 attempting to exploit CVE-2019-19781 at dozens of its clients; after exploitation the attackers executed a cURL command to download a shell script from hxxp://198.44.227[.]126:81/citrix/ld.sh.
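For defenders triaging web-server and egress-proxy logs against the two network indicators quoted above, here is an added example (not code from the article or from FireEye) that refangs the defanged notation the article uses and flags matching log lines. The log lines are constructed for illustration and are not real telemetry.

```python
import re

# Indicators exactly as the article prints them (defanged with "[.]" and "hxxp").
DEFANGED_IOCS = [
    "45[.]120[.]53[.]214",
    "hxxp://198.44.227[.]126:81/citrix/ld.sh",
]


def refang(ioc: str) -> str:
    """Convert defanged notation back into the form that appears in logs."""
    s = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def build_patterns(iocs):
    """Compile each IoC with boundaries so '45.120.53.214' does not match '145.120.53.214'."""
    return [
        (ioc, re.compile(r"(?<![\w.])" + re.escape(refang(ioc)) + r"(?![\w.])"))
        for ioc in iocs
    ]


# Constructed sample lines: an access-log request from the scanning IP, an egress
# proxy record of the curl download of ld.sh, and two benign lines.
SAMPLE_LOGS = [
    '45.120.53.214 - - [11/Jan/2020:02:14:07 +0000] "GET / HTTP/1.1" 200 1822',
    '10.0.3.5 - - [11/Jan/2020:02:14:09 +0000] "GET / HTTP/1.1" 200 1822',
    'proxy: src=10.0.3.7 ua="curl/7.58.0" url="http://198.44.227.126:81/citrix/ld.sh" action=allow',
    'proxy: src=10.0.3.9 ua="Mozilla/5.0" url="https://www.example.com/" action=allow',
]


def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, indicator) for every line that contains a refanged IoC."""
    hits = []
    patterns = build_patterns(iocs)
    for number, line in enumerate(lines, 1):
        for ioc, pattern in patterns:
            if pattern.search(line):
                hits.append((number, ioc))
    return hits


if __name__ == "__main__":
    for number, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: matched indicator {ioc}")
```

Point `scan_logs` at the lines of a real access or proxy log and extend `DEFANGED_IOCS` with any further indicators your own sources publish.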

Researchers also discovered a zip file containing five files, among them a Python script (scan.py) that automates exploitation of identified vulnerable systems.

The hackers built this script from multiple open source projects and scripts, and the FireEye researchers believe that “further analysis and sandboxing of this binary brought all the pieces together—this threat actor may have been attempting to deploy ransomware aptly named ‘Ragnarok’.”

A Twitter post from Karsten identified an artifact of the Ragnarok ransomware, which the attackers used to infect systems by exploiting the Citrix server vulnerability.

Patching is still ongoing: in December nearly 80,000 servers were vulnerable; that number has now dropped to 11,372.

CISA has also released a test tool that lets administrators and users check whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable. The tool can be downloaded from GitHub.

Indicators of Compromise

Table 3 provides the unique indicators discussed in this post.



BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.