Attacker Installs Backdoor, Blocks Others From Exploiting Citrix ADC Vulnerability (Security News, January 2020)
A threat group targeting the recently disclosed critical vulnerability in Citrix Application Delivery Controller is installing their own backdoor while cleaning up other malware infections and blocking others from exploiting the vulnerability, FireEye has discovered.
Tracked as CVE-2019-19781, the vulnerability impacts Citrix ADC and Gateway products.
With tens of thousands of vulnerable systems connected to the Internet, it's no surprise that multiple threat actors are already attempting to exploit the security flaw, especially since Citrix has so far published only mitigation details and has yet to release patches.
One attack that stands out from the crowd, FireEye says, cleans up known malware from the vulnerable deployments and deploys a previously unseen payload known as NOTROBIN. The malware blocks subsequent exploitation attempts but also maintains backdoor access, likely in preparation for a future campaign.
Written in Go, NOTROBIN periodically scans for and deletes specific files in an attempt to block other actors' exploitation attempts against CVE-2019-19781.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score)
---|---|---|---
2019-12-27 | CVE-2019-19781 | Path Traversal vulnerability in Citrix products: an issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. | 9.8