Security News > 2020 > January > 'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind
Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.
Researchers at FireEye report finding a hacking group that has been bundling mitigation code for NetScaler servers with its exploits.
In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then apply a mitigation that blocks future exploit attempts against the vulnerable code.
It would make sense to take a compromised server off the map, so to speak, for other groups trying to exploit the so-called 'Shitrix' flaw.
Once the secondary payload has been downloaded and launched, it installs the backdoor for later access by the attackers, then launches a pair of scripts that search out and delete known malware on the machine, and that monitor and block any incoming attempts to exploit the vulnerability.
Related news
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities (source)
- APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-12-27 | CVE-2019-19781 | Path Traversal vulnerability in Citrix products: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. | 9.8 |