'Nice guy' hackers are seemingly fixing the Citrix server hole, but leaving a nasty present behind
Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.
Researchers at FireEye report finding a hacking group that has been bundling mitigation code for NetScaler servers with its exploits.
In effect, the hackers exploit the flaw to gain access to the server, kill any existing malware, set up their own backdoor, then apply a mitigation that blocks the vulnerable code from future exploit attempts.
It would make sense to take a compromised server off the map, so to speak, for other groups trying to exploit the so-called 'Shitrix' flaw.
Once the secondary payload has been downloaded and launched, it installs the backdoor for later access by the attackers, then proceeds to launch a pair of scripts that both search out and delete known malware on the machine and monitor and block any incoming attempts to exploit the vulnerability.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/17/hackers_patching_citrix_hole/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-12-27 | CVE-2019-19781 | Path Traversal vulnerability in Citrix products: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. | 9.8 |