Citrix Gateway Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/citrix-gateway/

Dangerous vulnerability in Citrix software is still not resolved in 20% of companies
https://gridinsoft.com/blogs/dangerous-vulnerability-in-citrix-software-is-still-not-resolved-in-20-of-companies/
Fri, 07 Feb 2020 16:53:18 +0000

A month after information was published about a dangerous vulnerability in Citrix software that threatened 80 thousand companies in 158 countries, one fifth of those companies have still not taken measures to eliminate it.

This can be concluded from threat intelligence monitoring conducted by Positive Technologies.

The critical vulnerability CVE-2019-19781 in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) was discovered by Positive Technologies experts in December.

“At the end of 2019, the United States led the list of potentially vulnerable organizations (more than 38% of all vulnerable organizations), followed by Germany, the United Kingdom, the Netherlands and Australia,” the experts say.

As previously reported, there was even a mysterious hacker, a Robin Hood of sorts, who patched a server affected by this vulnerability. On January 8, 2020, an exploit was published that allows an attacker to automate attacks against companies that have not fixed the vulnerability.

“Citrix developers planned to completely eliminate the problem between January 27 and January 31, but released a series of patches for different versions of the product a week earlier. It is important to install the necessary update as soon as possible and, until then, to adhere to the Citrix security recommendations that have been available since the publication of the vulnerability information,” warns the PT Expert Security Center.

Overall, the remediation trend is positive, but 20% of companies still remain at risk. The countries with the largest share of potentially vulnerable organizations today are Brazil (43% of the companies in which the vulnerability was initially identified), China (39%), Russia (35%), France (34%), Italy (33%) and Spain (25%). The USA, Great Britain and Australia showed the best progress: in these countries only 21% of companies continue to use vulnerable devices and have not taken any protective measures.

Recall that by exploiting the vulnerability an attacker gains direct access to the company’s local network from the Internet. Carrying out such an attack requires no account credentials, which means that any external intruder can execute it.

Companies can use application-level firewalls to block a possible attack. Such firewalls detect the attack “out of the box”; for real-time protection, the system should be switched into the mode that blocks dangerous requests.

I will also remind you of the importance of using reliable antivirus software.

Given the total lifespan of the identified vulnerability (it has existed since the release of the first vulnerable version of the software in 2014), retrospective identification of possible exploitation of this vulnerability (and, accordingly, of infrastructure compromise) is becoming relevant.

Citrix releases new patches, racing with the hackers that install encryptors on vulnerable machines
https://gridinsoft.com/blogs/citrix-releases-new-patches-racing-with-the-hackers-that-install-encryptors-on-vulnerable-machines/
Mon, 27 Jan 2020 18:08:42 +0000

A destructive race: Citrix releases new patches while hackers actively attack vulnerable servers and install encryptors on them. It seems that users are losing.

At the beginning of this year, the CVE-2019-19781 vulnerability was discovered; it affects a number of versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway, as well as two old versions of Citrix SD-WAN WANOP. As reported at the beginning of the month, exploits for it are publicly available.

After the exploits were published, attacks on vulnerable Citrix installations intensified, as expected: numerous hackers hope to compromise an important target that has not yet upgraded, whether a corporate network, a state server or a government agency.

“The main problem was that, though more than a month had passed since the vulnerability was discovered, Citrix developers were in no hurry to release the patch,” information security experts say, condemning the company.

At first, the company limited itself to security recommendations explaining to customers how to reduce the risk.

There was even an interesting precedent: an unknown hacker used the vulnerability itself to patch vulnerable Citrix servers, and, according to information security analysts, not out of Robin Hood altruism; his intentions were dubious.

Citrix developers presented an actual patch only last week, and did not release the final patches until last Friday.

Citrix and FireEye experts also provided free tools to identify compromised and vulnerable systems.

Now FireEye and Under the Breach analysts warn that the operators of the REvil (Sodinokibi) and Ragnarok ransomware are actively infecting vulnerable Citrix servers, which are still numerous.

“I examined the files REvil posted from Gedia.com after they refused to pay the ransomware. The interesting thing I discovered is that they obviously hacked Gedia via the Citrix exploit. My bet is that all recent targets were accessed via this exploit. It just goes to show how much impact a single exploit could have. Other files included invoices, data structures and a complete dump of the server’s passwords. GDPR will go hard on these guys and this is exactly what REvil wants, the incentive to ransomware is truly alive!” writes a representative of Under the Breach.

Additionally, according to unconfirmed reports, the creators of the Maze ransomware have also targeted vulnerable systems.

It should be said that overall the patching process is going well. Whereas in December 2019 the number of vulnerable systems was estimated at 80,000 servers, by mid-January it had dropped to about 25,000, and last week it fell below 11,000. Specialists from the GDI Foundation closely monitor these statistics.
