Citrix servers Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/citrix-servers/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Wed, 12 Aug 2020 16:20:40 +0000

Citrix expects attacks on fresh issues in XenMobile
https://gridinsoft.com/blogs/citrix-expects-attacks-on-fresh-issues-in-xenmobile/
Wed, 12 Aug 2020 16:20:40 +0000

Citrix engineers released a number of Citrix Endpoint Management patches this week, and Citrix expects attacks on XenMobile Server, its corporate mobile device management system. The patched issues give an attacker the ability to gain administrative privileges on vulnerable systems.

The severity of the issues, which received the CVE IDs CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211 and CVE-2020-8212, differs depending on the version of XenMobile in use.

The vulnerabilities are rated critical for XenMobile 10.12 before RP2, 10.11 before RP4, 10.10 before RP6, and all versions before 10.9 RP5. For XenMobile 10.12 before RP3, 10.11 before RP6, 10.10 before RP6, and versions before 10.9 RP5, the remaining issues are rated low to medium.

The company’s specialists write that all 10.9.x versions should be updated immediately (preferably to the latest 10.12 RP3), since some of the flaws can be exploited remotely and without authentication. Currently, more than 70% of potentially vulnerable customers who were previously notified of the problems have already installed the available fixes.

“We recommend updating immediately. Although there are currently no known exploits [for these problems], we expect attackers to use them very soon,” the company warns.

Recall that Citrix users are rather slow to act: after patches for a previous dangerous bug were released, 20% of companies remained vulnerable. Do not expect some noble hacker to patch your systems for you, although that has already happened.

Although Citrix does not disclose details of the discovered problems, the CVE-2020-8209 vulnerability was found by Positive Technologies specialist Andrey Medov. He says it belongs to the path traversal class and stems from insufficient validation of input data.

“The exploitation of this vulnerability provides information that can be useful when crossing the perimeter, since the configuration file often stores a domain account for connecting to LDAP,” says the expert.

A remote attacker can use the obtained data to authenticate to the company’s other externally reachable resources: corporate mail, VPN, web applications. In addition, by reading the configuration file an attacker can obtain other sensitive data, for example the database password (by default, for the local PostgreSQL instance; in some cases, for a remote SQL Server).

However, since the database sits inside the corporate perimeter and cannot be reached from outside, this vector can only be used in complex attacks, for example with the help of an accomplice inside the company.

The post Citrix expects attacks on fresh issues in XenMobile appeared first on Gridinsoft Blog.

Citrix releases new patches, racing with the hackers that install encryptors on vulnerable machines
https://gridinsoft.com/blogs/citrix-releases-new-patches-racing-with-the-hackers-that-install-encryptors-on-vulnerable-machines/
Mon, 27 Jan 2020 18:08:42 +0000

A destructive race: Citrix releases new patches while hackers actively attack vulnerable servers and install ransomware (encryptors) on them. It seems that users are losing.

At the beginning of this year, the CVE-2019-19781 vulnerability was discovered; it affects a number of versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway, as well as two older versions of Citrix SD-WAN WANOP. As reported at the beginning of the month, exploits for it appeared in the public domain.

After the publication of the exploits, attacks on vulnerable Citrix versions intensified, just as expected, since numerous attackers hope to compromise an important target that has not had time to upgrade: a corporate network, a state server or a government agency.

“The main problem was that though more than a month has passed since the vulnerability was discovered, Citrix developers were in no hurry to release the patch,” information security experts say, criticizing the company.

At first, the company limited itself to security recommendations explaining to customers how to reduce the risk.

There was even a curious precedent: an unknown hacker broke into vulnerable Citrix servers and patched them, and according to information security analysts this was no Robin Hood; his intentions were dubious.

Citrix developers presented the first actual patch only last week and did not release the final patches until last Friday.

Citrix and FireEye experts also provided free tools for identifying compromised and vulnerable systems.

Now FireEye and Under the Breach analysts warn that the operators of the REvil (Sodinokibi) and Ragnarok ransomware are actively infecting vulnerable Citrix servers, of which there are still many.

“I examined the files REvil posted from Gedia.com after they refused to pay the ransomware. The interesting thing I discovered is that they obviously hacked Gedia via the Citrix exploit. My bet is that all recent targets were accessed via this exploit. It just goes to show how much impact a single exploit could have. Other files included invoices, data structures and a complete dump of the servers’ passwords. GDPR will go hard on these guys and this is exactly what REvil wants, the incentive to ransomware is truly alive!” writes a representative of Under the Breach.

Additionally, according to unconfirmed reports, the creators of the Maze ransomware have also targeted vulnerable systems.

It should be said that, overall, patching is going well. In December 2019 the number of vulnerable systems was estimated at 80,000 servers; by mid-January it had dropped to about 25,000, and last week it fell below 11,000. Specialists from the GDI Foundation closely track these statistics.

The post Citrix releases new patches, racing with the hackers that install encryptors on vulnerable machines appeared first on Gridinsoft Blog.

Unknown hacker patches vulnerable Citrix servers
https://gridinsoft.com/blogs/unknown-hacker-patches-vulnerable-citrix-servers/
Mon, 20 Jan 2020 16:58:36 +0000

Exploits for the critical vulnerability CVE-2019-19781, found earlier in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), recently appeared in the public domain. Now it is reported that an unknown hacker is accessing vulnerable Citrix servers and patching them.

Recall that, according to experts, this problem threatens 80,000 companies in 158 countries and allows hackers to take over devices.

“In almost all cases, Citrix applications are available on the perimeter of a company’s network, which means they are most exposed to attacks. Thus, the vulnerability allows an external unauthorized attacker not only to gain access to published applications, but also to carry out attacks from the Citrix server on other resources of the victim company’s internal network,” report Positive Technologies experts.

The bug is so serious that it is considered one of the most dangerous flaws discovered in recent years.

The main problem is that more than a month has passed since the vulnerability was discovered, yet Citrix developers were in no hurry to release a patch. At first, the company limited itself to security recommendations explaining to customers how to reduce the risk, and the actual fix appeared only on January 19, 2020.

After the publication of the exploits, attacks on vulnerable Citrix versions intensified, just as expected, since many attackers hope to compromise an important target: a corporate network, a state server or a government agency.

FireEye experts warned that at least one of the many attackers operates via Tor and exhibits strange behavior: it deploys a payload called NotRobin on hacked servers.

“NotRobin has two main goals. Firstly, it serves as a backdoor for a hacked Citrix device. Secondly, it is a kind of antivirus, removing other malware found on the system and thereby preventing others from leaving payloads on this host. No additional malware was installed on infected servers besides NotRobin,” say FireEye analysts.

FireEye researchers doubt that a good Samaritan is behind these attacks. In their report, they write that the hacker most likely only accumulates access to vulnerable devices, “cleans” them and prepares for the next campaign.

Given that, at the same time, the image of Greta Thunberg is helping other hackers penetrate networks, it is unclear who or what is more cynical and dangerous.

The post Unknown hacker patches vulnerable Citrix servers appeared first on Gridinsoft Blog.
