Citrix Systems Remain Vulnerable Despite Patching Attempts
A Citrix vulnerability first discovered on December 17, 2019 continues to be exploited by ransomware attackers despite Citrix's patching attempts. The vulnerability allows unauthenticated attackers to reach a company's local network remotely and run code through that connection. Since its public disclosure it has been exploited numerous times: in total, over 550,000 attacks have been recorded from over 42 different countries, and over 82% of them (455,000 in total) originated from Russia. If a system is successfully compromised, an unauthorized actor can perform arbitrary code execution. Remote actors gaining arbitrary code execution has been a running trend for December and January.
Source: Citrix.com, Accessed January 2, 2020
The goal of attackers using the Citrix vulnerability is to implant coin miners, malware, or ransomware on systems. Even more concerning, the malware NotRobin maintains backdoors that allow unfettered access to the compromised devices. Combined with a ransomware strain called Ragnarök, which demands 1 bitcoin (the equivalent of $8,600), the results can be devastating: failure to comply could result in the deletion of held data or its public distribution. Ragnarök can also be manipulated to move laterally across the network to other connected machines, increasing the harm of the vulnerability exponentially with each device connected to the network.
Citrix has released what it calls a permanent fix for the vulnerability and is encouraging all Citrix users to download the patch. However, the fact that a device is no longer vulnerable does not mean it has not already been compromised: because of the backdoor, attackers can still access your systems even with the Citrix patch installed. As Craig Young, a computer security researcher for Tripwire Inc., said, “I fully expect that in the coming months we will learn about several organizations who were hacked last week but currently do not realize this.” The full extent of this vulnerability remains to be seen. Attackers will typically use it to spread as far across the network as they can before exfiltrating data or launching a ransomware attack.
Any business currently using Citrix should immediately update its systems to the latest patch. Even if you are sure your business has not yet been infiltrated by Ragnarök or any other malicious software, it is always better to remediate your vulnerabilities, and even if the backdoor has already been installed, patching prevents any new incursions from taking place. This is pertinent because attackers are actively looking for Citrix systems to exploit, so even if you have not yet come under attack, it is highly likely that you will be attacked in the future.
Companies will need to be vigilant for any suspicious activity over the next couple of months; anything that seems suspicious should be examined. The Dutch National Cybersecurity Centre even recommends that companies turn off Citrix until the problem is resolved. If you are unable to turn off Citrix for functional reasons, there are other mitigation options. Because there is no perfect solution for the vulnerabilities within Citrix, it may be better to simply whitelist known IP addresses, limiting exposure. Additionally, placing Citrix behind a firewall lets you filter access to the program, making it difficult for an attacker to navigate through your local network.
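The whitelist-plus-firewall mitigation above, as an added example that is not part of the original article or of any Citrix-supplied configuration: a POSIX shell script that validates a list of known client prefixes and emits an nftables ruleset that admits only those prefixes to the gateway's client port, logging and dropping every other attempt so the dropped traffic feeds the monitoring the article calls for. It assumes a Linux firewall (or the gateway host itself) running nftables; the gateway address 203.0.113.10, port 443 and the three allowlisted prefixes are constructed placeholder values.

```shell
#!/bin/sh
# Added example, not from the original article: build an nftables ruleset that
# restricts inbound access to a Citrix gateway's client port to known source
# prefixes and logs and drops everything else. The address, port and allowlist
# below are constructed placeholder values; replace them with your own.
set -eu

GATEWAY_ADDR="203.0.113.10"   # constructed: the gateway's reachable address
GATEWAY_PORT="443"            # constructed: the port clients connect to

# Constructed allowlist of trusted client prefixes (office egress, partner VPNs),
# one IPv4 CIDR per line.
ALLOWLIST="198.51.100.0/24
192.0.2.44/32
203.0.113.0/25"

# valid_cidr PREFIX: succeed only for a well-formed IPv4 CIDR (a.b.c.d/0-32).
# A malformed entry must never reach the firewall, where nft would either reject
# the whole ruleset or match something other than what the operator intended.
valid_cidr() {
    cidr="$1"
    case "$cidr" in
        */*) ip="${cidr%/*}"; mask="${cidr#*/}" ;;
        *)   return 1 ;;
    esac
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $ip                      # split the address into its octets
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ruleset: write the nftables ruleset to stdout. Only traffic to the gateway
# port is gated; everything else keeps the chain's accept policy so management
# paths are not cut off by this snippet. Fails closed on a bad or empty list
# rather than emitting a ruleset that would lock every client out by accident.
gen_ruleset() {
    elements=""
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        valid_cidr "$entry" || { echo "invalid allowlist entry: $entry" >&2; return 1; }
        if [ -z "$elements" ]; then elements="$entry"; else elements="$elements, $entry"; fi
    done <<EOF
$ALLOWLIST
EOF
    [ -n "$elements" ] || { echo "allowlist is empty; refusing to emit a ruleset" >&2; return 1; }
    cat <<EOF
table inet citrix_gw {
  set trusted_sources {
    type ipv4_addr
    flags interval
    elements = { $elements }
  }
  chain inbound {
    type filter hook input priority 0; policy accept;
    # known clients reach the gateway port
    ip daddr $GATEWAY_ADDR tcp dport $GATEWAY_PORT ip saddr @trusted_sources accept
    # every other source is logged for review and dropped
    ip daddr $GATEWAY_ADDR tcp dport $GATEWAY_PORT log prefix "citrix-gw-drop: " counter drop
  }
}
EOF
}

# Typical use: generate, syntax-check without loading, then load:
#   sh gen_citrix_gw.sh > citrix_gw.nft && nft -c -f citrix_gw.nft && nft -f citrix_gw.nft
gen_ruleset
```

The `log prefix "citrix-gw-drop: "` entries land in the kernel log, so a simple search for that prefix gives the list of unknown sources that tried to reach the gateway, which is the kind of suspicious activity the article says should be examined. Keep the allowlist under change control: an entry added by mistake widens exposure as quietly as a typo would close it.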