Multiple threat actors are attacking Citrix servers that have not been patched against CVE-2019-19781. The flaw affects Citrix Application Delivery Controller (ADC), Citrix Gateway, and two older releases of the Citrix SD-WAN WANOP appliance, and was announced on December 17, 2019. Public exploit code for the vulnerability began to appear on January 11, 2020.
Citrix completed the release of permanent fixes on Friday, January 24, 2020. Mitigations had been published earlier and were effective on most affected products, although Citrix later confirmed that they did not work on certain ADC 12.1 builds. Even though the flaw is critical, many enterprises were slow to implement the mitigations and to apply the patches.
Several threat actors are now exploiting the vulnerability, at least one of them installing a backdoor as a prelude to ransomware. Researchers at FireEye issued a warning after they detected the flaw being used to deliver a backdoor they named NOTROBIN, which removes competing malware and blocks other attackers' exploitation attempts while reserving a key-gated backdoor for its operator, so a device can appear mitigated while still being under attacker control.
FireEye reports that the threat actors were attempting to deploy the Ragnarok ransomware variant, and there have also been reports of the flaw being used to drop cryptocurrency miners. The ransom demanded by the Ragnarok operators is 1 BTC, around $8,600 at the time, per infected device. FireEye has seen exploitation attempts since January 10, 2020; its own clients were protected from the attacks, but other companies may not be so fortunate.
Another ransomware gang known to be exploiting the flaw is REvil (Sodinokibi). Several firms have been attacked, including Gedia Automotive Group, a German car-parts manufacturer. The REvil gang steals data before deploying the ransomware and threatens to publish it if the ransom is not paid; Gedia refused to pay, and some of the data stolen in the attack has now been posted online.
Enterprises that have applied the patch or implemented the mitigations are not necessarily out of the woods. The vulnerability may already have been exploited while devices were exposed, and attackers may still have access to the network. Enterprises running affected Citrix products should therefore check their appliances for evidence of past exploitation.
FireEye, in conjunction with Citrix, has released a scanner that checks a Citrix ADC or Gateway appliance for signs that the vulnerability has been exploited and the device compromised. A clean result does not prove that no attack has occurred: the scanner only identifies attacks for which indicators of compromise (IOCs) are known.
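As an added example, not from the original article and not the FireEye/Citrix scanner, here is the kind of check an organization can run itself: scan a copy of the appliance's HTTP access log for the publicly documented CVE-2019-19781 request pattern (directory traversal from /vpn/ into /vpns/, a template written through newbm.pl, then fetched as an .xml file) and separate attempts that reached the web server with a 200 from those the Citrix responder-policy mitigation turned away with a 403. The log lines are constructed for this example; the addresses, timestamps, sizes, user agents and the backdoor.xml filename are invented.

```python
import gzip
import re
import sys
from urllib.parse import unquote

# Constructed sample entries in the Apache-style format that Citrix ADC /
# Gateway writes to /var/log/httpaccess.log. Everything except the request
# paths is invented; the paths follow the public exploitation pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2020:03:12:41 +0000] "GET /vpn/index.html HTTP/1.1" 200 1817 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jan/2020:03:14:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.64.0"
198.51.100.23 - - [11/Jan/2020:03:14:03 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "curl/7.64.0"
198.51.100.23 - - [11/Jan/2020:03:14:04 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 0 "-" "curl/7.64.0"
203.0.113.7 - - [25/Jan/2020:18:00:10 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "python-requests/2.22.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalize_path(raw: str) -> str:
    """Drop the query string and percent-decode until stable, so that
    %2e%2e and double-encoded %252e%252e both end up as '..'."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(method: str, path: str):
    """Map a request to a stage of the exploit chain, or None if benign."""
    if "/../" not in path or "/vpns/" not in path:
        return None
    if method == "POST" and path.endswith("/vpns/portal/scripts/newbm.pl"):
        return "write"      # attacker writes a template containing Perl code
    if "/vpns/portal/" in path and path.endswith(".xml"):
        return "execute"    # rendering the template runs the injected code
    return "probe"          # e.g. GET /vpns/cfg/smb.conf to confirm the flaw


def scan_log(text: str):
    """Return one record per request that matches the exploit pattern."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["path"])
        stage = classify(m["method"], path)
        if stage is None:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "stage": stage, "path": path,
            "status": status,
            # 403 is what the Citrix responder-policy mitigation returns; a 200
            # means the request reached the vulnerable handler.
            "outcome": "succeeded" if status == 200 else "blocked",
        })
    return hits


def likely_compromised(hits) -> bool:
    """True if a write or execute stage got a 200: treat the device as
    compromised and hunt further, rather than just re-applying the patch."""
    return any(h["stage"] in ("write", "execute") and h["outcome"] == "succeeded"
               for h in hits)


def scan_file(path: str):
    """Scan a live or rotated (.gz) copy of httpaccess.log."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as f:
        return scan_log(f.read())


if __name__ == "__main__":
    files = sys.argv[1:]
    hits = [h for p in files for h in scan_file(p)] if files else scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]:>15} {h["stage"]:<7} {h["status"]} {h["path"]}')
    print("likely compromised:", likely_compromised(hits))
```

Run it against copies of /var/log/httpaccess.log and the rotated .gz files pulled from the appliance. As with the FireEye scanner, a negative result is not proof of absence: the check recognises this one request pattern only, an attacker who gained shell access can edit or truncate the log, and log rotation may no longer cover the window in which the device was exposed.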