Citrix has finally begun releasing security patches for a critical vulnerability in its ADC and Gateway software that attackers started exploiting in the wild earlier this month, after the company disclosed the issue without shipping a permanent fix.
Since attackers waste no time exploiting vulnerable systems, even that short window led to the compromise of scores of Internet-exposed Citrix ADC and Gateway systems.
The flaw, tracked as CVE-2019-19781, is a path traversal issue that allows unauthenticated remote attackers to execute arbitrary code on multiple versions of Citrix ADC and Gateway products.
Rated critical with a CVSS v3.1 base score of 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December.
The vulnerability has been actively exploited in the wild since last week by multiple hacking groups and individual attackers, following the public release of several proof-of-concept exploits.
Security experts said that, as of today, more than 15,000 publicly accessible Citrix ADC and Gateway servers remain vulnerable and could be exploited immediately to gain a foothold in enterprise networks.
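Because the bug is a path traversal, the first thing a practitioner with an exposed appliance wants is a quick way to triage HTTP access logs for requests that use dot-dot segments to escape the directory the URL claims to target. The script below is an added example written for this article; it is not Citrix's, FireEye's or the researcher's code, and it does not reproduce the actual exploit request. The log lines are constructed samples in Common Log Format, the paths in them are invented, and it handles the edge cases a naive grep misses: percent-encoded and double-encoded dots, backslashes, and traversal that stays inside the original directory (flagged, but not marked as escaping).

```python
import posixpath
import re
from urllib.parse import unquote

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real captures); paths are invented for illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532
203.0.113.11 - - [13/Jan/2020:10:01:05 +0000] "GET /vpn/../etc/passwd HTTP/1.1" 200 402
203.0.113.12 - - [13/Jan/2020:10:01:09 +0000] "POST /vpn/..%2F..%2Fcfg/app.conf?x=1 HTTP/1.1" 200 88
203.0.113.13 - - [13/Jan/2020:10:01:11 +0000] "GET /vpn/%252e%252e/portal/x.pl HTTP/1.1" 200 51
203.0.113.14 - - [13/Jan/2020:10:01:15 +0000] "GET /vpn/js/..dots/app.js HTTP/1.1" 200 9001
203.0.113.15 - - [13/Jan/2020:10:01:20 +0000] "GET /vpn/a/../b.html HTTP/1.1" 404 0
"""


def decode_path(target, rounds=2):
    """Drop the query string and percent-decode up to `rounds` times.

    Two rounds catch double-encoding such as %252e%252e -> %2e%2e -> '..'.
    Backslashes are folded to '/' because some servers treat them as separators.
    """
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def top_dir(path):
    """First path component, e.g. 'vpn' for '/vpn/x', or '' for '/'."""
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else ""


def analyze_target(target):
    """Classify one request target.

    traversal      : the decoded path contains a literal '..' segment
                     ('..dots' as a filename does not count).
    escaped_prefix : after normalisation the request lands outside the
                     top-level directory its URL started in.
    """
    decoded = decode_path(target)
    normalized = posixpath.normpath(decoded)
    has_dotdot = ".." in decoded.split("/")
    escaped = has_dotdot and top_dir(decoded) != top_dir(normalized)
    return {
        "decoded": decoded,
        "normalized": normalized,
        "traversal": has_dotdot,
        "escaped_prefix": escaped,
    }


def find_traversal(log_text):
    """Return one record per log line whose request target uses '..' traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        info = analyze_target(m["target"])
        if info["traversal"]:
            hits.append({"ip": m["ip"], "method": m["method"],
                         "status": int(m["status"]), **info})
    return hits


if __name__ == "__main__":
    for h in find_traversal(SAMPLE_LOG):
        flag = "ESCAPES" if h["escaped_prefix"] else "in-dir"
        print(f'{h["ip"]} {h["method"]} {h["decoded"]} -> {h["normalized"]} [{flag}] {h["status"]}')
```

The "escaped_prefix" distinction matters for triage: a request that normalises to a path under a different top-level directory than the one it named is the pattern a traversal exploit relies on, whereas `..` that stays inside the same directory is usually a sloppy client. A 200 status on an escaping request is the line to look at first.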
Researchers at FireEye uncovered a campaign in which an actor was compromising vulnerable Citrix ADCs to install a previously unseen payload, dubbed NOTROBIN, that scans the device for cryptominers and malware planted by other attackers and removes them, preserving exclusive backdoor access for its operator.
“This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device,” FireEye said.
“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators.”