Last week, we wrote that publicly available exploits had appeared for the critical vulnerability CVE-2019-19781, recently found in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway).
Let me remind you that, according to experts, this problem threatens 80,000 companies in 158 countries and allows attackers to take over the devices, gaining access to the company's internal network. The bug is so serious that it is considered one of the most dangerous vulnerabilities discovered in recent years.
The main problem is that more than a month passed after the vulnerability was discovered, yet Citrix developers were in no hurry to release a patch. At first, the company limited itself to mitigation guidance explaining to customers how to reduce the risk, and the actual fix appeared only yesterday, January 19, 2020.
After the exploits were published, attacks on vulnerable Citrix installations intensified as expected, since numerous attackers hope to compromise a high-value target: a corporate network, a state-owned server, or a government agency.
FireEye specialists warned that at least one of the many attackers operates through Tor and exhibits unusual behavior: it deploys a payload named NotRobin on compromised servers. According to FireEye analysts, NotRobin has two main purposes. First, it serves as a backdoor into the compromised Citrix device. Second, it acts as a kind of antivirus, removing other malware found on the system and thereby preventing other attackers from leaving their own payloads on the host. No additional malware besides NotRobin was installed on the infected servers.
FireEye researchers doubt that a good Samaritan is behind these attacks. In their report, they write that the attacker is most likely just harvesting access to vulnerable devices, "cleaning" them, and preparing for the next campaign.