Security experts are monitoring a spike in attacks against Citrix servers after researchers announced that proof-of-concept exploits for the CVE-2019-19781 flaw in Citrix NetScaler ADC and Citrix NetScaler Gateway servers were available online.
Researchers from FireEye noticed that one of the threat actors involved in the attacks is patching the vulnerable Citrix servers, installing their own backdoor, tracked as NOTROBIN, to clean up other malware infections and to lock out any other threat from exploiting the CVE-2019-19781 Citrix flaw.
“One particular threat actor that’s been deploying a previously-unseen payload for which we’ve created the code family NOTROBIN,” reads a report published by FireEye.
“Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.”
The popular expert Kevin Beaumont first reported the scans for vulnerable systems earlier in January, but the exploits were made public only last week.
The issue affects all supported product versions and all supported platforms:
It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S. (38%), followed by the UK, Germany, the Netherlands, and Australia.
The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies.
The NOTROBIN backdoor was designed to prevent subsequent exploitation of the flaw on Citrix servers and also to establish backdoor access, a circumstance that suggests that attackers are preparing future attacks.
Experts pointed out that the threat actor exploits CVE-2019-19781 to execute shell commands: the attackers send the malicious payload to the vulnerable newbm.pl CGI script through an HTTP POST request from a Tor exit node.
Below is a web server access log entry recording the exploitation attempt:
127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"
The experts have yet to recover the POST body contents and analyze them.
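The log entry above can be turned into a detection check. The following is an added example, not code from FireEye's report or from this article: it scans access log lines for requests that climb from /vpn/ into /vpns/ with "..", and goes slightly beyond the single entry shown by also catching percent-encoded and double-encoded forms. The sample lines other than the first, and all function names, are constructed for the example.

```python
import re
from urllib.parse import unquote

# NCSA/Apache-style access log line, the format of the entry quoted in the article.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A request that starts under /vpn/ and climbs out with ".." into /vpns/.
TRAVERSAL_RE = re.compile(r"^/vpn/(?:[^/]+/)*\.\./vpns/", re.IGNORECASE)

def normalise(path):
    """Drop the query string, percent-decode (bounded, catches double encoding), collapse slashes."""
    path = path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path.replace("\\", "/"))

def is_traversal(path):
    return bool(TRAVERSAL_RE.match(normalise(path)))

def scan(lines):
    """Return one record per log line whose request path matches the traversal pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append({"line": number, "src": m["src"], "time": m["time"],
                         "method": m["method"], "path": m["path"],
                         "status": int(m["status"])})
    return hits

# Constructed sample: line 1 is the article's entry with plain ASCII quotes and hyphens;
# the other lines are invented for the example (documentation address ranges).
SAMPLE_LOG = [
    '127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"',
    '192.0.2.10 - - [12/Jan/2020:21:56:02 -0500] "GET /vpn/index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2020:21:57:40 -0500] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 - "-" "curl/7.67.0"',
    '192.0.2.10 - - [12/Jan/2020:21:58:11 -0500] "GET /vpns/portal/homepage.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A match shows that a traversal request reached the server, not that it succeeded; hosts with matches are the ones to check first for the /tmp/.init folder and the /var/nstmp/.nscache/httpd file described below.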
The attackers then execute a one-line bash script to remove crypto-miners, create a hidden staging folder (/tmp/.init) and download NOTROBIN to it, and install /var/nstmp/.nscache/httpd for persistence via the cron daemon.
NOTROBIN is written in Go. It scans every second for specific files and deletes them. If the filename or file content includes a hardcoded key, the files are not deleted.
“The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time,” continues the analysis.
The experts from FireEye noticed threat actors deploying NOTROBIN with unique keys; they observed nearly 100 keys from different binaries.
The keys look like MD5 hashes. The use of unique keys makes it difficult for third parties, including competing attackers, to scan for NetScaler devices already infected with NOTROBIN.
“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027,” concludes FireEye. “NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.”
Further technical details are reported in the analysis published by FireEye, including Indicators of Compromise (IoCs).
(SecurityAffairs – Citrix Servers, CVE-2019-19781)