The dust hasn’t quite settled on the Citrix ADC vulnerability technically known as CVE-2019-19781, and affectionately known as “Sh*&rix” in some circles (this is important when tracking Tweets!).

At the time of initially writing this blog (10th -14th Feb 2020, how is it even 2020 already?!), there were still around 1-in-5 companies who have not applied this patch and are affected.

The evolution of this vulnerability was very interesting to me and to our clients, and really highlights the need to track risks to 3rd party technologies that are in a company’s ever enlarging tech stack.

Below is a visualization taken from our ShadowSearch tool that shows the increase in discussions around the Citrix ADC vulnerability during the period just before Citrix went public on the vulnerability:

Citrix vulnerability

 

Citrix Vulnerability Key Events

There was a lot of activity going on, and still going on, in regards to this vulnerability. Let’s look at some of the key events and how they unfolded:

Date Key Event Detail
17th December 2019 Citrix releases statement on CVE-2019-19781 Raises awareness of CVE, the fact it is being exploited in the wild and mitigation steps
27th December 2019 CVE-2019-19781 published on NIST CVE released by Citrix receives a CVSS 3.0 score of 9.8
Late December 2019 – Early January 2020 3rd party tool releases Various different tools released to check if the if the mitigation recommended by Citrix works correctly for a specific deployment
Early Jan 2020 – Mid Feb 2020 Lists of exposed organizations released Various reconnaissance confirmed vulnerable lists of organizations are published to sources like Pastebin and GitHub
7th of January 2020 First discussions of exploits Things start to heat up as the security community discuss being able to exploit the vulnerability.

 

The number of affected devices where people are scanning for it is now discussed.
8th of January 2020 NIST update details of the CVE Additional context added
11th of January 2020 First exploit goes up on Exploit-DB Internet buzz around this vulnerability drastically starts to increase
13th of January 2020 Second exploit goes up on Exploit-DB Uses Metasploit Framework
16th of January 2020 Third exploit goes up on Exploit-DB Written by Dhiraj Mishra
17th-21st of Jan 2020 More exploits go up on GitHub ProjectZeroIndia and TrustedSec publish exploits on GitHub
19th January 2020 Citrix releases first wave of patches Patches covering various versions of Citrix products
20th of January 2020 Citrix releases second wave of patches Patches covering various versions of Citrix products
24th of January 2020 Fireye blogs about Ragnarok ransomware Analysis confirms Ragnarok trying to exploit Citrix vulnerability, and NOTROBIN backdoor to maintain access
24th of January – Now Continued reports of on-going attacks The story continues…..

 

From an Intel Perspective – Citrix Vulnerability Timeline

If we look at this timeline, we see a common theme that often occurs around these vulnerabilities, not necessarily always in this order:

  1. Vulnerability released by vendor/on NIST – First official postings
    Citrix vulnerability NIST 1
    Citrix vulnerability NIST 2
  2. Internet “Chatter” – Offers some great (and not so great!) from the security community
    Citrix vulnerability internet chatter
  3. Exploits released in public – GitHub, Exploit-DB etc…
    Citrix vulnerability exploits released
  4. More “Chatter”
  5. Attacks begin – Threat Actors take advantage deploying all sorts of malware etc…
    citrix vulnerability attacks begin
  6. More “Chatter”
  7. Patches and Mitigations Released
  8. Reports of specific organisations having been targeted

 

Operationalizing the data, the Digital Shadows (now ReliaQuest) way!

Digital Shadows (now ReliaQuest)’ ShadowSearch tool is available within the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) service, and as a stand alone offering for organisations and MSSPs.

Our clients use this tool for many different reasons such as:

  • IOC investigation
  • Vulnerability Prioritization
  • Threat Actor and Security Researcher Tracking
  • Fraud Research
  • 3rd Party Risk

For 3rd party risk, our clients will create alerts for their key 3rd party suppliers, be they part of their technology stack or otherwise. The above research used “Citrix ADC” in ShadowSearch, but is turned in to actionable data by:

  1. Being alerted immediately to new CVEs released for Citrix ADC
  2. Immediately alerts to new exploits released
  3. Daily alerts summarising results from internet “Chatter”, which can often be the beginnings of a potential threat, ongoing threats etc… This gives the ShadowSearch user a wide perspective of the current situation, and is often great when the CEO has read something on the train in and wants you to tell them more about it!
  4. New attacks and malware. Pivot in to other data to give more information on the malware like Ragnarok and identify and download IOCs for additional protection
  5. Immediate alerts from the Digital Shadows (now ReliaQuest) Intelligence Team, providing trusted research and remediation advice

If you’d like to try the ShadowSearch part of our platform for yourself, you can try it now here.

Or, contact one of our team who would be happy to give you a demonstration and show this and the many other use cases on offer.