Researchers have observed new activity from unknown attackers who are scanning for unpatched Citrix servers affected by the recently patched critical remote code execution vulnerability and exploiting them to deploy ransomware.
Currently, most of the ongoing activity exploits vulnerable Citrix servers in a way that leads to the deployment of coin miners and ransomware.
“I examined the files #REvil posted from http://Gedia.com after they refused to pay the #ransomware.”
“The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit.”
FireEye has detected the IP address 45[.]120[.]53[.]214 attempting to exploit CVE-2019-19781 at dozens of its clients, with the attackers executing a cURL command to download a shell script from hxxp://198.44.227[.]126:81/citrix/ld.sh.
Researchers also discovered a zip file containing five different files, including a Python script (scan.py) that would automate exploitation of the vulnerable systems it identified.
The attackers assembled this script from multiple open source projects and scripts, and the FireEye researchers believe that “further analysis and sandboxing of this binary brought all the pieces together—this threat actor may have been attempting to deploy ransomware aptly named ‘Ragnarok’.”
A Twitter post from Karsten surfaced an artifact of the Ragnarok ransomware, which the attackers used to infect systems by exploiting the Citrix server vulnerability.
Patching is ongoing: in December nearly 80,000 servers were vulnerable, and that number has now fallen to 11,372.
Indicators of Compromise
Table 3 provides the unique indicators discussed in this post.
| Indicator Type | Indicator | Notes |
| --- | --- | --- |
| Network | 45[.]120[.]53[.]214 | |
| Network | 198[.]44[.]227[.]126 | |
| Host | 91dd06f49b09a2242d4085703599b7a7 | piz.Lan |
| Host | 01af5ad23a282d0fd40597c1024307ca | de.py |
| Host | bd977d9d2b68dd9b12a3878edd192319 | ld.sh |
| Host | 0caf9be8fd7ba5b605b7a7b315ef17a0 | .new.zip |
| Host | 9aa67d856e584b4eefc4791d2634476a | x86.dll |
| Host | 55b40e0068429fbbb16f2113d6842ed2 | x64.dll |
| Host | b0acb27273563a5a2a5f71165606808c | scan.py |
| Host | 6cf1857e569432fcfc8e506c8b0db635 | xp_eternalblue.replay |
| Host | 9e408d947ceba27259e2a9a5c71a75a8 | eternalblue.replay |
| Host | e345c861058a18510e7c4bb616e3fd9f | avpass.exe |
| Host | 48452dd2506831d0b340e45b08799623 | since1969.exe |
| Email Address | asgardmaster5@protonmail[.]com | From ransom note |
| Email Address | ragnar0k@ctemplar[.]com | From ransom note |
| Email Address | j.jasonm@yandex[.]com | From ransom note |
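As an added example (not code from the original post or from FireEye), the script below parses the defanged indicator table above, refangs each value, and searches log lines for the network, file-hash and e-mail indicators. The indicator values are the ones published in the table; the log lines and their format are constructed for the example and are not real telemetry. The matching is anchored so that a longer IP such as 145.120.53.214 does not trigger on the 45.120.53.214 indicator, and hash comparison is case-insensitive because EDR products differ in how they print MD5 values.

```python
"""Match the defanged IoCs published in the post against sample log lines."""
import re
from typing import List, Pattern, Tuple

# Indicator table copied from the post (hashes, IPs and e-mail addresses are
# the published values; they are defanged with "[.]" exactly as in the post).
IOC_TABLE = """
| Indicator Type | Indicator | Notes |
| --- | --- | --- |
| Network | 45[.]120[.]53[.]214 | |
| Network | 198[.]44[.]227[.]126 | |
| Host | 91dd06f49b09a2242d4085703599b7a7 | piz.Lan |
| Host | 01af5ad23a282d0fd40597c1024307ca | de.py |
| Host | bd977d9d2b68dd9b12a3878edd192319 | ld.sh |
| Host | 0caf9be8fd7ba5b605b7a7b315ef17a0 | .new.zip |
| Host | 9aa67d856e584b4eefc4791d2634476a | x86.dll |
| Host | 55b40e0068429fbbb16f2113d6842ed2 | x64.dll |
| Host | b0acb27273563a5a2a5f71165606808c | scan.py |
| Host | 6cf1857e569432fcfc8e506c8b0db635 | xp_eternalblue.replay |
| Host | 9e408d947ceba27259e2a9a5c71a75a8 | eternalblue.replay |
| Host | e345c861058a18510e7c4bb616e3fd9f | avpass.exe |
| Host | 48452dd2506831d0b340e45b08799623 | since1969.exe |
| Email Address | asgardmaster5@protonmail[.]com | From ransom note |
| Email Address | ragnar0k@ctemplar[.]com | From ransom note |
| Email Address | j.jasonm@yandex[.]com | From ransom note |
"""

# Constructed sample log lines (not real telemetry): a web access log entry, a
# proxy log entry, an EDR file event, a near-miss IP, a benign request, mail log.
SAMPLE_LOG_LINES = [
    '2020-01-17T10:02:11Z 45.120.53.214 "GET /vpn/index.html HTTP/1.1" 200',
    '2020-01-17T10:02:14Z proxy allow src=10.0.0.5 url=http://198.44.227.126:81/citrix/ld.sh',
    '2020-01-17T10:05:00Z edr file_created path=/tmp/ld.sh md5=BD977D9D2B68DD9B12A3878EDD192319',
    '2020-01-17T10:06:00Z 145.120.53.214 "GET /vpn/index.html HTTP/1.1" 200',
    '2020-01-17T11:00:00Z 203.0.113.7 "GET /vpn/index.html HTTP/1.1" 200',
    '2020-01-17T11:03:00Z mail from=victim@example.com to=ragnar0k@ctemplar.com',
]

Ioc = Tuple[str, str, str]  # (type, refanged indicator, note)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live form so it can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc_table(table: str) -> List[Ioc]:
    """Parse the data rows of a pipe-delimited indicator table."""
    rows: List[Ioc] = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3:
            continue  # not a three-column row
        if cells[0] == "Indicator Type" or set(cells[0]) <= {"-"}:
            continue  # header or separator row
        rows.append((cells[0], refang(cells[1]), cells[2]))
    return rows


def build_matchers(iocs: List[Ioc]) -> List[Tuple[Ioc, Pattern[str]]]:
    """Compile one anchored, case-insensitive regex per indicator.

    IPs must not be bordered by digits or dots, so 145.120.53.214 does not
    match 45.120.53.214; hashes and addresses must not be bordered by
    identifier characters, so a hash is not matched inside a longer token.
    """
    matchers = []
    for ioc in iocs:
        itype, value, _note = ioc
        if itype == "Network":
            pattern = r"(?<![\d.])" + re.escape(value) + r"(?![\d.])"
        else:
            pattern = r"(?<![A-Za-z0-9._@-])" + re.escape(value) + r"(?![A-Za-z0-9._@-])"
        matchers.append((ioc, re.compile(pattern, re.IGNORECASE)))
    return matchers


def scan_lines(lines: List[str], matchers) -> List[Tuple[int, str, str, str]]:
    """Return (line number, type, indicator, note) for every indicator hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for (itype, value, note), regex in matchers:
            if regex.search(line):
                hits.append((lineno, itype, value, note))
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG_LINES, build_matchers(parse_ioc_table(IOC_TABLE))):
        print("line %d: %s indicator %s (%s)" % hit)
```

On the constructed sample, lines 1, 2, 3 and 6 produce hits (the two network indicators, the ld.sh hash and the ransom-note address); the near-miss IP on line 4 and the benign request on line 5 do not. Feeding real proxy, web-server and EDR exports into `scan_lines` in place of `SAMPLE_LOG_LINES` is the only change needed to use it for a retrospective sweep.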