Over the course of a week, the security implications have grown more dire for a critical vulnerability in two popular products made by Citrix, a vendor of corporate remote-access and virtual private network (VPN) software used at many Fortune 500 companies.
The flaw exists in Citrix ADC, an application delivery controller that organizations deploy on premises or in the cloud, and in Citrix Gateway, which gives employees remote access to corporate applications. Experts say that successful exploitation of the bug could allow a hacker to burrow into the many enterprise networks that sit behind the software. The result could be the exposure or theft of corporate information from Citrix clients who otherwise trust technology provided by the $2.5 billion company.
First, experts warned that attackers would soon begin exploiting the flaw. Citrix then issued an advisory saying that its recommended stop-gap mitigations would address the issue. But as researchers reported that hackers had begun exploiting the vulnerability, Citrix updated its advisory to say that, on certain software builds, the mitigations would not work, and told customers running those builds to move to a different build.
Late on Thursday night, cybersecurity company FireEye revealed another plot twist: an unknown hacker, or group of hackers, was exploiting the vulnerability on Citrix devices, removing other attackers' malware from each compromised device, and planting their own code, likely as a backdoor for future access.
Eight times per second, the attacker's code scans for files left behind by other attempts to exploit the Citrix vulnerability and removes them, blocking those attempts, according to FireEye.
“FireEye believes that this actor may be quietly collecting access to [these Citrix] devices for a subsequent campaign,” the company said in a blog post.
Citrix meanwhile is preparing full security fixes for the bug to be released later this month, the company said.
It’s the kind of attacker-on-attacker slugfest that fascinates security analysts.
Can you imagine the Citrix server battle grounds as hacker gangs square off to see who can secure the box against fresh attacks, boot off their rivals, and exploit their access for *something* before the whole house of cards comes crashing down? #thebattleof0daysand0nights
— thaddeus e. grugq (@thegrugq) January 16, 2020
In one case, FireEye analysts said they saw a single vulnerable device being hacked by multiple actors. But after the backdoor-planting attacker entered the fray on Jan. 12, it blocked more than a dozen further attempts by others to exploit the vulnerability on that device.
It's unclear what the vigilante attacker's endgame is, but FireEye analysts don't believe it's benevolent.
“While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows,” said FireEye’s William Ballenthin and Josh Madeley.
In an emailed statement, Citrix CISO Fermin J. Serna said that “despite a few reports to the contrary, these mitigations do work and are effective in thwarting attacks if all steps are followed.”
“We are encouraging our customers to immediately apply the mitigations and patches as soon as they become available and appreciate FireEye’s support in underscoring the importance of doing so,” Serna said, adding that the company has coordinated closely with its customers on the issue.
As Citrix was updating its security advisory, the Netherlands' National Cyber Security Centre (NCSC) was being explicit about what it said were the shortcomings of the mitigations.
“The NCSC emphasizes that there is currently no good, guaranteed reliable solution for all versions of Citrix ADC and Citrix Gateway servers,” the Dutch agency said Thursday.
“Depending on the impact, the NCSC recommends considering switching off the Citrix ADC and Gateway servers,” the agency said.
Dave Kennedy, founder of cybersecurity company TrustedSec, said he knows Citrix clients who are doing just that.
“I’m in contact with a lot of Citrix customers and many have completely shut them down because they lack confidence in the mitigating controls,” Kennedy told CyberScoop.