On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.
Mass scanning activity detected from 126.96.36.199 (🇩🇪) checking for Citrix NetScaler Gateway endpoints vulnerable to CVE-2019-19781.
— Bad Packets Report (@bad_packets) January 10, 2020
The activity detected from 188.8.131.52 attempted to download the “smb.conf” file. This configuration file doesn’t appear to contain highly sensitive information by default, however a successful response to the scan will indicate the targeted server is vulnerable to further attacks.
On Sunday, January 12, 2020, our honeypots detected multiple CVE-2019-19781 exploit attempts from a host in Poland. This differed from the previous scanning activity as it conducted the actual remote code execution exploit and targeted ports 443, 2083, 2087, and 8443/tcp.
⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 184.108.40.206 (🇵🇱) checking for Citrix (NetScaler) Gateway servers vulnerable to CVE-2019-19781.
Ports targeted: 443, 2083, 2087, & 8443/tcp
— Bad Packets Report (@bad_packets) January 12, 2020
Given the ongoing scanning activity detected by security researcher Kevin Beaumont and SANS ISC since January 8, 2020 – it’s likely attackers have enumerated all publicly accessible Citrix ADC and Citrix (NetScaler) Gateway endpoints vulnerable to CVE-2019-19781.
How many hosts are vulnerable to CVE-2019-19781?
Using data provided by BinaryEdge, we scanned over 60,000 Citrix endpoints to determine which were vulnerable. On Saturday, January 11, 2020, our scans found a total of 25,121 unique IPv4 hosts worldwide vulnerable to CVE-2019-19781. Of these results, we cataloged 18,155 SSL certificates with unique domain names.
No sensitive information was disclosed or recorded during our scans as we only sent a HTTP HEAD request to confirm the vulnerability.
Where are the vulnerable servers located?
Vulnerable hosts were found in 122 countries around the world.
This interactive map shows the total vulnerable hosts found per country. Overall, the most vulnerable Citrix endpoints were located in the United States.
What type of organizations are affected by CVE-2019-19781?
4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We’ve discovered this vulnerability currently affects:
- Military, federal, state, and city government agencies
- Public universities and schools
- Hospitals and healthcare providers
- Electric utilities and cooperatives
- Major financial and banking institutions
- Numerous Fortune 500 companies
How is CVE-2019-19781 exploited and what is the risk?
This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise.
Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.
Citrix has provided a list of products impacted by CVE-2019-19781. Organizations using vulnerable Citrix ADC and Citrix (NetScaler) Gateway servers should immediately follow the recommended mitigations steps to prevent compromise. No patch is available yet for this vulnerability, however Citrix expects to release a firmware update by the end of January 2020. Given the criticality (CVSS score: 9.8) coupled with the risk of unauthorized access to private networks, there’s little time to take action before threat actors begin exploiting vulnerable servers.
How to obtain our CVE-2019-19781 report
Due to the sensitive nature of this vulnerability, the affected Citrix endpoints detected by our scans will not be shared publicly. However, the list is freely available for authorized government CERT, CSIRT, ISAC, and law enforcement teams to review. FIRST Team membership is preferred, but not required.
A feed of hosts conducting CVE-2019-19781 related scans and exploit activity is available for our Research and Enterprise CTI customers. Commercial licenses are also available for our vulnerability data, please contact us for more information.
We’ve shared our findings directly with US-CERT (CISA/DHS) and other U.S. federal law enforcement agencies for further investigation and remediation. Additionally, we notified these organizations: ACSC, aeCERT, Amazon SIRT, AusCERT, CareCERT, CCCS, CCN-CERT, CERT Nazionale Italia, CERT NZ, CERT Orange Cyberdefense, CERT POLSKA, CERT.at, CERT.be, CERT.br, CERT.hr, CERT.LV, CERT.PT, CERT/CC, CERT-Bund, CERT-FR (ANSSI), CERTGOVIL, CERT-In, CERT-MX, CERT-SE, CFCS-DK, CIRCL.LU, CNCERT/CC, colCERT, CSIRT BNP Paribas, CSIRT-DSP, Deutsche Telekom CERT, DKCERT, ECS-CSIRT, E-ISAC, FSA SOC (ed.gov), FS-ISAC, GovCERT.ch, GovCERT.CZ, GovCERT.HK, GOVCERT.LU, H-ISAC, HKCERT, ICIC-CERT, INCIBE-CERT, JPCERT/CC, KN-CERT, KPN-CERT, Legal-ISAC (NL), MSCERT (MSRC), MS-ISAC, MyCERT, NCIIPC, NCIS (DoD), NCSC, NCSC-FI, NCSC-IE, NCSC-NL, NCSC-NZ, NorCER, NTT-CERT, Q-CERT, REN-ISAC, RT CERT, RU-CERT, SANReN CSIRT, Saudi CERT, SingCERT, SUNet CERT, ThaiCERT, TWCERT/CC, TWNCERT, YOROI-CSDC, and Z-CERT.
This list will be updated frequently as notifications are still ongoing by Bad Packets.