Hackers are closing the Shitrix security hole to keep everyone out of Citrix servers apart from themselves

Graham Cluley

Hackers are closing the Shitrix security hole to keep everyone out apart from themselves

Hackers are closing the Shitrix security hole to keep everyone out apart from themselves

Just over a week ago, it was revealed that hackers were exploiting a vulnerability to compromise VPN gateways used by many businesses worldwide.

The vulnerability, officially known as CVE-2019-19781 but unofficially named “Shitrix”, was found on Citrix Application Delivery Controller and Citrix Gateway servers (formerly known as Netscaler ADC and Netscaler Gateway respectively), but at the time of writing Citrix still hasn’t released a patch.

Well, there’s good news and bad news.

First the good news:

Hackers are exploiting the Shitrix flaw to access the vulnerable servers, clean up known malware infections (such as cryptocurrency mining code) on your behalf, and apply Citrix’s recommended mitigation steps to block future attempts to exploit the vulnerability.

Well, that sounds kind of them, doesn’t it? Hmm.

So, here’s the bad news:

As researchers at FireEye describe, the mitigation code executed by the hacking group to protect the Citrix servers from further exploitation contains a secret backdoor.

In short, the hackers have locked other hackers out of the vulnerable servers – but not themselves.

FireEye’s team have dubbed the previously-unseen payload installed by the hackers, NOTROBIN.

“FireEye believes that actors deploy NOTROBIN to block exploitation of the CVE-2019-19781 vulnerability while maintaining backdoor access to compromised NetScaler devices. The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.”

“Across multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we’ve recovered nearly 100 keys from different binaries. These look like MD5 hashes, though FireEye has been unsuccessful in recovering any plaintext. Using complex, unique keys makes it difficult for third parties, such as competing attackers or FireEye, to easily scan for NetScaler devices “protected” by NOTROBIN. This actor follows a strong password policy!”

NOTROBIN may be successfully inoculating vulnerable devices from further Shitrix attacks, but it’s also opening up those devices to future cybercriminal campaigns. That doesn’t sound much like the behaviour of “Robin Hood” to me.

It’s always better to defend your systems yourself or have someone you trust do it for you, rather than have an unknown hacking gang take it upon themselves to clean up the mess. After all, you can’t be sure they won’t have ulterior motives…

Citrix has promised firmware updates for its vulnerable systems by the end of the month.

Further reading: Good news. Citrix delivers first patches to mop up Shitrix flaw that is being actively exploited

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.