The dust hasn’t quite settled on the Citrix ADC vulnerability technically known as CVE-2019-19781, and affectionately known as “Sh*&rix” in some circles (this is important when tracking Tweets!).
At the time of initially writing this blog (10th -14th Feb 2020, how is it even 2020 already?!), there were still around 1-in-5 companies who have not applied this patch and are affected.
The evolution of this vulnerability was very interesting to me and to our clients, and really highlights the need to track risks to 3rd party technologies that are in a company’s ever enlarging tech stack.
Below is a visualization taken from our ShadowSearch tool that shows the increase in discussions around the Citrix ADC vulnerability during the period just before Citrix went public on the vulnerability:
Citrix Vulnerability Key Events
There was a lot of activity going on, and still going on, in regards to this vulnerability. Let’s look at some of the key events and how they unfolded:
| Date | Key Event | Detail |
| 17th December 2019 | Citrix releases statement on CVE-2019-19781 | Raises awareness of CVE, the fact it is being exploited in the wild and mitigation steps |
| 27th December 2019 | CVE-2019-19781 published on NIST | CVE released by Citrix receives a CVSS 3.0 score of 9.8 |
| Late December 2019 – Early January 2020 | 3rd party tool releases | Various different tools released to check if the if the mitigation recommended by Citrix works correctly for a specific deployment |
| Early Jan 2020 – Mid Feb 2020 | Lists of exposed organizations released | Various reconnaissance confirmed vulnerable lists of organizations are published to sources like Pastebin and GitHub |
| 7th of January 2020 | First discussions of exploits | Things start to heat up as the security community discuss being able to exploit the vulnerability.
The number of affected devices where people are scanning for it is now discussed. |
| 8th of January 2020 | NIST update details of the CVE | Additional context added |
| 11th of January 2020 | First exploit goes up on Exploit-DB | Internet buzz around this vulnerability drastically starts to increase |
| 13th of January 2020 | Second exploit goes up on Exploit-DB | Uses Metasploit Framework |
| 16th of January 2020 | Third exploit goes up on Exploit-DB | Written by Dhiraj Mishra |
| 17th-21st of Jan 2020 | More exploits go up on GitHub | ProjectZeroIndia and TrustedSec publish exploits on GitHub |
| 19th January 2020 | Citrix releases first wave of patches | Patches covering various versions of Citrix products |
| 20th of January 2020 | Citrix releases second wave of patches | Patches covering various versions of Citrix products |
| 24th of January 2020 | Fireye blogs about Ragnarok ransomware | Analysis confirms Ragnarok trying to exploit Citrix vulnerability, and NOTROBIN backdoor to maintain access |
| 24th of January – Now | Continued reports of on-going attacks | The story continues….. |
From an Intel Perspective – Citrix Vulnerability Timeline
If we look at this timeline, we see a common theme that often occurs around these vulnerabilities, not necessarily always in this order:
- Vulnerability released by vendor/on NIST – First official postings
- Internet “Chatter” – Offers some great (and not so great!) from the security community
- Exploits released in public – GitHub, Exploit-DB etc…
- More “Chatter”
- Attacks begin – Threat Actors take advantage deploying all sorts of malware etc…
- More “Chatter”
- Patches and Mitigations Released
- Reports of specific organisations having been targeted
Operationalizing the data, the Digital Shadows (now ReliaQuest) way!
Digital Shadows (now ReliaQuest)’ ShadowSearch tool is available within the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) service, and as a stand alone offering for organisations and MSSPs.
Our clients use this tool for many different reasons such as:
- IOC investigation
- Vulnerability Prioritization
- Threat Actor and Security Researcher Tracking
- Fraud Research
- 3rd Party Risk
For 3rd party risk, our clients will create alerts for their key 3rd party suppliers, be they part of their technology stack or otherwise. The above research used “Citrix ADC” in ShadowSearch, but is turned in to actionable data by:
- Being alerted immediately to new CVEs released for Citrix ADC
- Immediately alerts to new exploits released
- Daily alerts summarising results from internet “Chatter”, which can often be the beginnings of a potential threat, ongoing threats etc… This gives the ShadowSearch user a wide perspective of the current situation, and is often great when the CEO has read something on the train in and wants you to tell them more about it!
- New attacks and malware. Pivot in to other data to give more information on the malware like Ragnarok and identify and download IOCs for additional protection
- Immediate alerts from the Digital Shadows (now ReliaQuest) Intelligence Team, providing trusted research and remediation advice
If you’d like to try the ShadowSearch part of our platform for yourself, you can try it now here.
Or, contact one of our team who would be happy to give you a demonstration and show this and the many other use cases on offer.