What We Do
How we do it
Resources
SECURITY ADVISORIES
Sep 23, 2021
SolarMarker Malware Activity
THE THREAT eSentire has observed a recent and significant increase in SolarMarker infections delivered through drive-by download attacks. These attacks rely on social engineering techniques to persuade users to execute malware disguised as document templates. SolarMarker is a modular information-stealing malware; infections may result in the theft of sensitive data including user credentials.…
Read More
View all Advisories →
Company
ABOUT eSENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Aug 25, 2021
eSentire named a Leader in IDC MarketScape for U.S. Managed Detection and Response Services
August 26, 2021 – Waterloo, ON -  eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), announced today that it has been named a Leader in the IDC MarketScape: U.S. Managed Detection and Response Services 2021 Vendor Assessment (doc #US48129921, August 2021). IDC defines the core services an MDR must provide as follows: reduced time for onboarding, 24/7…
Read More
Partners
PARTNER PROGRAM
Partners
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Search
Resources
Security advisories — Jan 16, 2020

Critical Update To Citrix Vulnerability Exploited

The Threat:

Citrix has updated their security bulletin with important new information. Please see the What You Should Do About It section below.

The eSentire Security Operations Center (SOC) has observed a behavior change in the active exploitation of Citrix’s vulnerability. This vulnerability is actively being used by threat groups to weaponize for other malicious purposes, in particular, targeting data to exfiltrate. This is in addition to the delivery of cryptocurrency mining malware, as we notified on January 13, 2020.

The SOC is actively responding to and effectively containing multiple incidents of vulnerable Citrix appliances. Given the expected two-week lag time between current events and formal patch releases from Citrix, and the lack of adoption of Citrix’s recommended mitigations, our cyber security experts are the most effective defense at this time.

What we’re doing about it:

What you should do about it:

Additional information:

CVE-2019-19781 allows simple directory traversal by a remote attacker in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. Additionally, the vulnerability affects the Citrix SD-WAN WANOP appliance, versions 10.2.6 and 11.0.3. No patches have been made available at this time.

From Citrix Advisory:

The vulnerability affects all supported product versions and all supported platforms:

Event Timeline

Jan 16 - Citrix discloses new impacted products, bugs in Citrix ADC build 12.1, and a CVE verification tool.

Jan 15 – Tactics switched to more sophisticated methods

Jan 12 - Exploitation to deliver cryptocurrency mining malware was identified by eSentire

Jan 8 - Initial Citrix advisory was released by eSentire [7]

Jan 8 - Active exploitation of honeypot environment observed by researcher Kevin Beaumont [6]

Dec 31 - SANS releases a speculative proof of concept [5]

Dec 23 - Positive Technologies comments on the potential impact of the vulnerability [4]

Dec 16 - Mitigation steps provided by Citrix [1]

Dec 16 - Vulnerability publicly disclosed by Citrix [3]

Expected Patch Release [8]

Citrix ADC Version

Expected Patch Release Date

13

Jan 27, 2020

12.1

Jan 27, 2020

12

Jan 20, 2020

11.1

Jan 20, 2020

10.5

Jan 31, 2020

Citrix SD-WAN WANOP

Expected Patch Release Date

10.2.6

Jan 27, 2020

11.0.3

Jan 27, 2020

References:

[1] https://support.citrix.com/article/CTX267679

[2] https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/

[3] https://support.citrix.com/article/CTX267027

[4] https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/

[5] https://isc.sans.edu/forums/diary/Some+Thoughts+About+the+Critical+Citrix+ADCGateway+Vulnerability+CVE201919781/25660/

[6] https://twitter.com/GossiTheDog/status/1214892555306971138

[7] https://www.esentire.com/security-advisories/critical-citrix-vulnerability-exploited/

[8] https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/