Translated Article: Urgent Warning of Back Doors in Citrix Systems

Sanna/ October 6, 2020/ Stories

Dringende Warnung vor Hintertüren in Citrix-Systemen by Erich Moechel for

An unknown number of these VPN gateways, which protect important networks in Austria such as electronic official traffic, ministries, supermarket chains, etc., are infected with malware. Ransomware blackmailers are now attacking one network after another.

After the huge security gap in Citrix dial-up systems (“Shitrix”) at the beginning of the year, the consequences are now coming to light. The German security consultants HiSolutions have recently discovered a number of encryption attacks that were carried out through back doors installed at the time. Large company and authority networks are affected, which, like the electronic file traffic of the Republic (ELAK), were open for weeks over the turn of the year.

Almost all of these “VPN gateways” were backed up by software updates much too late, but that does not help against previously installed back doors. Only completely new systems are considered to be secure. In the current blackmail attack on the Düsseldorf Clinic, which resulted in a fatality, the attackers penetrated via the Citrix gateway. (More on this below). It can be assumed that there are an unknown number of back doors in the hundreds of Citrix gateways of large networks in this country too.

Urgent recommendations to Citrix administrators

According to HiSolutions, the traces point to ordinary encryption blackmailers who use standard malware as soon as they have access. Their approach is anything but ingenious, rather known routines are processed and standard malware used, from network exploration to exfiltration and subsequent encryption of the data. In the cases that became known, the attackers did not even bother to rewrite a “proof of concept” software from spring.

“Proof of Concept” is experimental software that demonstrates how a newly discovered security gap can be attacked. From this, concepts for defense are developed and published. That is one side. If such defense concepts are not published, but a product is developed from them for an attack, this is called an “exploit”. “Due to the current wave of attacks it is strongly recommended to check Citrix NetScaler systems, especially for possible new users or suspicious network activities”, says HiSolutions, and “a look into the folder / var / vpn / bookmark is recommended in any case, because this is were XML files smuggled in by the attacker can be found.”

“Malware as a service”

“it is very certain that these attackers are not identical to those who installed these back doors in winter” said Joe Pichlmayr from the Viennese security company Ikarus to “Because fully installed back doors, as well as matching malware including attack instructions, are typical services that are traded en masse on the black market. The internet economy has arrived there even more radically than on the legal markets. In recent years in particular, this market has become really colourful due to its rapid diversification,” Pichlmayr continues. From “malware as a service” to targeted DDOS attacks on “websites of your choice” to corporate secrets from high finance that were stolen in an attack, everything a criminal heart desires can be bought, says Pichlmayr. The fact that “only” middle-class criminals have been observed to exploit the security gap is not good news per se.

“In this colourful market, where even the dumbest attackers still make money, far more potent players are active.” And their backdoors are far more difficult to discover, because this refers to the criminal upper class that attacks the financial sector, as well as the state actors. Attacks via this security gap have also been part of the standard repertoire of state actors from China and Iran for months. The North Korean Lazarus Group has had a special unit for years, which has brought in hundreds of millions of dollars in the country, which is notoriously weak in foreign exchange. This group known as “Bluenoroff” first plundered bitcoin exchanges and then specialized in ransomware extortion.

What happened at the University Clinic in Düsseldorf

On the night of September 11th, the information systems of the University Clinic in Düsseldorf partially failed, in particular the VPN gateways to the connected laboratories no longer worked. “The security gap was in a commercially available additional software that is widely used around the world. Until the software company finally closed this gap, there was a sufficient time window to penetrate the systems, ”said the Düsseldorf University Hospital. In fact, Citrix had taken its time with this critical software update, but a temporary solution was made available very quickly. Of course, there is nothing of this in the hospital’s official declaration. However, it is also clear that the systems were not set up again afterwards.

This case also does not bear the signature of highly professional actors. The perpetrators were convinced that they had attacked a university, the extortion letter left behind was addressed to the Heinrich Heine University in Düsseldorf. When they could be reached and learned that they had caught the largest emergency hospital far and wide, they provided the keys and disappeared. The failure of the VPN gateways, however, had fatal consequences. Since the clinic could no longer accept new cases, it had to be bypassed extensively. As a result, a patient died on the way to a distant hospital, the public prosecutor’s office has been investigating ever since.

Share this Post