A Hacker is Patching Citrix Servers To Maintain Exclusive Access (zdnet.com) 10
Catalin Cimpanu, writing for ZDNet: Attacks on Citrix appliances have intensified this week, and multiple threat actors have now joined in and are launching attacks in the hopes of compromising a high-value target, such as a corporate network, government server, or public institution. In a report published today, FireEye says that among all the attack noise it's been keeping an eye on for the past week, it spotted one attacker that stuck out like a sore thumb. This particular threat actor was attacking Citrix servers from behind a Tor node, and deploying a new payload the FireEye team named NotRobin. FireEye says NotRobin had a dual purpose.
First, it served as a backdoor into the breached Citrix appliance. Second, it worked similar to an antivirus by removing other malware found on the device and preventing other attackers from dropping new payloads on the vulnerable Citrix host. It is unclear if the NotRobin attacker is a good guy or a bad guy, as there was no additional malware deployed on the compromised Citrix systems beyond the NotRobin payload. However, FireEye experts are leaning toward the bad guy classification. In their report, they say they believe this actor may be "quietly collecting access to NetScaler devices for a subsequent campaign."
First, it served as a backdoor into the breached Citrix appliance. Second, it worked similar to an antivirus by removing other malware found on the device and preventing other attackers from dropping new payloads on the vulnerable Citrix host. It is unclear if the NotRobin attacker is a good guy or a bad guy, as there was no additional malware deployed on the compromised Citrix systems beyond the NotRobin payload. However, FireEye experts are leaning toward the bad guy classification. In their report, they say they believe this actor may be "quietly collecting access to NetScaler devices for a subsequent campaign."
If you won't patch your own servers (Score:5, Insightful)
Someone else will be happy to do it in exchange for computing and network resources.
He's NotRobin... He's... (Score:1)
Batman.
Good guy hacker confirmed.
Re: (Score:2)
Could be a three letter agency doing something that is illegal and whilst they are there, they can not help themselves, their nature, doing a bit of sniffing around for evidence of criminal activity.
Why even try? (Score:2)
Hire this person (Score:2)
Have them remove the back door part but implement the "preventing other attackers from dropping new payloads on the vulnerable Citrix host" piece.
Re: (Score:3)
Ancient Citrix attack: enter "//" for the passwd!! (Score:2)
A "feature" of the login in the OS/2 version of Citrix software (so, no risk to current releases) was that one could change one's password WHILE logging in.
To do so, one types the existing password; then a "/"; then the new password; then a "/"; and then the new password again.
Turned out there was an untested code path that, if both new passwords were empty? It would assign the empty string as the new password, EVEN IF the existing password was wrong!
So, in order to obtain root access to a Citrix Multiuser
resources are getting scarce (Score:2)
If there is anything I have learned,
having exclusive access to a highly valued resource is extremely coveted.
think about a perfect moonshine cave, You would clean it up, fix the water so you could have easier access, maybe bore a hole upwards to have a heat escape vent and you would be armed to the teeth to protect it from others.
same concept, this guy is making his server army, keeping it healthy and getting it ready for an attack.