Friday, January 22, 01:31

Hackers close the Shitrix security hole for everyone except themselves

Just a week ago, it was revealed that hackers were exploiting a vulnerability to compromise the VPN gateways used by many businesses worldwide.

The vulnerability, officially known as CVE-2019-19781 but unofficially called "Shitrix", was found in Citrix Application Delivery Controller and Citrix Gateway servers (known as Netscaler ADC and Netscaler Gateway respectively), but so far Citrix has not released a patch.


Well, there is good news and bad news.

First the good news:

Hackers are exploiting the Shitrix bug to gain access to vulnerable servers, clean up known malware infections (such as cryptocurrency mining code) on the owners' behalf, and implement the mitigation measures recommended by Citrix to prevent future exploitation attempts.

Well, that sounds rather good, doesn't it?

So here's the bad news:

As FireEye researchers describe, the mitigation code that the hacking team runs to protect Citrix servers from further exploitation contains a secret backdoor.

In short, hackers have locked other hackers out of vulnerable servers - but not themselves.

The FireEye team has named the previously unseen payload installed by the hackers NOTROBIN.

"FireEye believes that hackers are developing NOTROBIN to prevent the exploitation of the CVE-2019-19781 vulnerability, while maintaining backdoor access to compromised NetScaler devices. The mitigation works by deleting the incremental exploit code found within NetScaler standards before it can be used. However, when the hacker provides the hardcoded key during the subsequent exploitation, NOTROBIN does not remove the payload. This allows the hacker to regain access to the vulnerable device later."

"In many investigations, FireEye tracked the hackers who developed NOTROBIN with unique keys. For example, we have recovered about 100 keys from different binaries. These look like MD5 hashes, although FireEye failed to retrieve any plaintext. The use of complex, unique keys makes it difficult for third parties, such as competing intruders or FireEye, to easily detect NetScaler devices 'protected' by NOTROBIN. This hacker follows a strong password policy!"
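
The quote above says the keys recovered from the binaries look like MD5 hashes and differ between binaries. As an added example (not FireEye's code or tooling), this Python script shows how an analyst could extract MD5-shaped strings from collected binaries and see which ones are unique to a single sample. The sample blobs, file names and key values are constructed, and the script assumes the key is stored as ASCII hex.

```python
import hashlib
import re
from collections import defaultdict

# Exactly 32 hex characters that are not part of a longer hex run, so
# SHA-1/SHA-256 digests and other long hex data are not reported.
MD5_SHAPED = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])")

def candidate_keys(blob):
    """Return the MD5-shaped ASCII strings embedded in a binary blob."""
    return {m.group().decode("ascii").lower() for m in MD5_SHAPED.finditer(blob)}

def index_samples(samples):
    """Map each candidate key to the set of sample names that embed it."""
    index = defaultdict(set)
    for name, blob in samples.items():
        for key in candidate_keys(blob):
            index[key].add(name)
    return dict(index)

def unique_keys(index):
    """Keep only keys seen in exactly one sample (key -> sample name)."""
    return {k: next(iter(v)) for k, v in index.items() if len(v) == 1}

# Constructed test data: these values are generated here, not real indicators.
KEY_A = hashlib.md5(b"constructed-key-a").hexdigest()
KEY_B = hashlib.md5(b"constructed-key-b").hexdigest()
SHARED = hashlib.md5(b"constructed-shared-constant").hexdigest()
LONGER = hashlib.sha256(b"constructed-not-a-key").hexdigest()  # 64 hex chars

SAMPLES = {
    "sample_a.bin": b"\x7fELF\x00" + KEY_A.encode() + b"\x00" + SHARED.upper().encode()
                    + b"\x00" + LONGER.encode() + b"\x00",
    "sample_b.bin": b"\x7fELF\x00" + SHARED.encode() + b"\x00\x01" + KEY_B.encode(),
}

if __name__ == "__main__":
    for key, sample in sorted(unique_keys(index_samples(SAMPLES)).items()):
        print(f"{sample}: {key}")
```

A string that appears in every sample is more likely a shared constant than a per-binary key, which is why the script reports only the values seen in exactly one sample.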

NOTROBIN can successfully inoculate vulnerable devices against Shitrix attacks, but it can also leave these devices open to future campaigns of criminal activity. That doesn't look much like "Robin Hood" behavior to me.

It's always better to defend your systems yourself, or have someone you trust do it for you, rather than having an unknown gang of hackers clean up the mess. After all, you can't be sure they won't have ulterior motives.

Citrix has promised firmware updates for vulnerable systems by the end of the month.



Teo Ehc