Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise Citrix ADC (NetScaler) VPN gateways are now mitigating the bug on the servers they own to keep others out.
Researchers at FireEye report finding an actor that bundles a mitigation utility, dubbed NOTROBIN, with its exploit for the NetScaler flaw. In effect, the attackers exploit the vulnerability to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploitation attempts.
Obviously, this is less of a noble gesture and more of a way to keep others out of the pwned boxes.
"Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts," the FireEye team explained.
"But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign."
That the attackers would think to mitigate the bug is hardly surprising given the number of hackers believed to be scanning for and targeting the bug. It would make sense to take a compromised server off the map, so to speak, for other groups trying to exploit the so-called 'Shitrix'...
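With so many groups scanning for the flaw, the practical question for defenders is whether their own access logs show exploitation attempts. The following is an added example, not code from the article or from FireEye's research, and it does not reproduce NOTROBIN itself. It keys on the request shape that Citrix's own interim mitigation blocked for CVE-2019-19781, a `/vpns/` path reached through `/../` traversal, and runs that check over a handful of constructed combined-format log lines. The log format, the sample entries and the function names are all assumptions made for the example.

```python
"""Flag CVE-2019-19781 traversal attempts in web access logs.

Added example, not part of the article or of FireEye's NOTROBIN research.
Assumes Apache/nginx-style combined log lines (an assumption) and keys on
the request shape Citrix's mitigation guidance blocked: a /vpns/ path
reached via /../ directory traversal.
"""
import re
from collections import Counter
from urllib.parse import unquote

# ip, ts, method, path, status from a combined-format log line (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(path):
    """Percent-decode twice (catches double-encoded ../), unify slashes, lowercase."""
    p = path
    for _ in range(2):
        p = unquote(p)
    return p.replace("\\", "/").lower()


def is_traversal_attempt(path):
    """True when the request reaches /vpns/ through a /../ traversal segment."""
    p = normalize(path)
    return "/vpns/" in p and "/../" in p


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return (ip, method, raw_path, status) for every line that looks like an attempt."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_traversal_attempt(rec["path"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def sources(hits):
    """Count attempts per source IP so scanners stand out from one-off requests."""
    return Counter(ip for ip, _, _, _ in hits)


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234',
    '198.51.100.7 - - [12/Jan/2020:10:00:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2020:10:00:03 +0000] "POST /vpn/..%2Fvpns/portal/scripts/newbm.pl HTTP/1.1" 200 10',
    '203.0.113.9 - - [12/Jan/2020:10:00:04 +0000] "GET /vpns/portal/scripts/rmbm.pl HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("attempt:", hit)
    print("per-source counts:", dict(sources(scan(SAMPLE_LOG))))
```

The fourth sample line shows why both conditions are needed: a direct `/vpns/` request without traversal is how the appliance itself reaches those scripts, so flagging `/vpns/` alone would bury real attempts in noise. A 200 on the `smb.conf` read is the strongest signal here, since it means the traversal actually served a file.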