'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind

www.theregister.co.uk | 1/17/2020 | Staff

Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.

Researchers at FireEye report a threat actor that has been bundling mitigation code for NetScaler servers with its exploit, deploying a utility the researchers have dubbed NOTROBIN. In effect, the actor exploits the flaw to gain access to the server, removes known malware left by earlier intruders, sets up its own backdoor, and then applies a mitigation so that the vulnerable code cannot be reached by later exploit attempts.

Obviously, this is less a noble gesture than a way to keep others out of the pwned boxes.

"Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts," the FireEye team explained.


"But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign."
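For a defender, the practical question behind this story is whether traversal requests against the /vpns/ handler reached their own gateway, and whether the box served them or refused them. The script below is an added example, not code from The Register, FireEye, Citrix or the NOTROBIN actor. It assumes the exploit shape described in Citrix's public mitigation advisory for CVE-2019-19781 (a request whose decoded URL contains both /vpns/ and a /../ hop), mirrors the condition of Citrix's published responder-policy mitigation in would_be_blocked(), and runs over constructed access-log lines in an Apache-style layout; the script and file names in those lines are illustrative, not real artefacts. How NOTROBIN itself blocks later attempts is not something the excerpt describes, so the blocking check here is Citrix's logic, not the actor's.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (the Apache combined layout is an
# assumption; the script and file names in the paths are illustrative).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/cfg/example.conf HTTP/1.1" 200 412 "-" "curl/7.64.0"
198.51.100.9 - - [11/Jan/2020:03:15:30 +0000] "POST /vpn/../vpns/portal/scripts/example.pl HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
198.51.100.9 - - [11/Jan/2020:03:15:31 +0000] "GET /vpn/%2e%2e/vpns/portal/example.xml HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
192.0.2.5 - - [11/Jan/2020:03:16:00 +0000] "GET /vpn/../vpns/cfg/example.conf HTTP/1.1" 403 0 "-" "curl/7.64.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decoded_path(url: str) -> str:
    """Drop the query string and percent-decode the path so that encoded
    traversal sequences such as %2e%2e are seen as '..'."""
    return unquote(url.split("?", 1)[0])


def is_traversal_to_vpns(url: str) -> bool:
    """True when the request reaches the /vpns/ handler through a /../ hop,
    the exploit shape for CVE-2019-19781 (assumption: per Citrix's advisory)."""
    path = decoded_path(url)
    return "/vpns/" in path and "/../" in path


def would_be_blocked(url: str, is_sslvpn: bool = False) -> bool:
    """Mirror of the condition in Citrix's published responder policy: refuse
    any /vpns/ request unless it comes from an authenticated SSL VPN session
    AND carries no traversal. Shows what a mitigated gateway lets through."""
    path = decoded_path(url)
    return "/vpns/" in path and (not is_sslvpn or "/../" in path)


def scan_log(text: str) -> list[dict]:
    """One record per exploit-shaped request, noting whether the gateway
    served it (2xx) or refused it (403)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_to_vpns(m["url"]):
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            outcome = "served"
        elif status == 403:
            outcome = "blocked"
        else:
            outcome = "other"
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": decoded_path(m["url"]),
            "status": status,
            "outcome": outcome,
        })
    return hits


def summarize(hits: list[dict]) -> dict[str, dict[str, int]]:
    """Per-source-IP counts of served vs blocked traversal requests. Served
    hits from early sources followed by blocked hits from later ones is the
    pattern the article describes: the first visitor got in and mitigated,
    later scanners bounce off."""
    summary: dict[str, dict[str, int]] = {}
    for h in hits:
        bucket = summary.setdefault(h["ip"], {"served": 0, "blocked": 0, "other": 0})
        bucket[h["outcome"]] += 1
    return summary


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]:>13} {h["method"]:<4} {h["status"]} {h["outcome"]:<7} {h["path"]}')
    print(summarize(found))
```

A 403 on a traversal request only tells you something refused it; on a box that was never patched or mitigated by its owner, that refusal is itself the indicator the article is pointing at, so a "blocked" row on an unmitigated gateway is worth as much attention as a "served" one.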

That the attackers would think to mitigate the bug is hardly surprising given how many hackers are believed to be scanning for and targeting it. It would make sense to take a compromised server off the map, so to speak, for other groups trying to exploit the so-called 'Shitrix'...
(Excerpt) Read more at: www.theregister.co.uk