Breach Spotlight: Citrix



It seems that every day there is another story in the news about a breach of some sort. I’m not sure what’s scarier at this point: the number of breaches, or the fact that most people don’t seem to notice anymore. Some make the headlines; some don’t get much play at all.

Either way, it’s becoming so common that a lot of us just brush it off, without really grasping the detrimental effect this can, and will, have.

There was some buzz a few weeks ago about a vulnerability in Citrix ADC and Citrix Gateway (formerly NetScaler), CVE-2019-19781, a directory traversal flaw that allows unauthenticated remote code execution on the appliance. Estimates at the time put roughly 25,000 compromised (i.e. hacked) Citrix systems on the Internet. While the numbers are staggering, what is not being discussed is what follows from attacks at this scale. Numerous bad actors are targeting these systems for their own campaigns, and these compromises will continue to be talked about in the coming months and years. There’s no telling where this will all lead, from learning that stolen data is being used by state-sponsored groups to hearing that yet another organization can’t access its data because of ransomware, but one thing is for sure.

If you did not immediately implement mitigation steps, there is a good possibility that you are already compromised. Patching or mitigating now closes the door, but it does not evict an attacker who already walked through it, which is why checking for indicators of compromise matters as much as the fix itself.

I spoke to one of my law enforcement buddies about this issue, and he seemed extremely concerned about the situation, considering the number of compromised systems. I am the first one to admit that I do not have all the answers, or even some of the answers, to technical questions.

But I take pride in having access to some of the greatest minds who know how to keep corporate networks safe. 

I picked up the phone and called my good friend Robert Banniza, who has been in the trenches handling information security for years in the healthcare space. I asked Robert what a company should do to mitigate this threat that doesn’t involve going out and spending money on a consultant, product or service. In the back of my mind, my voice was already blabbing a response to my own question: that we need to do the basics and fundamentals first.

Here is Robert’s brilliant take on the issue:

The recent FBI Flash (AC-000116-TT), posted on January 31, 2020, provides some great detail as to background, indicators of compromise, and recommendations. If you have not read the Flash or patched your Citrix environment, the following next steps are a must:

1) Patch immediately if possible.

  1. See https://support.citrix.com/article/CTX267027 for available patches.

2) Perform the following mitigation steps if your organization has a formal downtime schedule for patching.

  1. See https://support.citrix.com/article/CTX267679 for these steps.
  2. Verify the mitigation steps are implemented with the following tool: https://support.citrix.com/article/CTX269180

3) Download and run the tool from FireEye that searches for indicators of compromise (IoC) associated with attacker activity.

  1. https://github.com/fireeye/ioc-scanner-CVE-2019-19781/

If your IT organization would like to be alerted of these types of vulnerabilities early, consider the following sources:

  1. Sign up to receive Citrix alerts.
  2. If in the healthcare industry, sign up for the CyberHealth mailing list. You must be an InfraGard member (your InfraGard chapter can provide details).
  3. Your technical IT staff can subscribe to the Full Disclosure mailing list.

Lastly, communication and awareness are notably just as important as the patch itself. Having staff beyond your Information Security personnel know that Information Security can save your organization millions in fines, penalties and legal disputes is priceless in itself. Within your IT department there is no substitute for the trust that is built while working together to accomplish a mission. If your Information Security staff isn’t building bridges with the rest of the organization, question why, as it’s the first step to firing on all cylinders.
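To make Robert’s third step concrete for teams that cannot run a scanner on the appliance itself, here is an added example of my own; it is not Robert’s code, not the FBI Flash, and not FireEye’s scanner. It walks ordinary HTTP access-log lines (for instance exported from a reverse proxy, WAF or SIEM sitting in front of the Citrix ADC / Gateway) and tags the request patterns that public write-ups of CVE-2019-19781 exploitation describe: a path that traverses from the unauthenticated /vpn/ tree into /vpns/ via "/../", a POST to /vpns/portal/scripts/newbm.pl (template write), a follow-up GET of a /vpns/portal/*.xml template (template render), and the common vulnerability probe for /vpns/cfg/smb.conf. The log lines are constructed, and the request patterns, function names and tag names are assumptions made for this example.

```python
"""Scan HTTP access-log lines for CVE-2019-19781 exploitation indicators.

Added example, not the FireEye scanner and not from the original post.
SAMPLE_LOG is constructed, not real traffic. The request patterns below
are assumptions drawn from public write-ups of the exploit.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed Common Log Format lines: one full exploit chain from 203.0.113.5,
# one benign login-page hit, and one encoded probe that a responder policy blocked.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2020:03:12:44 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1024
203.0.113.5 - - [11/Jan/2020:03:12:45 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 231
203.0.113.5 - - [11/Jan/2020:03:12:46 +0000] "GET /vpn/../vpns/portal/rnvdn.xml HTTP/1.1" 200 88
198.51.100.7 - - [11/Jan/2020:03:15:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
198.51.100.9 - - [11/Jan/2020:03:16:10 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def decode_path(target: str) -> str:
    """Drop the query string and URL-decode, repeating to undo double encoding."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(method: str, target: str, status: int) -> list:
    """Return indicator tags for one request; an empty list means nothing notable."""
    raw = decode_path(target)
    traversal = "/../" in raw
    normalized = posixpath.normpath(raw)  # "/vpn/../vpns/x" -> "/vpns/x"
    tags = []
    # Authenticated VPN traffic can reach /vpns/ directly; the exploit's hallmark
    # is reaching it through "/../" from the unauthenticated /vpn/ tree.
    if traversal and normalized.startswith("/vpns/"):
        tags.append("traversal-into-vpns")
        if normalized == "/vpns/cfg/smb.conf":
            tags.append("vuln-probe")
            # 200 means the appliance answered an unauthenticated traversal when
            # this line was logged, i.e. the mitigation was not yet in place.
            tags.append("served-200-unmitigated" if status == 200 else f"blocked-{status}")
        elif normalized == "/vpns/portal/scripts/newbm.pl" and method == "POST":
            tags.append("template-write")
        elif re.fullmatch(r"/vpns/portal/[^/]+\.xml", normalized):
            tags.append("template-render")
    return tags


def scan_log(text: str) -> list:
    """Parse each log line and keep only requests that carry indicator tags."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real triage would count these
        status = int(m["status"])
        tags = classify(m["method"], m["target"], status)
        if tags:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["target"],
                             "status": status, "tags": tags})
    return findings


def flagged_sources(findings: list) -> set:
    """Client addresses that issued at least one flagged request."""
    return {f["ip"] for f in findings}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["ip"], f["status"], f["path"], ",".join(f["tags"]))
    print("flagged sources:", sorted(flagged_sources(results)))
```

A source that shows template-write followed by template-render completed the exploit chain, and the box should be treated as compromised regardless of whether it has since been patched. A 200 on the smb.conf probe tells you the host was unmitigated when that request arrived; a 403 shows the responder policy from CTX267679 was already answering. This only catches the traversal forms it decodes (plain and URL-encoded "../"), so treat a clean result as a starting point, not as proof of absence, and still run the FireEye tool on the appliance where you can.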

This was some great information, and it reinforces so many important points. We, as organizations, cannot control vulnerabilities in existing software; these things happen and will continue to happen. However, we can control how we respond. Robert gave us a number of steps to take that do not involve going out and spending money.

I’ve said it once, and I’ll say it again: we continue to throw money at all of our cybersecurity problems, but the problem is getting BIGGER.

Why are we spending MORE and the problem is getting WORSE? 

Because that’s not the answer. It all starts with us: understanding these threats, being educated on how to mitigate these situations, and training continually as technology continues to change. These steps are crucial to keeping ourselves, our families, and our organizations safe! Thanks so much to Robert Banniza for his contribution and insight.

If you need more information about how to keep your organization safe, contact me here. Together we can take the steps to mitigate your risk and keep you and your business from becoming the next victim!
