On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.

Mass scanning activity detected from 82.102.16.220 (🇩🇪) checking for Citrix NetScaler Gateway endpoints vulnerable to CVE-2019-19781. Affected organizations are advised to apply the mitigation steps provided by Citrix as no patch exists yet. https://t.co/weFVYpEWi2 #threatintel — Bad Packets Report (@bad_packets) January 10, 2020

The activity detected from 82.102.16.220 attempted to download the “smb.conf” file. This configuration file doesn’t appear to contain highly sensitive information by default; however, a successful response to the scan indicates the targeted server is vulnerable to further attacks.

On Sunday, January 12, 2020, our honeypots detected multiple CVE-2019-19781 exploit attempts from a host in Poland. This differed from the previous scanning activity as it conducted the actual remote code execution exploit and targeted ports 443, 2083, 2087, and 8443/tcp.

⚠️ WARNING ⚠️

Mass scanning activity detected from 156.17.191.239 (🇵🇱) checking for Citrix (NetScaler) Gateway servers vulnerable to CVE-2019-19781. Ports targeted: 443, 2083, 2087, & 8443/tcp. Mitigation steps to prevent compromise: https://t.co/c9f22TfP2K #threatintel — Bad Packets Report (@bad_packets) January 12, 2020

Given the ongoing scanning activity detected by security researcher Kevin Beaumont and SANS ISC since January 8, 2020, it’s likely attackers have enumerated all publicly accessible Citrix ADC and Citrix (NetScaler) Gateway endpoints vulnerable to CVE-2019-19781.

How many hosts are vulnerable to CVE-2019-19781?

Using data provided by BinaryEdge, we scanned over 60,000 Citrix endpoints to determine which were vulnerable. On Saturday, January 11, 2020, our scans found a total of 25,121 unique IPv4 hosts worldwide vulnerable to CVE-2019-19781. Of these results, we cataloged 18,155 SSL certificates with unique domain names.

No sensitive information was disclosed or recorded during our scans, as we only sent an HTTP HEAD request to confirm the vulnerability.
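A defender-side check over web server access logs for the two kinds of traffic this report describes (the smb.conf traversal probe, and HEAD-only confirmation requests), written as an added example and not Bad Packets' own tooling. It assumes logs in Apache/nginx combined format (e.g. from a front-end proxy), the sample lines are constructed, and the pattern matched is the core traversal condition from Citrix's interim responder-policy mitigation, applied after URL decoding:

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format. The first source
# address is the scanner named in the report; the others are RFC 5737 test addresses.
SAMPLE_LOG = """\
82.102.16.220 - - [10/Jan/2020:12:00:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 742 "-" "python-requests/2.22.0"
203.0.113.7 - - [11/Jan/2020:08:15:22 +0000] "HEAD /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2020:03:44:10 +0000] "GET /vpn/..%2Fvpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.0"
192.0.2.5 - - [12/Jan/2020:09:01:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 1093 "-" "Mozilla/5.0"
192.0.2.6 - - [12/Jan/2020:09:02:00 +0000] "GET /vpns/cfg/smb.conf HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_cve_2019_19781_probe(path: str) -> bool:
    """True when the path shows the traversal pattern behind CVE-2019-19781.

    Matched on the URL-decoded path so encoded slashes/dots (%2F, %2e) cannot slip
    past; this mirrors the condition Citrix's interim responder-policy mitigation
    matches on: "/vpns/" reached via "/../".
    """
    decoded = unquote(path)
    return "/vpns/" in decoded and "/../" in decoded


def scan_log(text: str) -> list[dict]:
    """One record per request that looks like a CVE-2019-19781 probe or exploit.

    A 2xx answer means the server served the traversal request, i.e. no mitigation
    is in place (the report's "successful response" indicator); a 403 from the
    responder policy means it was blocked. HEAD-only probes are still reported.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_cve_2019_19781_probe(m["path"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "when": m["ts"], "method": m["method"],
                     "path": unquote(m["path"]), "status": status,
                     "likely_vulnerable": 200 <= status < 300})
    return hits
```

Run `scan_log` over real access logs to spot both the scanners and, via the status code, whether the mitigation was actually in place when they arrived.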

Where are the vulnerable servers located?

Vulnerable hosts were found in 122 countries around the world.

This interactive map shows the total vulnerable hosts found per country. Overall, the most vulnerable Citrix endpoints were located in the United States.

What type of organizations are affected by CVE-2019-19781?

4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We’ve discovered this vulnerability currently affects:

Military, federal, state, and city government agencies

Public universities and schools

Hospitals and healthcare providers

Electric utilities and cooperatives

Major financial and banking institutions

Numerous Fortune 500 companies

How is CVE-2019-19781 exploited and what is the risk?

This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise.

Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.

Closing Remarks

Organizations using vulnerable Citrix ADC and Citrix (NetScaler) Gateway servers should immediately follow the recommended mitigation steps or upgrade to fixed versions to prevent compromise. As of January 24, 2020, Citrix has released firmware updates for all products affected by CVE-2019-19781. Given the criticality (CVSS score: 9.8) coupled with the risk of unauthorized access to private networks, there’s little time to take action before threat actors exploit vulnerable servers further. Multiple open source tools are available to locate IOCs and other artifacts left over from exploit activity. CISA has provided procedures and tools for detecting a CVE-2019-19781 compromise.

How to obtain our CVE-2019-19781 report

Due to the sensitive nature of this vulnerability, the affected Citrix endpoints detected by our scans will not be shared publicly. However, the list is freely available for authorized government CERT, CSIRT, ISAC, and law enforcement teams to review. FIRST Team membership is preferred, but not required.

A feed of hosts conducting CVE-2019-19781 related scans and exploit activity is available for our Research and Enterprise CTI customers. Commercial licenses are also available for our vulnerability data; please contact us for more information.

We’ve shared our findings directly with US-CERT (CISA/DHS) and other U.S. federal law enforcement agencies for further investigation and remediation. Additionally, we notified these organizations: ACSC, aeCERT, Amazon SIRT, AusCERT, CareCERT, CCCS, CCN-CERT, CERT Nazionale Italia, CERT NZ, CERT Orange Cyberdefense, CERT POLSKA, CERT.at, CERT.be, CERT.br, CERT-EE, CERT.hr, CERT.LV, CERT.PT, CERT/CC, CERT-Bund, CERT-FR (ANSSI), CERTGOVIL, CERT-In, CERT-MX, CERT-SE, CFCS-DK, CIRCL.LU, CNCERT/CC, colCERT, CSIRT BNP Paribas, CSIRT-DSP, Deutsche Telekom CERT, DKCERT, ECS-CSIRT, E-ISAC, FSA SOC (ed.gov), FS-ISAC, GovCERT.ch, GovCERT.CZ, GovCERT.HK, GOVCERT.LU, H-ISAC, HKCERT, ICIC-CERT, INCIBE-CERT, IRISS-CERT, JPCERT/CC, KN-CERT, KPN-CERT, Legal-ISAC (NL), MSCERT (MSRC), MS-ISAC, MyCERT, NCIIPC, NCIS (DoD), NCSC, NCSC-FI, NCSC-IE, NCSC-NL, NCSC-NZ, NorCER, NTT-CERT, Q-CERT, REN-ISAC, RT CERT, RU-CERT, SANReN CSIRT, Saudi CERT, SingCERT, SUNet CERT, ThaiCERT, TTCSIRT, TWCERT/CC, TWNCERT, VECIRT, WFC SOC, YOROI-CSDC, and Z-CERT.

This list will be updated frequently as notifications are still ongoing by Bad Packets.

Follow-up CVE-2019-19781 Scans

January 31, 2020 scan results: 7,133 vulnerable Citrix servers detected worldwide

February 14, 2020 scan results: 5,915 vulnerable Citrix servers detected worldwide

Total Citrix servers vulnerable to CVE-2019-19781 by country:

🇺🇸 United States 2,660

🇬🇧 United Kingdom 388

🇦🇺 Australia 287

🇨🇳 China 273

🇩🇪 Germany 185

🇨🇦 Canada 177

🇫🇷 France 173

🇮🇹 Italy 159

🇧🇷 Brazil 109

🇸🇪 Sweden 82

All others: 1,422 https://t.co/YAoBD6axht — Bad Packets Report (@bad_packets) February 15, 2020