The computer security company FireEye recently published a report on a hacker group exploiting a Citrix NetScaler security vulnerability.
This vulnerability was discovered last December. As a key part of its process, this group of hackers first sets out to remove any program installed by other hacker groups, competing or not. The goal is to clear the field before carrying out its own actions.
The facts date back to December 2019. The Citrix Application Delivery Controller (ADC) and NetScaler Gateway were affected by a vulnerability deemed critical, registered as CVE-2019-19781. It allowed attackers to remotely execute malicious code on the affected devices, in particular those that had not received security patches. As we already know, Citrix had not actually released a corrective update at that point, only mitigation measures to work around the problem and protect the components affected by the vulnerability.
Unfortunately, some hackers were able to find a way around these mitigations. Especially once the flaw was disclosed, exploits could be executed and were even published on the web. This, of course, benefited many hackers, who were able to learn from them throughout January. It also alarmed cybersecurity experts, who repeatedly warned that hackers were thoroughly analyzing Citrix ADC installations in order to find ways to circumvent the protections.
Among these hackers, FireEye took interest in one particular group, which used the CVE-2019-19781 flaw and whose modus operandi is rather unusual. Using the flaw, they take control of the affected Gateways. Their particularity lies in the fact that they do not rush, like their peers, to install their malware on the targeted devices. Before doing so, they spend some time analyzing the installations they target; during this step they get rid of all the other malware that could get in their way. A kind of cleaning out of the competition.
Once this first step is complete, they install their own malware, which FireEye has named NotRobin. This malware has the peculiarity of ensuring that no other malicious programs are installed on the target device. Its role does not stop there, however, because as malware its purpose is not to protect the device it targets. Let's say it is just a way of having exclusivity. This allows the operators of this program to later install other programs to control the devices they have infected. "FireEye believes that the actor behind NOTROBIN has opportunistically compromised NetScaler devices, perhaps to prepare for a future campaign. They remove other known malware, perhaps to avoid detection by administrators who check their devices after reading the Citrix CTX267027 security bulletin. NOTROBIN blocks the operation of CVE-2019-19781 on compromised devices, but retains a backdoor for an actor with a secret key," said William Ballenthin and Josh Madeley, FireEye researchers, in a blog post.