BLOG: 12 Vulnerabilities of Christmas CVE-2019-19781
Having reportedly caused the death of a hospital patient and used to compromise organisations researching COVID-19, CVE-2019-19781 is potentially one of the deadliest vulnerabilities tracked by Orpheus, earning itself a maximal OVS score of 100.
CVE-2019-19781 is a directory traversal vulnerability affecting different versions Citrix Application Delivery Controller (ADC) and Gateway, allowing attackers to write a file on disk remotely and without authentication in addition to arbitrary code execution. With a high potential for rapid lateral movement and compromise of further assets, the vulnerability immediately attracted the attention of ransomware operators and state actors alike.
The vulnerability was originally disclosed by Citrix on 17 December, 2019. Proof of Concept (PoC) code appeared on GitHub as soon as 11 January, 2020, enabling threat actors to easily integrate exploits into their operations and malware. Evidence surfaced shortly after that nation-state and cybercriminal actors started mass scanning for vulnerable instances. One of the first confirmed instances of exploitation came with a cyberattack targeting the city of Potsdam, Germany, on 24 January 2020.
Due to the nature of the vulnerability, which would allow attackers to control compromised VPN hosts and rapidly move laterally across organisations’ networks and devices, the vulnerability was swiftly exploited by ransomware operators. On 24 January 2020 Sodinokibi compromised Gedia Automotive Group, a German automobile manufacturer, which saw its stolen data and access to the compromised servers sold on dark web marketplaces shortly after the infection. The vulnerability was then exploited by DoppelPaymer on 26 January, Ragnarok on 30 January, , Nemty Ransomware-as-a-Service (RaaS) on 5 May 2020 and Maze ransomware on 8 June 2020.
A ransomware attack on the University Hospital Dusseldorf on 10 September 2020 which exploited the vulnerability has been blamed for the death of a patient as a result of the loss of availability of systems after the infection, highlighting the potential disruptive impact of these incidents on healthcare providers.
In addition to the obvious benefits for ransomware actors, CVE-2019-19781 also presented an opportunity for nation-state threat actors to infiltrate vulnerable targets for intelligence collection. Iranian group OilRig was the first to be observed exploiting the vulnerability on 16 February 2020 to target organisations in a variety of industries and sectors, including government entities, security, aviation, oil and gas, telecommunications and security. Another Iranian group, Pioneer Kitten, was also seen using the vulnerability in September 2020 after advertising compromised Citrix servers on cybercriminal forums.
Reports in March 2020 revealed that Chinese threat actor APT41 had been conducting cyber espionage campaigns between 20 January 2020 and 11 March 2020 which leveraged the vulnerability to target organisations in 20 different countries and across all sectors. A suspected Chinese state operation also targeted Australian organisations in June 2020. Following the suite of Iranian and Chinese threat actors, Russian group APT29 also exploited the vulnerability to target UK and US organizations conducting research on COVID-19 vaccines in July 2020.
Despite the continued exploitation of CVE-2019-19781 by threat actors with potentially lethal or disastrous consequences for organisations and healthcare entities, Shodan data shows that up to 771 vulnerable servers are still operating around the world. A majority of these are located in the United States (233), followed by China (90), South Korea (50) and Taiwan (35).
In light of continued exploitation of this vulnerabilty by ransomware operators and state actors as well as current exposure of vunlerable servers worldwide, we urge organisations using affected Citrix products to apply the following mitigaiton advice in order to prevent exploitation by attackers:
Upgrade Citrix ADC and Gateway to the latest available version
Obfuscate server HTTP banners and close open ports in order to minimise malicious scanning activity for vulnerable hosts
Get our latest cyber intelligence insights straight into your inbox
Fill out the short form below to subscribe to our newsletter so that you never miss out on
our cyber intelligence insights and news.
Privacy Overview
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Strictly Necessary Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features. These must be enabled at all times, so that we can save your preferences.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
If you do not enable Strictly Necessary Cookies, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Request Demo Access
Fill out your details below and we'll be in touch to arrange demo access for you as soon as
possible.
