From the DATASHIELD Resource Library:
This post is an informational announcement detailing the Citrix NetScaler Vulnerability and what DATASHIELD is doing to help our customers detect and mitigate the issue.
Jan 17, 2020
Since the announcement of the vulnerability in Citrix devices (CVE-2019-19781), DATASHIELD has performed extensive analysis and research on exploit attempts, attack patterns, and the latest intelligence. Citrix released security bulletin CTX267027 describing a vulnerability in various Citrix products that allows an unauthenticated attacker to achieve remote code execution.
It is currently difficult to determine the exact origin of an attack against Citrix devices using CVE-2019-19781. Exploit traffic is encrypted and is therefore hard to detect without packet capture combined with a decryption solution, which makes traditional web attack detection methods less useful and reliable. The best detection method for this type of attack is to monitor for unexpected connections from Citrix devices to out-of-country IPs. Organizations with global operations may need to whitelist certain IPs or IP ranges to avoid false positives.
C2 traffic typically consists of payload retrieval: the compromised device fetches a shell, script, or other backdoor. This retrieval is often observed in plaintext and is the most readily identifiable indication of an attack.
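The detection approach described above, as an added example that is not DATASHIELD's own tooling: a small Python checker that reads constructed connection-log lines, ignores internal destinations, flags any Citrix device connecting to an out-of-country (or unknown-country) address that is not on the allowlist, and flags plaintext HTTP retrieval of script-like files by a Citrix device. The device addresses, networks, country mapping, log format and file-extension heuristic are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (assumptions, not from the post): Citrix device source
# addresses, internal ranges, the home country, and allowlisted foreign ranges.
CITRIX_DEVICES = {"10.20.0.5", "10.20.0.6"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
HOME_COUNTRY = "US"
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. an overseas partner
# Stand-in for a GeoIP database: documentation prefixes mapped to a country code.
GEO = {"198.51.100.0/24": "US", "192.0.2.0/24": "XX"}
SCRIPT_EXTS = {"sh", "pl", "py", "elf"}  # assumed heuristic for script-like payloads


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None  # unknown country: treated as suspicious by the caller


@dataclass
class Alert:
    reason: str
    line: str


def check_line(line):
    # Constructed format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<http|https|other> uri=<path>"
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    src, dst = fields["src"], ipaddress.ip_address(fields["dst"])
    if src not in CITRIX_DEVICES:
        return None  # only outbound traffic from Citrix devices is in scope
    if any(dst in net for net in INTERNAL_NETS):
        return None  # connections to internal hosts are expected
    if any(dst in net for net in ALLOWLIST):
        return None  # explicitly allowlisted foreign destination
    cc = country_of(str(dst))
    if cc != HOME_COUNTRY:
        return Alert(f"Citrix device connecting to out-of-country destination ({cc or 'unknown'})", line)
    # Payload retrieval for C2 is often plaintext: flag HTTP fetches of script-like files.
    if fields.get("proto") == "http" and fields.get("uri", "").rsplit(".", 1)[-1] in SCRIPT_EXTS:
        return Alert("plaintext script retrieval from Citrix device", line)
    return None


def scan(lines):
    return [a for a in (check_line(l) for l in lines) if a]


SAMPLE_LOG = [  # constructed log lines
    "2020-01-16T10:00:01Z src=10.20.0.5 dst=10.20.0.9 dport=443 proto=https uri=/",
    "2020-01-16T10:00:02Z src=10.20.0.5 dst=198.51.100.10 dport=443 proto=https uri=/",
    "2020-01-16T10:00:03Z src=10.20.0.6 dst=192.0.2.44 dport=443 proto=https uri=/",
    "2020-01-16T10:00:04Z src=10.20.0.6 dst=203.0.113.7 dport=443 proto=https uri=/",
    "2020-01-16T10:00:05Z src=10.20.0.5 dst=198.51.100.20 dport=80 proto=http uri=/tmp/a.sh",
    "2020-01-16T10:00:06Z src=10.20.0.99 dst=192.0.2.44 dport=443 proto=https uri=/",
]
```

Running `scan(SAMPLE_LOG)` yields two alerts: the out-of-country connection at 10:00:03 and the plaintext script fetch at 10:00:05; the internal, allowlisted and non-Citrix lines are ignored.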
No official patch is currently available, although Citrix mitigations are available for the following Citrix ADC, Citrix Gateway, NetScaler Gateway, and Citrix NetScaler ADC devices:
Some suggestions for mitigation and containment include:
Remediation is expected to take the form of a complete wipe and rebuild of any infected Citrix devices.
Citrix has stated that a wipe tool will be available by the end of day on January 16th and will announce when it is available. DATASHIELD recommends applying the mitigation immediately to devices that have not been compromised.
If devices have been impacted, we recommend standing up isolated, fresh builds of the required devices with the mitigation applied, deploying the fresh builds, and then standing down the infected builds.