Threat Advisory: HG Updates on Citrix vulnerability – CVE-2019-19781

January 24, 2020

Over the past month, Herjavec Group has been supporting clients impacted by CVE-2019-19781, a vulnerability affecting multiple versions of Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP.

CVE-2019-19781 is a directory traversal vulnerability that an unauthenticated, remote attacker can exploit to write files to the appliance and execute arbitrary code, taking control of the affected system. In the activity we have observed, adversaries scan widely for exposed appliances; when a request succeeds, they drop files onto the compromised system, establishing a backdoor that lets them maintain access and move further into the environment.
 
Following a successful compromise, enterprises may see:
  • Cryptominer installation
  • An SSL connection from the appliance used as a covert channel
  • Attempted connections to data management systems
  • SQL injection attempts against databases
  • Attempts to exploit other vulnerabilities
Herjavec Group is reminding all enterprise customers to patch diligently. Patching will not stop the scanning, but it prevents a scan from turning into a compromise. A permanent fix for CVE-2019-19781 has been released and should be actioned immediately; until it is applied, Citrix's published mitigation (a responder policy that blocks traversal requests into /vpns/) should be in place. Because the vulnerability has been used to install backdoors, any appliance that was exposed before it was mitigated should also be checked for indicators of compromise: applying the fix closes the vulnerability but does not remove a backdoor that is already installed. We are proactively working with customers to ensure the appropriate patches are in place.
 
We are also creating custom alerts across our Managed Security Services customer base, based on relevant IOC detections and on IPS signature matches, to improve detection of attacks against this Citrix vulnerability. Publicly available IOCs can be alerted on, but they mainly capture scanners, and they will need to be updated over time to recognize more advanced patterns of activity.
 
HG recommends a more tailored approach, with custom alerts keyed on IPS signature matches, as the preferred detection technique.
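As an added example (not code from this advisory or from Herjavec Group), the following Python script applies the detection idea above to web access logs: it percent-decodes each request URL (repeatedly, to catch double encoding), flags requests that reach /vpns/ through a /../ traversal, which is the same condition Citrix's published mitigation blocks, and separates vulnerability probes from file-write attempts. The log lines are constructed in combined log format for illustration; the probe and write paths (/vpns/cfg/smb.conf and /vpns/portal/scripts/newbm.pl) are the ones publicly reported in exploitation write-ups and are not taken from this advisory. A 200 response to a traversal request is worth highlighting on its own: it means the appliance served the request, so neither the mitigation nor the fix was in place at that time.

```python
"""Flag CVE-2019-19781 traversal attempts in web access logs (added example)."""
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real captures).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:08:14:03 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 419 "-" "curl/7.64.0"
203.0.113.10 - - [11/Jan/2020:08:14:05 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 52 "-" "curl/7.64.0"
198.51.100.7 - - [11/Jan/2020:08:20:41 +0000] "GET /vpn/..%2Fvpns%2Fcfg%2Fsmb.conf HTTP/1.1" 403 0 "-" "python-requests/2.22.0"
192.0.2.44 - - [11/Jan/2020:09:01:12 +0000] "GET /vpn/index.html HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
192.0.2.45 - - [11/Jan/2020:09:02:00 +0000] "GET /vpns/portal/scripts/newbm.pl HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def decode_url(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded traversal such as
    %252e%252e/ still normalises to ../; lower-case for case-insensitive matching."""
    prev = None
    for _ in range(rounds):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.lower()


def classify(method: str, path: str, status: int):
    """Return None for benign requests, else a dict describing the attempt.

    The rule mirrors Citrix's published mitigation logic: a decoded URL that
    reaches /vpns/ via a /../ traversal. A plain /vpns/ request without a
    traversal is not evidence of exploitation and is left alone.
    """
    decoded = decode_url(path)
    if "/vpns/" not in decoded or "/../" not in decoded:
        return None
    # Paths below are the ones publicly reported in exploitation write-ups:
    # reading smb.conf is the usual vulnerability probe; a POST to newbm.pl
    # is the file-write step that precedes code execution.
    if method == "POST" and decoded.endswith("/newbm.pl"):
        stage = "exploit-write"
    elif decoded.endswith("/smb.conf"):
        stage = "probe"
    else:
        stage = "traversal"
    # A 200 means the appliance served the traversal path: the responder
    # policy mitigation or the permanent fix was not in place at that time.
    return {"stage": stage, "served": status == 200}


def scan_log(text: str):
    """Parse each line and return the flagged requests, oldest first."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        verdict = classify(m.group("method"), m.group("path"), status)
        if verdict:
            findings.append({**m.groupdict(), "status": status, **verdict})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED (unmitigated)" if f["served"] else "blocked"
        print(f'{f["ts"]} {f["ip"]:<14} {f["stage"]:<13} {flag:<20} {f["method"]} {f["path"]}')
```

Run against real logs, the two lines from the same source address (a served probe followed within seconds by a served write) are the pattern to escalate: it is an exploitation sequence, not a scanner, and the host should be treated as compromised until checked.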
 
For more information on these custom alerts, our Managed Security Services SOC support, Security Engineering capability, or Incident Response practice, please connect with us.

If this advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group's analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.




About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
