We’re dung for! Hackers hit firms with ransomware by exploiting Shitrix flaw

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

We're dung for! Hackers hit firms with ransomware by exploiting Shitrix flaw

About two weeks ago alarm bells rang over a newly-discovered (and unpatched) flaw in Citrix servers. The vulnerability, technically dubbed CVE-2019-19781 but also known as “Shitrix”, was found to be present on Citrix Application Delivery Controller and Citrix Gateway servers (formerly known as Netscaler ADC and Netscaler Gateway respectively) commonly used on corporate networks.

Then we discovered hackers were seemingly-altruistically inoculating vulnerable servers from further Shitrix attacks, but actually at the same time opening a secret backdoor to allow future cybercriminal campaigns.

Things really took a bizarre twist when the Dutch press reported the threat of more traffic jams as government employees in The Netherlands were forced by the vulnerability to travel to work rather than log in remotely.

Sign up to our free newsletter.
Security news, advice, and tips.

And now? Now, with sad predictability, we’re getting the first reports of ransomware being planted by hackers exploiting the Shitrix flaw.

Specifically, researchers are reporting evidence that they have seen the REvil (also known as Sodinokibi) ransomware being planted by attackers. That’s the same ransomware which at the end of December hit Travelex so hard that they’re still trying to recover.

At the time of writing Citrix hasn’t finished issuing security patches for all of its vulnerable products (some are out, but others aren’t quite yet), but there really is no reason why businesses shouldn’t be considering as a matter of priority applying the various anti-Shitrix mitigation steps.

You may also want to consider trying out the free tool that Citrix has developed with FireEye to detect Indicators of Compromise based on based on known Shitrix attacks and exploits.

The tool can’t give you a clean bill of health, but it can warn you if it detects anything suspicious that it knows about.

It should go without saying that any businesses running vulnerable Citrix servers should not only follow these steps, but also apply security patches as soon as they are available.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.