'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind

Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out. Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the …

  1. cbars Silver badge

    So not friendly, then...

    1. Anonymous Coward

      Who's a good boy?

      My attack dog is very friendly. It being in your house is your problem.

  2. davidp231

    Sooo...

    Anything related to Windows Update (TrustedInstaller, I'm looking at you), could fall under this?

    "Cryptocurrency miners are generally easy to identify—just look for the process utilizing nearly 100 per cent of the CPU,"

    1. Anonymous Coward

      Re: Sooo...

      Or Chrome trying to run 2 tabs at once.

      1. tiggity Silver badge

        Re: Sooo...

        Or lots of anti virus "solutions"

  3. Pascal Monett Silver badge

    How does that work ?

    " In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation."

    So basically these hackers can do a better job than AV vendors ? They're in the wrong business. They should create and sell an AV suite (they could call it HackerGuard). They'd make millions and it would all be legitimate.

    1. This post has been deleted by its author

    2. chivo243 Silver badge

      Re: How does that work ?

      "So basically these hackers can do a better job than AV vendors ? They're in the wrong business. They should create and sell an AV suite (they could call it HackerGuard). They'd make millions and it would all be legitimate."

      I thought the same thing before, without the branding. But being a small fish (with skillz) in a very big pond, I wouldn't want to upset the bigger fish in the old neighborhood, so to speak.

    3. Anonymous Coward

      Re: How does that work ?

      "So basically these hackers can do a better job than AV vendors?"

      The hackers have piggybacked on someone else's discovery of a security flaw to get access to Netscaler devices and "secure them" for their own purposes.

      This isn't a comparison with either AV companies or security researchers - it's effectively a group of above average script kiddies at this point in time.

      Given that many Netscalers run as reverse proxies and have higher than average levels of access to internal systems (i.e. generally access across multiple internal systems including authentication servers AND likely have credentials to get you onto those authentication servers for scanning Active Directory/LDAP), the potential to go further exists.

      If these Netscalers are used for DDoS against games companies, we know the level of script kiddy involved. If instead they are used as gateways to larger compromises and, in particular, ransomware extortion, we might be looking at a bit more than script kiddies.

      1. Richard 12 Silver badge

        Re: How does that work ?

        And the vast majority of intrusions will go unreported.

        Perhaps undetected, too.
