So not friendly, then...
'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind
Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out. Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the …
COMMENTS
-
-
Saturday 18th January 2020 13:26 GMT Pascal Monett
How does that work?
" In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation."
So basically these hackers can do a better job than AV vendors? They're in the wrong business. They should create and sell an AV suite (they could call it HackerGuard). They'd make millions and it would all be legitimate.
-
Sunday 19th January 2020 17:11 GMT chivo243
Re: How does that work?
"So basically these hackers can do a better job than AV vendors? They're in the wrong business. They should create and sell an AV suite (they could call it HackerGuard). They'd make millions and it would all be legitimate."
I thought the same thing before, without the branding. But being a small fish (with skillz) in a very big pond, I wouldn't want to upset the bigger fish in the old neighborhood, so to speak.
-
Sunday 19th January 2020 18:45 GMT Anonymous Coward
Re: How does that work?
"So basically these hackers can do a better job than AV vendors?"
The hackers have piggybacked on someone else's discovery of a security flaw to get access to Netscaler devices and "secure them" for their own purposes.
This isn't a comparison with either AV companies or security researchers - it's effectively a group of above average script kiddies at this point in time.
Given that many Netscalers run as reverse proxies and have higher than average levels of access to internal systems (i.e. generally access across multiple internal systems including authentication servers AND likely have credentials to get you onto those authentication servers for scanning Active Directory/LDAP), the potential to go further exists.
If these Netscalers are used for DDoS against games companies, we know the level of script kiddy involved. If instead they are used as gateways to larger compromises and, in particular, ransomware extortion, we might be looking at a bit more than script kiddies.
-