US: large number of organizations compromised through Citrix leak


Sunday 2 February 2020, 13:44 Source:

Unknown attackers have succeeded in compromising a large number of organisations through the vulnerability in Citrix, the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. government has reported. An exact number is not given.

These are organisations that did not implement Citrix's available mitigation measures in time. “If you have not applied Citrix's mitigating measures, or only did so after 9 January 2020, you can reasonably assume that your system has been compromised, because public exploits have become known”, the National Cyber Security Centre (NCSC) of the Ministry of Justice previously stated. On 10 January, 115,000 Citrix servers were still vulnerable to attack. These organisations have been advised to draw up a recovery plan.

CISA warns that installing the security updates that have since been made available is not sufficient to restore systems that are already compromised. “Once attackers have gained access, they remain present even though the original attack vector is closed,” said the U.S. government agency. CISA has therefore published technical details and other information that organisations can use to check whether they have been compromised. It was already known that attackers use the Citrix vulnerability to deploy ransomware in organisations and to install cryptominers on systems.


Our advice is never to rebuild or reinstall anything without a forensic investigation first. Do you suspect that you have been a victim of this vulnerability or that your organisation has been hacked? Please contact the NFIR Incident Response team (088 – 323 0205).

As long as a Citrix environment has not been updated, an attacker can abuse it without needing any additional information such as login credentials. In addition, an attacker may attack the internal network behind the Citrix environment and gain access to sensitive systems.

If you set up a new Citrix installation and apply the updates made available by Citrix, you have taken sufficient measures. However, if a Citrix environment was not provided with the security updates in time (before 8 January 2020), we advise you to have a forensic investigation carried out to rule out that the machine(s) have been compromised.

If your organisation did not apply the updates in time (before 8 January 2020), it is important to have a forensic investigation carried out into the Citrix system that may have been affected. In addition, it is important to identify which systems communicate (or could communicate) with the affected Citrix system, so that their SSL certificates and passwords can be reset as a precaution.

If your organisation had not applied the updates made available for your Citrix system by 8 January 2020, or the system runs one of the version numbers identified by Citrix as vulnerable, you should assume that your Citrix environment has been compromised. At that point, it is important to have a forensic investigation carried out. As an additional measure, apply network monitoring to your network traffic, so that attackers on the network are detected much faster.
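The two previous paragraphs both ask for an inventory of the systems that communicated with the affected Citrix system during the exposure window, as input for certificate and password resets. The script below is an added example (not NFIR's or Citrix's code) that builds that inventory from firewall log lines; the log format, the Citrix address 10.0.1.10 and the window start date are constructed assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed sample firewall log lines (syslog-like, assumed format; not from the page).
SAMPLE_LOG = """\
2020-01-05T10:12:01Z allow src=10.0.0.5 dst=10.0.1.10 dport=443
2020-01-06T03:44:19Z allow src=10.0.1.10 dst=10.0.2.20 dport=389
2020-01-07T22:10:55Z allow src=10.0.1.10 dst=10.0.2.21 dport=445
2020-01-12T08:00:00Z allow src=10.0.1.10 dst=10.0.2.22 dport=22
2020-01-06T11:00:00Z allow src=10.0.3.9 dst=10.0.4.4 dport=80
"""

# Exposure window: from an assumed date on which the vulnerability became public
# until the mitigation deadline the article cites (8 January 2020, end of day).
EXPOSURE_START = datetime(2019, 12, 17, tzinfo=timezone.utc)   # assumption
EXPOSURE_END = datetime(2020, 1, 8, 23, 59, 59, tzinfo=timezone.utc)
CITRIX_IP = "10.0.1.10"                                         # assumed address


def parse_line(line):
    """Return (timestamp, src, dst, dport) for one key=value log line."""
    ts, _action, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, fields["src"], fields["dst"], int(fields["dport"])


def peers_of(log_text, citrix_ip=CITRIX_IP, start=EXPOSURE_START, end=EXPOSURE_END):
    """Map each host that talked with the Citrix system inside the window to the
    set of (direction, destination port) pairs seen. Hosts reached *from* the
    Citrix system are the first candidates for credential and certificate resets."""
    peers = {}
    for line in log_text.splitlines():
        when, src, dst, dport = parse_line(line)
        if not start <= when <= end:
            continue                      # outside the exposure window
        if src == citrix_ip:
            other, direction = dst, "from_citrix"
        elif dst == citrix_ip:
            other, direction = src, "to_citrix"
        else:
            continue                      # flow does not involve the Citrix host
        peers.setdefault(other, set()).add((direction, dport))
    return peers


if __name__ == "__main__":
    for host, flows in sorted(peers_of(SAMPLE_LOG).items()):
        print(host, sorted(flows))
```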

Citrix crisis: Mitigating measures appear not to be working

The Citrix crisis continues; the mitigating measures do not appear to work in all cases, and the NCSC advises additional measures.
By: Mischa Rick van Geelen

Do you have security monitoring in place?

Security Information and Event Management (SIEM) and a Security Operations Center (SOC), combined in NFIR Insights: our fully automated solution, so that you no longer have to interpret data yourself.

Security monitoring involves monitoring network traffic and analysing log files in order to detect threats, vulnerabilities and cyber attacks at an early stage. NFIR offers a fully automated solution, so that you no longer need to interpret the data yourself. Via a dashboard you can view all alerts and take action where necessary.

NFIR Insights, our security monitoring service, analyses all data from the connected detection sources and presents the processed data in an easy-to-interpret dashboard. NFIR's security monitoring specialists automatically process the log data received on the basis of use cases that are agreed together with the customer. When network traffic is monitored, all information, including reports of suspicious activity, ends up in the dashboard. This way you are quickly informed of activity on your network and can intervene adequately when something suspicious occurs.

Monitoring your network helps to detect malicious behaviour early on. If you want to protect your network, the best starting point is to monitor it: you gain insight into your network, you are quickly informed of suspicious activity and you can take appropriate action when a suspicious situation arises.

NFIR’s security monitoring specialists work on the development of the Insights platform every week. The platform processes the information from devices in your network and analyses it using machine learning and proven detection rules.

Various detection sources can be connected to NFIR Insights, such as IDS sensors, firewall logs, vulnerability scanners (external/internal), endpoint solutions and the like.