Showing results for tags 'citrix'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 5 results

  1. Citrix adds NetScaler ADC setting to block recent DDoS attacks

Citrix has released a feature enhancement designed to block attackers from using the Datagram Transport Layer Security (DTLS) feature of Citrix ADC and Gateway devices as an amplification vector in DDoS attacks.

DTLS is a UDP-based version of the Transport Layer Security (TLS) protocol, used to secure delay-sensitive apps and services and to prevent eavesdropping and tampering.

According to reports that began surfacing on December 21st, 2020, a DDoS attack used DTLS to amplify traffic from susceptible Citrix ADC devices dozens of times.

"As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion," the company said in an advisory published on December 24th. "The effect of this attack appears to be more prominent on connections with limited bandwidth."

Fix now available

Citrix has now released a feature enhancement to remove the amplification vector on NetScaler ADC devices with Enlightened Data Transport UDP Protocol (EDT) enabled. The newly released DTLS feature enhancement adds a "HelloVerifyRequest" setting that addresses the susceptibility to this attack vector and blocks attempts by attackers to abuse the devices in future DDoS attacks.

The new builds with the DTLS enhancement are available on the Citrix downloads page for the following ADC and Gateway versions:

     • Citrix ADC and Citrix Gateway 13.0-71.44 and later releases
     • NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases
     • NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases

Citrix advises customers who use DTLS to upgrade their software and enable the "HelloVerifyRequest" setting in each DTLS profile using these instructions:

     1. List all DTLS profiles by running the command: show dtlsProfile
     2. For each DTLS profile, enable the "HelloVerifyRequest" setting by running the command: set dtlsProfile <profile name> -HelloVerifyRequest ENABLED
     3. Save the updated configuration by running the command: save config
     4. To verify that "HelloVerifyRequest" is enabled, run the command: show dtlsProfile
     5. If DTLS was disabled based on a previous version of this advisory, re-enable the DTLS profile by running the command: set vpn vserver <vserver name> -dtls ON

Temporary mitigation

Impacted customers who cannot immediately install these new builds can also remove the amplification vector for the time being by temporarily disabling DTLS. To disable DTLS on affected Citrix devices, issue the following command: set vpn vserver <vserver name> -dtls OFF

"Disabling the DTLS protocol may lead to limited performance degradation to real time applications using DTLS in your environment," Citrix said. "The extent of degradation depends on multiple variables. If your environment does not use DTLS, disabling the protocol temporarily will have no performance impact."

While the scope of these DDoS attacks is limited to a small number of Citrix customers, the company recommends that admins monitor their systems and always keep their appliances up to date.

Source: Citrix adds NetScaler ADC setting to block recent DDoS attacks
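To show why the HelloVerifyRequest setting removes the amplification vector, here is an added Python model of the DTLS stateless cookie exchange (the RFC 6347 mechanism the setting enables); it is example code, not Citrix's, and the message sizes, class names and addresses are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed message sizes in bytes (assumptions, not Citrix figures): a
# ClientHello is roughly a hundred bytes, while the server's first flight
# (ServerHello, certificate chain, ServerKeyExchange, ServerHelloDone)
# is typically several kilobytes. That gap is the amplification.
CLIENT_HELLO_SIZE = 120
SERVER_FLIGHT_SIZE = 4200
# HelloVerifyRequest framing: DTLS record header (13) + handshake header (12)
# + server_version (2) + cookie length (1), followed by the cookie itself.
HVR_BASE_SIZE = 28
COOKIE_LEN = 32


@dataclass
class ClientHello:
    src_ip: str        # source address on the datagram (spoofable over UDP)
    src_port: int
    random: bytes
    cookie: bytes = b""

    def size(self):
        return CLIENT_HELLO_SIZE + len(self.cookie)


@dataclass
class DtlsServer:
    hello_verify_request: bool   # the DTLS profile setting the advisory adds
    secret: bytes = field(default_factory=lambda: os.urandom(32))

    def make_cookie(self, hello):
        # Stateless cookie: HMAC over the claimed source address and the
        # ClientHello random, so it is bound to wherever the reply is sent.
        msg = f"{hello.src_ip}:{hello.src_port}".encode() + hello.random
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle(self, hello):
        """Return (reply_type, reply_size) for one inbound ClientHello."""
        if not self.hello_verify_request:
            # Legacy behaviour: answer every ClientHello with the full flight.
            return "ServerFlight", SERVER_FLIGHT_SIZE
        expected = self.make_cookie(hello)
        if hello.cookie and hmac.compare_digest(hello.cookie, expected):
            return "ServerFlight", SERVER_FLIGHT_SIZE
        # No valid cookie: answer with a small challenge instead of the flight.
        return "HelloVerifyRequest", HVR_BASE_SIZE + len(expected)


def amplification(server, spoofed_hello):
    """Bytes pushed at the spoofed source per byte the sender transmitted."""
    reply_type, reply_size = server.handle(spoofed_hello)
    return reply_type, reply_size / spoofed_hello.size()


def legitimate_handshake(server, ip, port):
    """A real client receives the challenge and can echo the cookie back."""
    hello = ClientHello(ip, port, os.urandom(32))
    reply, _ = server.handle(hello)
    if reply == "HelloVerifyRequest":
        hello.cookie = server.make_cookie(hello)  # the cookie the client was sent
        reply, _ = server.handle(hello)
    return reply
```

With the setting off, a spoofed ClientHello earns the spoofed address a 35x reply; with it on, the reply is smaller than the request and only a host that really receives the challenge can complete the handshake.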
  2. A new ransomware called Ragnarok has been detected being used in targeted attacks against unpatched Citrix ADC servers vulnerable to the CVE-2019-19781 exploit.

Last week, FireEye released a report about new attacks exploiting the now-patched Citrix ADC vulnerability to install the new Ragnarok ransomware on vulnerable networks.

When attackers compromise a Citrix ADC device, various scripts are downloaded and executed that scan for Windows computers vulnerable to the EternalBlue vulnerability. If any are found, the scripts attempt to exploit those Windows devices and, if successful, inject a DLL that downloads and installs the Ragnarok ransomware onto the exploited device.

After Head of SentinelLabs Vitali Kremez extracted the ransomware's configuration file, we were able to discover some interesting behavior not commonly seen in other ransomware, which we detail below.

Excludes both Russia and China from encryption

Many ransomware operations are created by developers based in Russia or other CIS countries. To fly under the authorities' radar, it is common for ransomware developers to exclude users in Russia and other former Soviet Union countries from encryption if they become infected.

Ragnarok operates similarly: it checks the installed Windows language ID and, if it matches one of the following, will not encrypt the computer.

     0419 = Russia
     0423 = Belarus
     0444 = Russia
     0442 = Turkmenistan
     0422 = Ukraine
     0426 = Latvia
     043f = Kazakhstan
     042c = Azerbaijan

Strangely, in addition to the CIS countries, Ragnarok will also avoid encrypting victims who have the 0804 language ID for China installed. Ransomware excluding both Russia and China at the same time is rare, and it is not known whether this is being done as a decoy for law enforcement or whether the ransomware operates out of both countries.

Attempts to disable Windows Defender

As Microsoft's Windows Defender has become a solid and reliable antivirus and security program, we are finding that numerous malware programs attempt to disable or bypass it to more easily conduct malicious operations. For example, we have seen GootKit, TrickBot, and Novter infections all utilizing some sort of Windows Defender bypass.

It is rare, though, to see ransomware infections themselves attempt to disable the functionality of Windows Defender, which is what Ragnarok attempts. It does this by adding the following Windows group policies that disable various protection options in Windows Defender:

     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender "DisableAntiSpyware" = 1
     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection "DisableRealtimeMonitoring" = 1
     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection "DisableBehaviorMonitoring" = 1
     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection "DisableOnAccessProtection" = 1

The good news is that if you have Windows 10's Tamper Protection feature enabled, these methods will not work and Windows will simply ignore any attempts to bypass Windows Defender.

In addition to Windows Defender, Ragnarok will also attempt to clear Shadow Volume Copies, disable Windows automatic startup repair, and turn off the Windows Firewall with the following commands:

     cmd.exe /c vssadmin delete shadows /all /quiet
     cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
     cmd.exe /c bcdedit /set {current} recoveryenabled no
     cmd.exe /c netsh advfirewall set allprofiles state off

Strange Unix file references

Another strange aspect of this ransomware is the numerous references in the Windows executable to various Unix/Linux file paths, such as:

     "no_name4": "/proc",
     "no_name5": "/proc/%s/status",
     "no_name8": "/tmp/crypt.txt",
     "no_name9": "/proc/%s",
     "rand_path": "/dev/random",
     "home_path": "/home/",

It is not yet clear why these paths are included or what they are used for, but Kremez believes it could be cross-platform targeting that the attackers still have in development.

"I believe "no_name5": "/proc/%s/status" specifically demonstrates that the actors are checking if the malware is running on the system via Unix command "/proc/[process_id]/status." Given that Citrix is exploited cross-platform and might be running on both Unix and Windows systems. This specific "no_name" setup allows the cross-platform targeting and checks for both Windows and Unix systems in mind. By and large, this targeting and any Unix payloads might be still in development; however, criminals behind Ragnarok appear to be as modular and adaptive as possible given this configuration setup to affect more systems," Kremez told BleepingComputer in a conversation.

A standard encryption routine

The rest of the Ragnarok encryption process is similar to what we see in other ransomware infections. When encrypting files it uses AES encryption, and the generated key is encrypted with a bundled RSA encryption key. This means only the ransomware developers can decrypt the victim's encryption key.

When scanning for files to encrypt, Ragnarok will skip any files that have the ".exe", ".dll", ".sys", and ".ragnarok" extensions. It will also skip any files whose path contains the following strings:

     content.ie5
     \temporary internet files
     \local settings\temp
     \appdata\local\temp
     \program files
     \windows
     \programdata
     $

Each encrypted file will have the .ragnarok extension appended to the file name. For example, 1.doc would be encrypted and renamed to 1.doc.ragnarok.

[Image: Folder encrypted by Ragnarok]

While encrypting the computer, it will create a ransom note named !!ReadMe_To_Decrypt_My_Files.txt in every traversed folder. This ransom note contains instructions on what happened to a victim's files, their encrypted decryption key, and three email addresses to contact for payment instructions. It is not known how many bitcoins the attackers are demanding for a decryptor.

[Image: Ragnarok ransom note]

At this time, it appears that Ragnarok's encryption can't be broken, but it will be further researched for any weaknesses.

Source
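The Defender policy values, the shadow-copy, bcdedit and firewall commands, the .ragnarok extension and the ransom note name listed above are all observable from endpoint telemetry. The following added Python (example code, not from the write-up or any vendor) correlates such events per host; the event format, hostnames and paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the Ragnarok write-up above. Registry keys are
# compared case-insensitively; data value 1 is what the ransomware writes.
DEFENDER_POLICY_VALUES = {
    r"hklm\software\policies\microsoft\windows defender": {"DisableAntiSpyware"},
    r"hklm\software\policies\microsoft\windows defender\real-time protection": {
        "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableOnAccessProtection",
    },
}
COMMAND_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin\s+delete\s+shadows\s+/all", re.I),
    "startup_repair_disabled": re.compile(
        r"bcdedit\s+/set\s+\{current\}\s+(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I),
    "firewall_disabled": re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I),
}
RANSOM_NOTE = "!!ReadMe_To_Decrypt_My_Files.txt"
ENCRYPTED_EXT = ".ragnarok"


def classify(event):
    """Return a detection label for one telemetry event, or None if benign."""
    kind = event["type"]
    if kind == "registry_set":
        allowed = DEFENDER_POLICY_VALUES.get(event["key"].lower(), set())
        if event["value"] in allowed and event["data"] == 1:
            return "defender_policy_tamper"
    elif kind == "process":
        for label, pattern in COMMAND_PATTERNS.items():
            if pattern.search(event["cmdline"]):
                return label
    elif kind == "file_create":
        name = event["path"].rsplit("\\", 1)[-1]
        if name == RANSOM_NOTE:
            return "ransom_note"
        if name.lower().endswith(ENCRYPTED_EXT):
            return "encrypted_file"
    return None


def detect(events, min_labels=2):
    """Hosts showing at least min_labels distinct Ragnarok-style behaviours."""
    hits = defaultdict(set)
    for event in events:
        label = classify(event)
        if label:
            hits[event["host"]].add(label)
    return {host: sorted(labels) for host, labels in hits.items() if len(labels) >= min_labels}


# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"host": "WS01", "type": "process", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "type": "process", "cmdline": "cmd.exe /c netsh advfirewall set allprofiles state off"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\bob\Documents\1.doc.ragnarok"},
    {"host": "WS02", "type": "process", "cmdline": "vssadmin list shadows"},   # routine admin use
    {"host": "WS02", "type": "file_create", "path": r"C:\Users\amy\Documents\report.docx"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Requiring two distinct behaviours on the same host keeps a lone administrator running vssadmin or bcdedit from paging anyone, while the Defender policy write plus shadow-copy deletion seen together is the pre-encryption sequence the article describes.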
  3. As attacks begin, Citrix ships patch for VPN vulnerability

Hundreds of US government agencies have vulnerable VPNs, data shows.

[Image: Igor Golovniov/SOPA Images/LightRocket via Getty Images]

On January 19, Citrix released some permanent fixes for a vulnerability in the company's Citrix Application Delivery Controller (ADC) and Citrix Gateway virtual private network servers that allowed an attacker to remotely execute code on the gateway without needing a login. The vulnerability affects tens of thousands of known VPN servers, including at least 260 VPN servers associated with US federal, state, and local government agencies, among them at least one site operated by the US Army.

The patches are for versions 11.1 and 12.0 of the products, formerly marketed under the NetScaler name. Other patches will be available on January 24. These patches follow instructions for temporary fixes the company provided to deflect the crafted requests associated with the vulnerability, which could be used by an attacker to gain access to the networks protected by the VPNs.

Fermin J. Serna, chief information security officer at Citrix, announced the fixes in a blog post on Sunday. At the same time, Serna revealed that the vulnerability, and the patches being released, also applied to Citrix ADC and Citrix Gateway Virtual Appliances hosted on virtual machines on all commercially available virtualization platforms, as well as those hosted in Azure, Amazon Web Services, Google Compute Platform, and Citrix Service Delivery Appliances (SDXs).

Lots to patch

That makes for lots of work over the next few weeks for Citrix customers, which include thousands of government agencies, educational institutions, hospitals, and major corporations worldwide. As of last week, according to data provided by Bad Packets to Ars Technica, over 26,000 servers were still vulnerable to the crafted request.

The data, including information on potentially vulnerable government VPN gateways, was shared by Bad Packets with the Cybersecurity and Infrastructure Security Agency. It included a gateway associated with a DOD civilian personnel system, the US Census service, and a number of local law enforcement agencies.

Inevitably, hundreds of Citrix VPN servers will remain vulnerable for weeks or months. Some are already being attacked, according to reports from FireEye, with one attacker installing the mitigation settings to keep other attackers out and removing any other installed malware before setting up their own backdoor. Many of the exploits thus far have installed low-impact malware, including cryptocurrency mining software. But based on what happened with last year's Pulse Secure vulnerability, ransomware operators and other cybercriminals will soon join the hunt.

Meanwhile, a member of the group operating the REvil ransomware campaign recently acknowledged that the group had attacked Travelex using the Pulse Secure vulnerability, according to security researcher Vitali Kremez. UNKN, the administrator of the REvil malware, claimed credit for the Travelex attack in a forum post on January 7 and said that Travelex executives needed to hurry up and pay, or customers' birth dates, Social Security numbers, and credit card data "would be sold to someone."

Source: As attacks begin, Citrix ships patch for VPN vulnerability (Ars Technica)
  4. Hackers Were Inside Citrix for Five Months

Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents.

The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.

Citrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection.

In March 2019, the Federal Bureau of Investigation (FBI) alerted Citrix that it had reason to believe cybercriminals had gained access to the company's internal network. The FBI told Citrix the hackers likely got in using a technique called "password spraying," a relatively crude but remarkably effective attack that attempts to access a large number of employee accounts (usernames/email addresses) using just a handful of common passwords.

In a statement released at the time, Citrix said it appeared hackers "may have accessed and downloaded business documents," and that it was still working to identify what precisely was accessed or stolen.

But in a letter sent to affected individuals dated Feb. 10, 2020, Citrix disclosed additional details about the incident. According to the letter, the attackers "had intermittent access" to Citrix's internal network between Oct. 13, 2018 and Mar. 8, 2019, and there was no evidence that the cybercrooks still remain in the company's systems.

Citrix said the information taken by the intruders may have included Social Security Numbers or other tax identification numbers, driver's license numbers, passport numbers, financial account numbers, payment card numbers, and/or limited health claims information, such as health insurance participant identification number and/or claims information relating to date of service and provider name.

It is unclear how many people received this letter, but the communication suggests Citrix is contacting a broad range of individuals who work or worked for the company at some point, as well as those who applied for jobs or internships there and people who may have received health or other benefits from the company by virtue of having a family member employed by the company.

Citrix's letter was prompted by laws in virtually all U.S. states that require companies to notify affected consumers of any incident that jeopardizes their personal and financial data. While the notification does not specify whether the attackers stole proprietary data about the company's software and internal operations, the intruders certainly had ample opportunity to access at least some of that information as well.

Shortly after Citrix initially disclosed the intrusion in March 2019, a little-known security company, Resecurity, claimed it had evidence Iranian hackers were responsible, had been in Citrix's network for years, and had offloaded terabytes of data. Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018, a claim Citrix initially denied but later acknowledged.

Iranian hackers recently have been blamed for hacking VPN servers around the world in a bid to plant backdoors in large corporate networks. A report released this week (PDF) by security firm ClearSky details how Iran's government-backed hacking units have been busy exploiting security holes in popular VPN products from Citrix and a number of other software firms.

ClearSky says the attackers have focused on attacking VPN tools because they provide a long-lasting foothold at the targeted organizations, and frequently open the door to breaching additional companies through supply-chain attacks. The company says such tactics have allowed the Iranian hackers to gain persistent access to the networks of companies across a broad range of sectors, including IT, security, telecommunications, oil and gas, aviation, and government.

Among the VPN flaws available to attackers is a recently patched vulnerability (CVE-2019-19781) in Citrix VPN servers dubbed "Shitrix" by some in the security community. The derisive nickname may have been chosen because while Citrix initially warned customers about the vulnerability in mid-December 2019, it didn't start releasing patches to plug the holes until late January 2020, roughly two weeks after attackers started using publicly released exploit code to break into vulnerable organizations.

How would your organization hold up to a password spraying attack? As the Citrix hack shows, if you don't know you should probably check, and then act on the results accordingly. It's a fair bet the bad guys are going to find out even if you don't.

Source: Hackers Were Inside Citrix for Five Months (KrebsOnSecurity - Brian Krebs)
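Password spraying as the article defines it, many accounts tried with only a handful of passwords each, has a distinctive footprint in authentication logs: one source failing against many distinct users with a low failure count per user. The following added Python (example code, not from KrebsOnSecurity or Citrix) flags that pattern with a sliding window; the log line format, addresses and usernames are constructed assumptions.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): one authentication attempt per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), "src": m["src"],
            "user": m["user"], "result": m["result"]}


def detect_spray(lines, window=timedelta(minutes=30), min_users=10, max_per_user=2):
    """Flag sources that fail against many distinct accounts, each only a few
    times, inside one sliding window. The low per-account failure count is
    what separates spraying from a brute force against a single account."""
    by_src = {}
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "FAIL":
            by_src.setdefault(ev["src"], []).append(ev)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        recent, per_user = deque(), Counter()
        for ev in fails:
            recent.append(ev)
            per_user[ev["user"]] += 1
            while ev["ts"] - recent[0]["ts"] > window:   # expire events outside the window
                old = recent.popleft()
                per_user[old["user"]] -= 1
                if per_user[old["user"]] == 0:
                    del per_user[old["user"]]
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = {"users": len(per_user), "first": recent[0]["ts"], "last": ev["ts"]}
    return flagged


def sample_log():
    """Constructed sample: one spraying source, one single-account brute force,
    and an ordinary user who mistyped a password once."""
    base = datetime(2019, 2, 14, 3, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S"
    lines = []
    for i in range(12):  # spray: 12 accounts, one failure each, a minute apart
        lines.append(f"{(base + timedelta(minutes=i)).strftime(fmt)} src=198.51.100.23 user=emp{i:02d} result=FAIL")
    for i in range(15):  # brute force: one account hit 15 times
        lines.append(f"{(base + timedelta(seconds=10 * i)).strftime(fmt)} src=203.0.113.9 user=jsmith result=FAIL")
    lines.append(f"{base.strftime(fmt)} src=192.0.2.50 user=alice result=FAIL")
    lines.append(f"{base.strftime(fmt)} src=192.0.2.50 user=alice result=OK")
    return lines


if __name__ == "__main__":
    for src, info in detect_spray(sample_log()).items():
        print(src, info)
```

Only the spraying source is reported; the single-account brute force trips ordinary lockout controls instead, which is exactly why spraying is built to stay under them.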
  5. Microsoft partners with Citrix to reimagine the "workplace of the future"

[Image via Citrix (YouTube)]

Earlier today, Microsoft announced a cloud-centric alliance with transportation services provider C.H. Robinson. Now, the tech giant has unveiled a multi-year agreement with Citrix, a firm that Microsoft has collaborated with multiple times in the past. The latest partnership aims to speed up other organizations' move to the cloud and digital workspaces, especially given how the COVID-19 pandemic has affected workplace situations worldwide.

Under the terms of this agreement, Citrix has selected Azure as its preferred cloud platform, while Microsoft has opted for Citrix as its preferred digital workspace solution. As such, on-premises Citrix customers will be moved to Azure to assist with remote working. The primary components of this collaboration include providing organizations with a more agile enterprise and re-imagining the "workplace of the future".

Microsoft CEO Satya Nadella shared his thoughts on the partnership, noting:

"As organizations everywhere adapt to new ways of work, they will need to reimagine how and where work gets done. Together with Citrix, we will apply the power of Azure to this challenge, helping our customers seamlessly and securely connect their employees to their applications, so they can be more agile and productive wherever they are."

Both firms will develop a connected roadmap to make the transition of application workloads to Azure more streamlined. Citrix will also work towards building a Microsoft-centric Citrix Workspace, with integrations that help optimize performance for services offered through both the Microsoft 365 platform and Windows Virtual Desktop.

The Citrix Workspace app is available for delivery on Azure starting today. You can learn about the finer details of this transition here, and download the app here.

Source: Microsoft partners with Citrix to reimagine the "workplace of the future"