Blog

Threat Finds

Crypto

Using AI to detect a bitcoin mining campaign leveraging Citrix Netscaler vulnerabilities

Using AI to detect a bitcoin mining campaign leveraging Citrix Netscaler vulnerabilitiesDefault blog imageDefault blog image
27
Jan 2020
27
Jan 2020

Over the last 14 days, Darktrace has detected at least 80 different customers all targeted by the same CVE-2019-19781 vulnerability — affecting the Citrix ADC (Citrix Application Delivery Controller) and Citrix Gateway solution for public cloud. Customers operating Darktrace Antigena in ‘active mode’ have all seen that this attack was neutralized within seconds.

According to the National Cyber Security Centre, the exploitation of this vulnerability allows an ‘unauthenticated attacker to perform arbitrary code execution’. While Citrix has released mitigation advice, patches are just being rolled out. This unfortunately left a critical window of time, during which the attackers could exploit the vulnerabilities. However, Darktrace’s immune system technology can effectively halt the attack and contain the damage.

This blog post outlines the attack lifecycle of a campaign exploiting the Citrix vulnerabilities to download crypto-mining malware. It is interesting to see how quick the cyber-criminals were to weaponize the Citrix exploits with crypto-mining payloads for generating profit. It shows that AI-powered Autonomous Response is pivotal in today’s fast-moving threat landscape, where patches might not be available or might take weeks to install safely.

Breaking down the attack lifecycle

The following description of the observed attack stages demonstrates how Darktrace Antigena’s independent and immediate action stops the attack in its tracks, provides visibility of the complete attack lifecycle, and significantly reduces security teams’ investigation time into this activity.

  1. Darktrace’s detection capabilities highlight the steps taken by exploited Citrix Netscaler devices executing shell commands.
  2. These devices begin by receiving HTTP POST requests to URIs that are vulnerable to directory traversal attacks, for example /vpn/…/vpns/cfg/smb.conf. This is visible in the below details provided by Darktrace.

Figure 1: A screenshot of the requests on a particular device

  1. These POST requests are followed by high confidence alerts created by Darktrace – the attack behavior was very similar in different targeted organizations. The high-confidence alerts were equally similar, regardless of the target, as the attack behavior was the same.
  2. Code execution is triggered, leading to the download of shell scripts and other malware with the end-goal of running crypto-mining malware.

Some of the high-confidence alerts are:

  • Compromise / High Volume of Connections with Beacon Score – used to identify command and control traffic
  • Compliance / Pastebin – triggers during suspicious and unusual Pastebin activity
  • Compliance / Crypto Currency Mining Activity
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint – indicating unsuccessful command and control traffic attempts
  • Anomalous File / Script from Rare External – indicating the download of a script file from a location on the internet that is not commonly visited by the targeted organization (often this is the initial infection or a later-stage payload)

In one example, a gateway device was seen downloading a shell script from a rare external endpoint in Russia, with a /ci.sh URI.

Figure 2: Darktrace’s Threat Visualizer showing an endpoint with 100% rarity

Next, compromised devices have been observed downloading an executable file from Ukraine (http://217.12.221[.]12/netscalerd), containing an ELF:BitCoinMiner Malware, triggering the cryptocurrency mining and command and control beaconing alerts.

Figure 3: The Anomalous File / EXE from Rare External Location alert triggered by C2 traffic

Figure 4: Darktrace showing further details about the downloaded malware

An immediate response

However, Darktrace Antigena kicks in as the machine defender, eliminating the incoming threat by blocking miner file downloads and activity for about a day. This offers the customer ample time to react to this anomalous activity and halts the malware’s spread to other devices. Intervening with surgical precision, Antigena stops the malicious activity while allowing normal business processes to continue.

Figure 5: Chronological sequence (bottom to top) of alerts and Antigena actions on the vulnerable device

Lessons for the future

The exploitation of Citrix ADC’s vulnerability has understandably caused concern across the security community. Based upon the cumulation and nature of alerts triggered, the malware aims to mine cryptocurrency like so many other campaigns these days.

On the other hand, and perhaps more importantly here, this recently discovered vulnerability strengthens the case for Autonomous Response and its proven ability to prevent novel attacks.

At Darktrace we are often asked how we detect zero-day exploits. Every stage in the attack lifecycle – from the execution of Pastebin-sourced commands to performing internal reconnaissance and mining crypto with impunity – involved behavior that in some way deviated from the Enterprise Immune System’s learned ‘pattern of life’. Antigena neutralized these attacks without relying on pre-defined blacklists, and no new detections were created. By leveraging Cyber AI, the Bitcoin malware using the Citrix vulnerabilities was instantly contained – before any damage could be done to the customer.

Indicators of compromise

  • 185.178.45[.]221 (hosting malicious shell scripts)
  • 92.63.99[.]17 (mining pool)
  • 217.12.221[.]12 (hosting malware)

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max oversees global threat hunting efforts, working with strategic customers to investigate and respond to cyber-threats. He works closely with the R&D team at Darktrace’s Cambridge UK headquarters, leading research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. When living in Germany, he was an active member of the Chaos Computer Club. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

share this article
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Using AI to detect a bitcoin mining campaign leveraging Citrix Netscaler vulnerabilities
Share
Twitter logoLinkedIn logo

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
For more information, please see our Privacy Notice.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out this article by Darktrace: Using AI to detect a bitcoin mining campaign leveraging Citrix Netscaler vulnerabilities