How AI Can Detect Bitcoin Mining Attack Via Citrix Flaw
26 Jan 2020
Over the last 14 days, Darktrace has detected at least 80 different customers all targeted by the same CVE-2019-19781 vulnerability — affecting the Citrix ADC (Citrix Application Delivery Controller) and Citrix Gateway solution for public cloud. Customers operating Darktrace Antigena in ‘active mode’ have all seen that this attack was neutralized within seconds.
According to the National Cyber Security Centre, the exploitation of this vulnerability allows an ‘unauthenticated attacker to perform arbitrary code execution’. While Citrix has released mitigation advice, patches are just being rolled out. This unfortunately left a critical window of time, during which the attackers could exploit the vulnerabilities. However, Darktrace’s immune system technology can effectively halt the attack and contain the damage.
This blog post outlines the attack lifecycle of a campaign exploiting the Citrix vulnerabilities to download crypto-mining malware. It is notable how quickly the cyber-criminals weaponized the Citrix exploits with crypto-mining payloads to generate profit. It shows that AI-powered Autonomous Response is pivotal in today’s fast-moving threat landscape, where patches might not be available or might take weeks to install safely.
Breaking down the attack lifecycle
The following description of the observed attack stages demonstrates how Darktrace Antigena’s independent and immediate action stops the attack in its tracks, provides visibility of the complete attack lifecycle, and significantly reduces security teams’ investigation time into this activity.
Darktrace’s detection capabilities highlight the steps taken by exploited Citrix Netscaler devices executing shell commands.
These devices begin by receiving HTTP POST requests to URIs that are vulnerable to directory traversal attacks, for example /vpn/…/vpns/cfg/smb.conf. This is visible in the below details provided by Darktrace.
Figure 1: A screenshot of the requests on a particular device
These POST requests are followed by high-confidence alerts created by Darktrace. Because the attack behavior was the same across the different targeted organizations, the alerts triggered were equally similar regardless of the target.
Code execution is triggered, leading to the download of shell scripts and other malware with the end-goal of running crypto-mining malware.
Some of the high-confidence alerts are:
Compromise / High Volume of Connections with Beacon Score – used to identify command and control traffic
Compliance / Pastebin – triggers during suspicious and unusual Pastebin activity
Compliance / Crypto Currency Mining Activity
Anomalous Connection / Multiple Failed Connections to Rare Endpoint – indicating unsuccessful command and control traffic attempts
Anomalous File / Script from Rare External – indicating the download of a script file from a location on the internet that is not commonly visited by the targeted organization (often this is the initial infection or a later-stage payload)
In one example, a gateway device was seen downloading a shell script from a rare external endpoint in Russia, with a /ci.sh URI.
Figure 2: Darktrace’s Threat Visualizer showing an endpoint with 100% rarity
Next, compromised devices have been observed downloading an executable file from Ukraine (http://217.12.221[.]12/netscalerd) containing ELF:BitCoinMiner malware, triggering the cryptocurrency mining and command-and-control beaconing alerts.
Figure 3: The Anomalous File / EXE from Rare External Location alert triggered by C2 traffic
Figure 4: Darktrace showing further details about the downloaded malware
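The three detection stages described above (traversal request, payload fetched from a rare external endpoint, regular beaconing), as an added example that is not Darktrace's code. It assumes a simplified event schema, constructed sample events using documentation IP ranges rather than the real endpoints, and that the elided segment in the example URI is a parent-directory traversal.

```python
"""Detections for the three attack stages above. Added example, not Darktrace code:
field names, thresholds and the sample events are assumptions/constructed."""
from posixpath import normpath
from statistics import mean, pstdev
from urllib.parse import unquote

# Stage 1 - exploitation attempt: the raw request path uses parent-directory
# traversal to escape /vpn/ and land in the /vpns/ configuration tree.
# The path is percent-decoded first so an encoded traversal is not missed.
def is_traversal_into_vpns(uri: str) -> bool:
    path = unquote(uri.split("?", 1)[0])
    return ".." in path and normpath(path).startswith("/vpns/")

# Stage 2 - payload retrieval: a script or ELF fetched from an external host the
# organisation has rarely or never contacted. A never-seen host scores 1.0 (100% rare).
PAYLOAD_TYPES = {"text/x-shellscript", "application/x-executable"}

def endpoint_rarity(host: str, days_seen: dict, window_days: int = 28) -> float:
    return 1.0 - min(days_seen.get(host, 0), window_days) / window_days

def rare_payload_downloads(events: list, days_seen: dict, threshold: float = 0.95) -> list:
    hits = []
    for ev in events:
        rarity = endpoint_rarity(ev["host"], days_seen)
        if ev["mime"] in PAYLOAD_TYPES and rarity >= threshold:
            hits.append((ev["device"], ev["host"], ev["uri"], rarity))
    return hits

# Stage 3 - command and control: many connections to one endpoint at near-regular
# intervals. Score = 1 - coefficient of variation of inter-arrival gaps, floored at 0.
def beacon_score(timestamps: list, min_connections: int = 6) -> float:
    ts = sorted(timestamps)
    if len(ts) < min_connections:
        return 0.0
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return max(0.0, 1.0 - pstdev(gaps) / avg) if avg > 0 else 0.0

# Constructed sample telemetry (documentation IP ranges, not the real IoCs).
INBOUND_URIS = ["/vpn/../vpns/cfg/smb.conf", "/vpn/index.html", "/vpn/..%2fvpns/cfg/smb.conf"]
DOWNLOADS = [
    {"device": "gateway-01", "host": "203.0.113.45", "uri": "/ci.sh", "mime": "text/x-shellscript"},
    {"device": "gateway-01", "host": "198.51.100.9", "uri": "/netscalerd", "mime": "application/x-executable"},
    {"device": "gateway-01", "host": "cdn.example.com", "uri": "/app.js", "mime": "application/javascript"},
]
DAYS_SEEN = {"cdn.example.com": 28}             # learned baseline; absent hosts were never seen
BEACON_TS = [0, 60, 121, 179, 240, 301, 359]    # ~60 s check-ins to one endpoint
USER_TS = [0, 5, 400, 410, 900, 905, 2000]      # irregular, user-driven connections

def run() -> dict:
    return {
        "exploit_attempts": [u for u in INBOUND_URIS if is_traversal_into_vpns(u)],
        "rare_downloads": rare_payload_downloads(DOWNLOADS, DAYS_SEEN),
        "beacon_score": round(beacon_score(BEACON_TS), 2),
    }

if __name__ == "__main__":
    print(run())
```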
An immediate response
However, Darktrace Antigena kicks in as the machine defender, eliminating the incoming threat by blocking miner file downloads and activity for about a day. This offers the customer ample time to react to this anomalous activity and halts the malware’s spread to other devices. Intervening with surgical precision, Antigena stops the malicious activity while allowing normal business processes to continue.
Figure 5: Chronological sequence (bottom to top) of alerts and Antigena actions on the vulnerable device
Lessons for the future
The exploitation of Citrix ADC’s vulnerability has understandably caused concern across the security community. Based upon the accumulation and nature of alerts triggered, the malware aims to mine cryptocurrency, like so many other campaigns these days.
On the other hand, and perhaps more importantly here, this recently discovered vulnerability strengthens the case for Autonomous Response and its proven ability to prevent novel attacks.
At Darktrace we are often asked how we detect zero-day exploits. Every stage in the attack lifecycle – from the execution of Pastebin-sourced commands to performing internal reconnaissance and mining crypto with impunity – involved behavior that in some way deviated from the Enterprise Immune System’s learned ‘pattern of life’. Antigena neutralized these attacks without relying on pre-defined blacklists, and no new detections were created. By leveraging Cyber AI, the Bitcoin malware using the Citrix vulnerabilities was instantly contained – before any damage could be done to the customer.
Author: Max Heinemeyer, Global Field CISO
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
Survey findings: AI Cyber Threats are a Reality, the People are Acting Now
Artificial intelligence is changing the cybersecurity field as fast as any other, both on the offensive and defensive side. We surveyed over 1,500 cybersecurity professionals from around the world to uncover their attitudes, understanding, and priorities when it comes to AI cybersecurity in 2025. Our full report, unearthing some telling trends, is out now.
Nearly 74% of participants say AI-powered threats are a major challenge for their organization and 90% expect these threats to have a significant impact over the next one to two years, a slight increase from last year. These statistics highlight that AI is not just an emerging risk but a present and evolving one.
As attackers harness AI to automate and scale their operations, security teams must adapt just as quickly. Organizations that fail to prioritize AI-specific security measures risk falling behind, making proactive defense strategies more critical than ever.
Some of the most pressing AI-driven cyber threats include:
AI-powered social engineering: Attackers are leveraging AI to craft highly personalized and convincing phishing emails, making them harder to detect and more likely to bypass traditional defenses.
More advanced attacks at speed and scale: AI lowers the barrier for less skilled threat actors, allowing them to launch sophisticated attacks with minimal effort.
Attacks targeting AI systems: Cybercriminals are increasingly going after AI itself, compromising machine learning models, tampering with training data, and exploiting vulnerabilities in AI-driven applications and APIs.
Safe and secure use of AI
AI is having an effect on the cyber-threat landscape, but it also is starting to impact every aspect of a business – from marketing to HR to operations. The accessibility of AI tools for employees improves workflows, but also poses risks like data privacy violations, shadow AI, and violation of industry regulations.
How are security practitioners accommodating for this uptick in AI use across business?
Among survey participants, 45% of security practitioners say they had already established a policy on the safe and secure use of AI, and around 50% are in discussions to do so.
While almost all participants acknowledge that this is a topic that needs to be addressed, the gap between discussion and execution could underscore a need for greater insight, stronger leadership commitment, and adaptable security frameworks to keep pace with AI advancements in the workplace. The most popular actions taken are:
Implemented security controls to prevent unwanted exposure of corporate data when using AI technology (67%)
Implemented security controls to protect against other threats/risks associated with using AI technology (62%)
This year specifically, we see further action being taken with the implementation of security controls, training, and oversight.
For a more detailed breakdown that includes results based on industry and organizational size, download the full report here.
AI threats are rising, but security teams still face major challenges
78% of CISOs say AI-powered cyber-threats are already having a significant impact on their organization, a 5% increase from last year.
While cyber professionals feel more prepared for AI-powered threats than they did 12 months ago, 45% still say their organization is not adequately prepared, down from 60% last year.
Despite this optimism, key challenges remain, including:
A shortage of personnel to manage tools and alerts
Gaps in knowledge and skills related to AI-driven countermeasures
Confidence in traditional security tools vs. new AI-based tools
This year, 73% of survey participants expressed confidence in their security team’s proficiency in using AI within their tool stack, marking an increase from the previous year.
However, only 50% of participants have confidence in traditional cybersecurity tools to detect and block AI-powered threats. In contrast, 75% of participants are confident in AI-powered security solutions for detecting and blocking such threats and attacks.
As leading organizations continue to implement and optimize their use of AI, they are incorporating it into an increasing number of workflows. This growing familiarity with AI is likely to boost the confidence levels of practitioners even further.
The data indicates a clear trend towards greater reliance on AI-powered security solutions over traditional tools. As organizations become more adept at integrating AI into their operations, their confidence in these advanced technologies grows.
This shift underscores the importance of staying current with AI advancements and ensuring that security teams are well-trained in utilizing these tools effectively. The increasing confidence in AI-driven solutions reflects their potential to enhance cybersecurity measures and better protect against sophisticated threats.
The full report for Darktrace’s State of AI Cybersecurity is out now. Download the paper to dig deeper into these trends, and see how results differ by industry, region, organization size, and job title.
Darktrace's Early Detection of the Latest Ivanti Exploits
As reported in Darktrace’s 2024 Annual Threat Report, the exploitation of Common Vulnerabilities and Exposures (CVEs) in edge infrastructure has consistently been a significant concern across the threat landscape, with internet-facing assets remaining highly attractive to various threat actors.
What are the latest vulnerabilities in Ivanti products?
In early January 2025, two new vulnerabilities were disclosed in Ivanti CS and PS, as well as their Zero Trust Access (ZTA) gateway products.
CVE-2025-0282: A stack-based buffer overflow vulnerability. Successful exploitation could lead to unauthenticated remote code execution, allowing attackers to execute arbitrary code on the affected system [1].
CVE-2025-0283: When combined with CVE-2025-0282, this vulnerability could allow a local authenticated attacker to escalate privileges, gaining higher-level access on the affected system [1].
Ivanti also released a statement noting they are currently not aware of any exploitation of CVE-2025-0283 at the time of disclosure [1].
Darktrace coverage of Ivanti
The Darktrace Threat Research team investigated the new Ivanti vulnerabilities across their customer base and discovered suspicious activity on two customer networks. Indicators of Compromise (IoCs) potentially indicative of successful exploitation of CVE-2025-0282 were identified as early as December 2024, 11 days before they had been publicly disclosed by Ivanti.
Case 1: December 2024
Authentication with a Privileged Credential
Darktrace initially detected suspicious activity connected with the exploitation of CVE-2025-0282 on December 29, 2024, when a customer device was observed logging into the network via SMB using the credential “svc_negbackups”, before authenticating with the credential “svc_negba” via RDP.
This likely represented a threat actor attempting to identify vulnerabilities within the system or application and escalate their privileges from a basic user account to a more privileged one. Darktrace / NETWORK recognized that the credential “svc_negbackups” was new for this device and therefore deemed it suspicious.
Figure 1: Darktrace / NETWORK’s detection of the unusual use of a new credential.
Likely Malicious File Download
Shortly after authentication with the privileged credential, Darktrace observed the device performing an SMB write to the C$ share, where a likely malicious executable file, ‘DeElevate64.exe’ was detected. While this is a legitimate Windows file, it can be abused by malicious actors for Dynamic-Link Library (DLL) sideloading, where malicious files are transferred onto other devices before executing malware. There have been external reports indicating that threat actors have utilized this technique when exploiting the Ivanti vulnerabilities [2].
Figure 2: Darktrace’s detection of the SMB write of the likely malicious file ‘DeElevate64.exe’ on December 29, 2024.
Shortly after, a high volume of SMB login failures using the credential “svc_counteract-ext” was observed, suggesting potential brute forcing activity. The suspicious nature of this activity triggered an Enhanced Monitoring model alert that was escalated to Darktrace’s Security Operations Center (SOC) for further investigation and prompt notification, as the customer was subscribed to the Security Operations Support service. Enhanced Monitoring models are high-fidelity models that detect activities more likely to be indicative of compromise.
Suspicious Scanning and Internal Reconnaissance
Darktrace then went on to observe the device carrying out network scanning activity as well as anomalous ITaskScheduler activity. Threat actors can exploit the task scheduler to facilitate the initial or recurring execution of malicious code by a trusted system process, often with elevated permissions. The same device was also seen carrying out uncommon WMI activity.
Figure 3: Darktrace’s detection of a suspicious network scan from the compromised device.
Figure 4: Further information on the suspicious scanning activity retrieved by Cyber AI Analyst, including total number of connections and ports scanned.
Figure 5: Darktrace’s detection of a significant spike in WMI activity represented by DCE_RPC protocol request increases at the time, with little to no activity observed one week either side.
Case 2: January 2025
Suspicious File Downloads
On January 13, 2025, Darktrace began to observe activity related to the exploitation of CVE-2025-0282 on the network of another customer, with one device in particular attempting to download likely malicious files.
Firstly, Darktrace observed the device making a GET request for the file “DeElevator64.dll” hosted on the IP 104.238.130[.]185. The device proceeded to download another file, this time “DeElevate64.exe”, from the same IP. This was followed by the download of “DeElevator64.dll”, similar to the case observed in December 2024. External reporting indicates that this DLL has been used by actors exploiting CVE-2025-0282 to sideload a backdoor into infected systems [2].
Figure 6: Darktrace’s detection of the download of the suspicious file “DeElevator64.dll” on January 13, 2025.
Suspicious Internal Activity
Just like the previous case, on January 15, the same device was observed making numerous internal connections consistent with network scanning activity, as well as DCE-RPC requests.
Just a few minutes later, Darktrace again detected the use of a new administrative credential, observing the following details:
The hostname observed by Darktrace, “DESKTOP-1JIMIV3,” has also been identified by other external vendors and was associated with a remote computer name seen accessing compromised accounts [2].
Darktrace also observed the device performing an SMB write of an additional file, “to.bat,” which may have represented another malicious file loaded from the DLL files that the device had downloaded earlier. It is possible this represented the threat actor attempting to deploy a remote scheduled task.
Figure 7: Darktrace’s detection of SMB Write of the suspicious file “to.bat”.
Further investigation revealed that the device was likely a Veeam server, with its MAC address indicating it was a VMware device. It also appeared that the Veeam server was capturing activities referenced from the hostname DESKTOP-1JIMIV3. This may be analogous to the remote computer name reported by external researchers as accessing accounts [2]. However, this activity might also suggest that while the same threat actor and tools could be involved, they may be targeting a different vulnerability in this instance.
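The detections that the two cases above turn on (first use of a credential unknown to the device, an executable or batch file written to an administrative share, and a burst of SMB login failures), as an added example that is not Darktrace's code. The event schema, thresholds, device name and credential names are assumptions, and every record is constructed; only the file names come from the cases above.

```python
"""Detections for the Case 1 and Case 2 sequences above. Added example, not Darktrace
code: the event schema, thresholds and all records are assumptions/constructed."""
from collections import defaultdict

EXEC_EXT = (".exe", ".dll", ".bat")
ADMIN_SHARES = {"C$", "ADMIN$"}

# Constructed events: (t_seconds, device, kind, credential, share, path)
EVENTS = [
    (0,   "veeam-01", "smb_login_ok", "svc_bkp",     None, None),          # baseline account
    (10,  "veeam-01", "smb_login_ok", "svc_bkp_new", None, None),          # never seen on this device
    (15,  "veeam-01", "rdp_login_ok", "svc_bk",      None, None),          # second unfamiliar account
    (40,  "veeam-01", "smb_write",    "svc_bkp_new", "C$", "Temp\\DeElevate64.exe"),
    (45,  "veeam-01", "smb_write",    "svc_bkp_new", "C$", "Temp\\readme.txt"),
    (300, "veeam-01", "smb_write",    "svc_bkp_new", "C$", "Temp\\to.bat"),
] + [(100 + i, "veeam-01", "smb_login_fail", "svc_ext", None, None) for i in range(25)]

BASELINE = {"veeam-01": {"svc_bkp"}}   # credentials learned per device during training

# Detection 1: first successful use of a credential absent from the device's learned profile.
def new_credential_alerts(events, baseline):
    seen = {dev: set(creds) for dev, creds in baseline.items()}
    alerts = []
    for t, dev, kind, cred, _, _ in events:
        if kind.endswith("_login_ok") and cred not in seen.setdefault(dev, set()):
            seen[dev].add(cred)                       # alert only on the first use
            alerts.append((t, dev, kind.split("_")[0], cred))
    return alerts

# Detection 2: executable, DLL or batch file written to an administrative share.
def admin_share_exec_writes(events):
    return [(t, dev, share, path) for t, dev, kind, _, share, path in events
            if kind == "smb_write" and share in ADMIN_SHARES and path.lower().endswith(EXEC_EXT)]

# Detection 3: burst of SMB login failures for one credential within a sliding window.
def login_failure_bursts(events, window=60, threshold=20):
    fails = defaultdict(list)
    for t, dev, kind, cred, _, _ in events:
        if kind == "smb_login_fail":
            fails[(dev, cred)].append(t)
    alerts = []
    for (dev, cred), ts in fails.items():
        ts.sort()
        start = peak = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:             # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((dev, cred, peak))
    return alerts

if __name__ == "__main__":
    print(new_credential_alerts(EVENTS, BASELINE))
    print(admin_share_exec_writes(EVENTS))
    print(login_failure_bursts(EVENTS))
```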
Autonomous Response
In this case, the customer had Darktrace’s Autonomous Response capability enabled on their network. As a result, Darktrace was able to contain the compromise and shut down any ongoing suspicious connectivity by blocking internal connections and enforcing a “pattern of life” on the affected device. This action allows a device to make its usual connections while blocking any that deviate from expected behavior. These mitigative actions by Darktrace ensured that the compromise was promptly halted, preventing any further damage to the customer’s environment.
If the previous blog in January 2024 was a stark reminder of the threat posed by malicious actors exploiting Internet-facing assets, the recent activities surrounding CVE-2025-0282 and CVE-2025-0283 emphasize this even further.
Based on the telemetry available to Darktrace, a wide range of malicious activities were identified in the cases investigated, including the malicious use of administrative credentials, the download of suspicious files, and network scanning.
These activities included the download of suspicious files such as “DeElevate64.exe” and “DeElevator64.dll” potentially used by attackers to sideload backdoors into infected systems. The suspicious hostname DESKTOP-1JIMIV3 was also observed and appears to be associated with a remote computer name seen accessing compromised accounts. These activities are far from exhaustive, and many more will undoubtedly be uncovered as threat actors evolve.
Fortunately, Darktrace was able to swiftly detect and respond to suspicious network activity linked to the latest Ivanti vulnerabilities, sometimes even before these vulnerabilities were publicly disclosed.
Credit to: Nahisha Nobregas, Senior Cyber Analyst, Emma Foulger, Principal Cyber Analyst, Ryan Trail, Analyst Content Lead and the Darktrace Threat Research Team