People use a VPN service to make themselves invulnerable to attack. Often, VPN users are people for whom a data disaster could have large-scale consequences. That’s why businesses, and people who handle sensitive information for customers or clients, often opt for a commercial VPN service – one hack can destroy their entire livelihood.
Users who placed their trust in Citrix were largely disappointed when a highly problematic vulnerability was discovered and publicly disclosed in January of 2020. The affected VPN servers were used by businesses, government institutions, and the United States Army. The impacted businesses and institutions have not yet disclosed how (if at all) they were negatively affected by the exploit, and Citrix is attempting to put a band-aid on the problem.
The discovered vulnerability was within Citrix’s Application Delivery Controller and the related Gateway VPN servers, of which there are tens of thousands. The flaw was embarrassingly glaring, and easy enough for hackers to jump on immediately. It allowed anyone to remotely access and execute code on these gateways, without login credentials, using only a Web request, rendering Citrix’s VPN a virtual playground for malicious strangers. This vulnerability is similar to the previously discovered vulnerability in Pulse Secure VPN, which led to targeted ransomware attacks.
Essentially, a hacker can remotely use two HTTP requests to trick the Apache server into directing them to the “/vpns/” directory without a login. The first request fails, but its response returns a template into which an attacker can inject a command.
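The defensive counterpart to the request pattern described above is to look for it in the gateway's own web logs: any request whose decoded path reaches "/vpns/" without an authenticated session is worth a look. The script below is an added example, not code from the original post, from Citrix or from TorGuard. It assumes an Apache combined-log layout with one extra quoted cookie field, assumes the session cookie is named NSC_AAAC, and runs over constructed sample lines (every address, timestamp and path is made up for the example). It URL-decodes paths a bounded number of times so that an encoded form of the directory name is not missed.

```python
"""Added example (not code from the original post, Citrix or TorGuard):
a small log-triage script that flags HTTP requests reaching a Citrix
ADC/Gateway's "/vpns/" path without an authenticated session.  The log
lines are constructed samples in Apache combined-log style with one extra
quoted cookie field; that layout, the cookie name NSC_AAAC and every
address and path are assumptions made for this example."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log with a trailing quoted cookie field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Name of the gateway's session cookie (assumed for this example).
SESSION_COOKIE = "NSC_AAAC="

# Constructed sample traffic; no line is real.  Two requests from
# 198.51.100.77 reach /vpns/ with no session cookie, the second one
# URL-encoded; 203.0.113.5 reaches it with a session and is not flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "NSC_AAAC=abc123"
203.0.113.5 - - [11/Jan/2020:03:14:09 +0000] "GET /vpns/portal/ HTTP/1.1" 200 891 "-" "Mozilla/5.0" "NSC_AAAC=abc123"
198.51.100.77 - - [11/Jan/2020:03:20:11 +0000] "GET /vpns/ HTTP/1.1" 404 312 "-" "python-requests/2.22" "-"
198.51.100.77 - - [11/Jan/2020:03:20:12 +0000] "POST /vpns%2Fportal/ HTTP/1.1" 200 95 "-" "python-requests/2.22" "-"
192.0.2.9 - - [11/Jan/2020:04:01:55 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 7400 "-" "Mozilla/5.0" "-"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path, max_rounds=3):
    """URL-decode repeatedly (bounded) so encoded forms of /vpns/ are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_unauthenticated_vpns_hit(rec):
    """True when the decoded path reaches /vpns/ and no session cookie is present."""
    path = decode_path(rec["path"]).lower()
    has_session = SESSION_COOKIE in rec["cookie"]
    return "/vpns/" in path and not has_session


def triage(log_text):
    """Return (flagged_requests, hits_per_ip) for a block of log text.

    flagged_requests is a list of (ip, decoded_path, status) tuples in log order.
    """
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than abort the whole run
        if is_unauthenticated_vpns_hit(rec):
            flagged.append((rec["ip"], decode_path(rec["path"]), int(rec["status"])))
    per_ip = Counter(ip for ip, _, _ in flagged)
    return flagged, dict(per_ip)


if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for ip, path, status in hits:
        print(f"{ip} -> {path} ({status})")
    print("requests per source:", per_ip)
```

The status code is kept in the output deliberately: the post describes a first, failing request followed by a second one, so a source that produces a non-2xx hit on "/vpns/" immediately followed by a successful one is the sequence to prioritise when reviewing the flagged list.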
The Attacks that Transpired
The attacks impacted private corporations, hospitals, numerous government and military offices, and just about every kind of establishment with an extreme need for privacy to protect sensitive information. So far, the servers being attacked have seen relatively low levels of impact. One attacker built a virtual fence to keep other attackers out, removed their malware, and set up an exclusive backdoor for themselves. Other attacks involve entry-level malware like cryptocurrency mining software designed to run off the compromised server’s resources.
When a similar situation occurred with Pulse Secure’s VPNs last year, ransomware attackers and data thieves had a field day. There’s no way to tell what’s currently going on in the shadows, since more than 25,000 servers are still affected.
Patching the VPN
Following the disclosure of the vulnerability, Citrix released information on how its clients can reduce their risk of being attacked or exploited. The company has frantically scrambled to release temporary patches, with a more permanent fix made available around January 20th. Research by Bad Packets shows that tens of thousands of servers have yet to be patched, leaving them open as lingering, easy targets.
Even though a fix has been released, it may be too late for some companies and institutions. Any data intercepted or stolen by hackers cannot be retrieved or undone, leaving Citrix’s clients to pick up the pieces and put together a recovery strategy. Since there was a window of several days between the announcement of the discovery and the temporary patch, competent hackers will have had time to catch wind of the situation and make any moves they saw fit. We’re still unaware of the extent of the aftermath.
Use a Reliable VPN
If you’ve lost trust in Citrix, TorGuard VPN is still here. We offer both personal and business VPN solutions. Our team ruthlessly tests our systems and provides support every day, remaining available around the clock to prevent flaws and