Using AI to detect a bitcoin mining campaign leveraging Citrix Netscaler vulnerabilities

Max Heinemeyer, Director of Threat Hunting | Monday January 27, 2020

Over the last 14 days, Darktrace has detected at least 80 different customers all targeted by the same CVE-2019-19781 vulnerability — affecting the Citrix ADC (Citrix Application Delivery Controller) and Citrix Gateway solution for public cloud. Customers operating Darktrace Antigena in ‘active mode’ have all seen that this attack was neutralized within seconds.

According to the National Cyber Security Centre, the exploitation of this vulnerability allows an ‘unauthenticated attacker to perform arbitrary code execution’. While Citrix has released mitigation advice, patches are just being rolled out. This unfortunately left a critical window of time, during which the attackers could exploit the vulnerabilities. However, Darktrace’s immune system technology can effectively halt the attack and contain the damage.

This blog post outlines the attack lifecycle of a campaign exploiting the Citrix vulnerabilities to download crypto-mining malware. It is interesting to see how quickly the cyber-criminals weaponized the Citrix exploits with crypto-mining payloads for generating profit. It shows that AI-powered Autonomous Response is pivotal in today’s fast-moving threat landscape, where patches might not be available or might take weeks to install safely.

Breaking down the attack lifecycle

The following description of the observed attack stages demonstrates how Darktrace Antigena’s independent and immediate action stops the attack in its tracks, provides visibility of the complete attack lifecycle, and significantly reduces security teams’ investigation time into this activity.

  1. Darktrace’s detection capabilities highlight the steps taken by exploited Citrix Netscaler devices executing shell commands.
  2. These devices begin by receiving HTTP POST requests to URIs that are vulnerable to directory traversal attacks, for example /vpn/…/vpns/cfg/smb.conf. This is visible in the details provided by Darktrace in Figure 1.

Figure 1: A screenshot of the requests on a particular device

  3. These POST requests are followed by high-confidence alerts created by Darktrace. The alerts were very similar regardless of the target, because the attack behavior was the same in every affected organization.
  4. Code execution is triggered, leading to the download of shell scripts and other malware with the end goal of running crypto-mining malware.
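As an added illustration of the second stage above (example code, not from the post or from Darktrace), the following Python script scans access-log lines from a gateway for requests whose decoded path combines a traversal segment with the /vpns/ tree, which is the shape of the requests described above. The log layout, the sample lines and the client addresses are constructed for the example; the check percent-decodes repeatedly so that encoded and double-encoded dot sequences are caught, which a plain substring search for "../" would miss.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Citrix or Darktrace output), in the
# layout: client_ip method raw_uri status. The traversal path mirrors the
# /vpn/…/vpns/cfg/smb.conf URI named in the post; the encoded variants are added
# to show why decoding before matching matters.
SAMPLE_LOG = """\
10.20.0.5 GET /vpn/index.html 200
10.20.0.5 POST /vpn/../vpns/cfg/smb.conf 200
203.0.113.7 POST /vpn/%2e%2e/vpns/cfg/smb.conf 200
10.20.0.9 GET /vpns/cfg/help.txt 404
203.0.113.7 GET /vpn/%252e%252e/vpns/cfg/smb.conf 200
"""

# A ".." path segment bounded by a slash or backslash, or by the start/end of the path.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def decode_path(raw_uri: str) -> str:
    """Strip the query string and percent-decode repeatedly so that double-encoded
    sequences such as %252e%252e also collapse to '..'."""
    path = raw_uri.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_vpns_traversal(raw_uri: str) -> bool:
    """True when the decoded path contains a traversal segment AND reaches into the
    /vpns/ tree, the combination that characterized the observed requests."""
    path = decode_path(raw_uri)
    return bool(TRAVERSAL.search(path)) and "/vpns/" in path.lower()


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 4:
        return None
    client_ip, method, raw_uri, status = parts
    return {"src": client_ip, "method": method, "uri": raw_uri, "status": int(status)}


def find_exploit_attempts(log_text: str):
    """Return one record per request matching the traversal-into-/vpns/ pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_vpns_traversal(rec["uri"]):
            rec["decoded"] = decode_path(rec["uri"])
            hits.append(rec)
    return hits


def triage(hits):
    """Group matches by source address. POSTs are counted separately because the
    post describes POST requests as the step that precedes code execution."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["src"], {"requests": 0, "post_requests": 0})
        entry["requests"] += 1
        if h["method"] == "POST":
            entry["post_requests"] += 1
    return summary


if __name__ == "__main__":
    matches = find_exploit_attempts(SAMPLE_LOG)
    for h in matches:
        print(f'{h["src"]} {h["method"]} {h["uri"]} -> {h["decoded"]}')
    print(triage(matches))
```

Running the script flags three of the five constructed lines and attributes them to two source addresses; the request to /vpns/cfg/help.txt is left alone because it contains no traversal segment, which keeps legitimate traffic to that tree out of the alert.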

Some of the high-confidence alerts are:

  • Compromise / High Volume of Connections with Beacon Score – used to identify command and control traffic
  • Compliance / Pastebin – triggers during suspicious and unusual Pastebin activity
  • Compliance / Crypto Currency Mining Activity
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint – indicating unsuccessful command and control traffic attempts
  • Anomalous File / Script from Rare External – indicating the download of a script file from a location on the internet that is not commonly visited by the targeted organization (often this is the initial infection or a later-stage payload)

In one example, a gateway device was seen downloading a shell script from a rare external endpoint in Russia, with a /ci.sh URI.

Figure 2: Darktrace’s Threat Visualizer showing an endpoint with 100% rarity

Next, compromised devices have been observed downloading an executable file from Ukraine (http://217.12.221[.]12/netscalerd), containing an ELF:BitCoinMiner Malware, triggering the cryptocurrency mining and command and control beaconing alerts.

Figure 3: The Anomalous File / EXE from Rare External Location alert triggered by C2 traffic

Figure 4: Darktrace showing further details about the downloaded malware

An immediate response

However, Darktrace Antigena kicks in as the machine defender, eliminating the incoming threat by blocking miner file downloads and activity for about a day. This offers the customer ample time to react to this anomalous activity and halts the malware’s spread to other devices. Intervening with surgical precision, Antigena stops the malicious activity while allowing normal business processes to continue.

Figure 5: Chronological sequence (bottom to top) of alerts and Antigena actions on the vulnerable device

Lessons for the future

The exploitation of Citrix ADC’s vulnerability has understandably caused concern across the security community. Based upon the accumulation and nature of alerts triggered, the malware aims to mine cryptocurrency, like so many other campaigns these days.

On the other hand, and perhaps more importantly here, this recently discovered vulnerability strengthens the case for Autonomous Response and its proven ability to prevent novel attacks.

At Darktrace we are often asked how we detect zero-day exploits. Every stage in the attack lifecycle – from the execution of Pastebin-sourced commands to performing internal reconnaissance and mining crypto with impunity – involved behavior that in some way deviated from the Enterprise Immune System’s learned ‘pattern of life’. Antigena neutralized these attacks without relying on pre-defined blacklists, and no new detections were created. By leveraging Cyber AI, the Bitcoin malware using the Citrix vulnerabilities was instantly contained – before any damage could be done to the customer.

Indicators of compromise

  • 185.178.45[.]221 (hosting malicious shell scripts)
  • 92.63.99[.]17 (mining pool)
  • 217.12.221[.]12 (hosting malware)
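To show how the two signals this post relies on fit together, matching against the indicators listed above and scoring endpoint rarity (the basis of the "Script from Rare External" alert and the "100% rarity" endpoint in Figure 2), here is an added Python example that is not Darktrace code. It takes the three indicators exactly as listed above, a constructed baseline of which internal devices contacted which external endpoints during the learning window, and constructed connection events that include the /ci.sh and /netscalerd downloads named in the post. The device names, the baseline addresses, the MIME types used to recognize scripts and executables, and the rarity formula itself are assumptions for the example.

```python
from collections import defaultdict

# IoCs exactly as listed in the post (defanged with "[.]"); refang() restores the
# dotted form so they can be compared with connection records.
IOC_IPS = {
    "185.178.45[.]221": "hosting malicious shell scripts",
    "92.63.99[.]17": "mining pool",
    "217.12.221[.]12": "hosting malware",
}

# Assumed MIME types used to recognize script and executable downloads; a real
# deployment would inspect file magic rather than trust a header.
SCRIPT_TYPES = {"text/x-shellscript", "application/x-sh"}
EXEC_TYPES = {"application/x-executable", "application/octet-stream"}

# Constructed baseline of (device, dst_ip) pairs from the learning window: thirty of
# forty devices regularly contact 198.51.100.20 and nothing else has been seen.
TOTAL_DEVICES = 40
BASELINE = [(f"ws-{n:02d}", "198.51.100.20") for n in range(30)]

# Constructed new connection events for one gateway and one workstation. The
# /ci.sh and /netscalerd URIs are the ones named in the post; the rest is made up.
EVENTS = [
    {"device": "gw-01", "dst_ip": "185.178.45.221", "uri": "/ci.sh", "content_type": "text/x-shellscript"},
    {"device": "gw-01", "dst_ip": "217.12.221.12", "uri": "/netscalerd", "content_type": "application/x-executable"},
    {"device": "gw-01", "dst_ip": "92.63.99.17", "uri": None, "content_type": None},
    {"device": "ws-12", "dst_ip": "198.51.100.20", "uri": "/update.sh", "content_type": "text/x-shellscript"},
    {"device": "ws-12", "dst_ip": "203.0.113.50", "uri": "/tool.sh", "content_type": "text/x-shellscript"},
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a plain address."""
    return indicator.replace("[.]", ".")


IOC_LOOKUP = {refang(ip): description for ip, description in IOC_IPS.items()}


def build_rarity(baseline, total_devices):
    """Return rarity(dst_ip): 1.0 when no device contacted the endpoint during the
    baseline window, 0.0 when every device did. This is a simple approximation of
    the rarity concept in the post, not Darktrace's actual scoring."""
    seen = defaultdict(set)
    for device, dst_ip in baseline:
        seen[dst_ip].add(device)

    def rarity(dst_ip: str) -> float:
        return 1.0 - len(seen.get(dst_ip, ())) / total_devices

    return rarity


def classify(event, rarity, rare_threshold=0.95):
    """Collect the reasons an event deserves an alert; an empty list means benign."""
    reasons = []
    if event["dst_ip"] in IOC_LOOKUP:
        reasons.append(f"IoC match: {IOC_LOOKUP[event['dst_ip']]}")
    r = rarity(event["dst_ip"])
    if r >= rare_threshold:
        if event.get("content_type") in SCRIPT_TYPES:
            reasons.append(f"script from rare external (rarity {r:.2f})")
        elif event.get("content_type") in EXEC_TYPES:
            reasons.append(f"executable from rare external (rarity {r:.2f})")
    return reasons


def analyze(events, baseline=BASELINE, total_devices=TOTAL_DEVICES):
    """Run every event through the IoC and rarity checks and return the alerts."""
    rarity = build_rarity(baseline, total_devices)
    alerts = []
    for ev in events:
        reasons = classify(ev, rarity)
        if reasons:
            alerts.append({"device": ev["device"], "dst_ip": ev["dst_ip"],
                           "rarity": round(rarity(ev["dst_ip"]), 2), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The last two events make the point of the rarity check: the script fetched from 198.51.100.20 is ignored because three quarters of the estate already talk to that address, while the script from 203.0.113.50 raises an alert even though that address is on no indicator list, which is the kind of endpoint a signature-only approach would miss.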

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.