I devoted a bit of time over the weekend looking at honeypots for this vulnerability, then decided that by the time I’d identified and blocked scanning IPs, it would probably be too late to actually block anything. If you run Citrix gateways, take a look at this webcast from SANS…:
Late last month Citrix disclosed a critical security hole (CVE-2019-19781) in both its Application Delivery Controller and Unified Gateway (formerly known as Netscaler ADC and Netscaler Gateway) offerings. Up to 80,000 systems were thought to be at risk, with some 25,000 instances found online over the weekend.
Those admins who haven’t put mitigations in place by now will want to make sure they address their situation immediately, as infosec researchers have now publicly shared working exploit code for the remote takeover bug. The proof-of-concept code can be used to trivially achieve arbitrary code execution with no account credentials – hijack systems, in other words – via a directory traversal.
People’s honeypots are being actively attacked, so if you haven’t put the mitigations in place by now, and you have vulnerable systems facing the internet, you were probably hacked over the weekend by miscreants mass-scanning the ‘net for machines to compromise. A thread tracking technical aspects of the vulnerability is here.
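If you want to know whether your own gateway was probed before the mitigation went in, the log is the place to look. The script below is an added example, not code from the post or from Citrix: it walks constructed Apache-style access log lines, URL-decodes each request path (twice, so `%2e%2e` and double-encoded variants are caught), flags requests that carry a `..` segment under the `/vpn/` tree, and tallies the offending source addresses so they can be fed to a blocklist. The `/vpn/../vpns/` indicator is the traversal pattern reported publicly for this CVE and is an assumption here; the post itself only says "directory traversal". The log lines are made up.

```python
"""Flag path-traversal probes against a Citrix ADC / Gateway in web access logs
and tally them by source IP.  Added example; the sample log lines are constructed
and the /vpn/../vpns/ indicator is assumed from public reporting, not from the post."""
import re
from collections import Counter
from urllib.parse import unquote

# Common/combined log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' path segment, checked after decoding so encoded dots cannot hide it.
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')

# Constructed sample log (not real traffic).  Two sources probe with traversal,
# one of them with percent-encoded dots; the last two lines are normal portal hits.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 912
203.0.113.5 - - [11/Jan/2020:03:14:08 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.7 - - [11/Jan/2020:03:15:22 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 912
192.0.2.10 - - [11/Jan/2020:03:16:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 4711
192.0.2.11 - - [11/Jan/2020:03:16:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8100
"""


def is_traversal_probe(path: str) -> bool:
    """True if the request path, once URL-decoded (twice, to defeat double
    encoding), sits under /vpn/ and contains a '..' segment."""
    decoded = unquote(unquote(path.split('?', 1)[0]))
    return decoded.startswith('/vpn/') and bool(TRAVERSAL.search(decoded))


def scan(log_text: str):
    """Return (hits, by_ip): hits is a list of (ip, method, raw_path, status)
    for suspicious requests; by_ip counts hits per source address."""
    hits = []
    by_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_traversal_probe(m['path']):
            hits.append((m['ip'], m['method'], m['path'], int(m['status'])))
            by_ip[m['ip']] += 1
    return hits, by_ip


if __name__ == '__main__':
    hits, by_ip = scan(SAMPLE_LOG)
    for ip, method, path, status in hits:
        print(f'SUSPECT {ip} {method} {path} -> {status}')
    # A 200 on a traversal request means the appliance served the file:
    # treat that host as compromised, not merely scanned.
    print('sources to block:', sorted(by_ip))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. Note what the author of the post concluded still holds: the source list this produces tells you who got there first, not who to block next, so it is a triage aid alongside the vendor mitigation rather than a substitute for it.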