Security: brace for impact
Jeroen Mulder
Principal Consultant and Regional Distinguished Engineer at Fujitsu | Author | Member City Council Emmen (NL) … and fighting Mr. Parkinson
A very interesting week. That’s probably the best way to describe this third week in January. If this week is an omen for the whole year to come, then we had better start bracing ourselves. Big trouble is coming in terms of internet security (note: I really hate the term cyber security… I’m not Robocop and our world is not Star Wars, hence I will refer to internet or IT security).
In the Netherlands we started the year with a major ransomware case. One of our universities got hit by Clop and, though not confirmed - nor denied - it’s very likely that the university did not see any other option than paying the criminals responsible for encrypting the entire environment of the institution. Just one week after this event Travelex was the next victim, also because of an attack with ransomware.
Travelex is still down. The website on travelex.com only mentions that it “contained the virus and are working to restore our systems and resume normal operations as quickly as possible.”
Then we reached the date of January 14: the drop-dead date for Windows 7, Windows Server 2008 and 2008 R2. It’s something that we have seen coming for years, yet a lot of companies still run environments with these operating systems. On the same date a number of serious vulnerabilities (CVEs) in Microsoft products were issued, rated ‘high risk’ by e.g. our own National Cyber (yep… there it is) Security Center (NCSC). It concerned CVE-2020-0601 in Windows CryptoAPI and CVE-2020-0609, -0610 and -0612 in Windows RDP. Microsoft published patches to fix these vulnerabilities, which already meant quite some work this week.
Just as we thought that this was enough, all hell broke loose when a CVE in Citrix ADC (Application Delivery Controller) and NetScaler was filed under number CVE-2019-19781 – with exploits in the wild. The threat was so serious that the NCSC advised all Dutch institutions and enterprises to shut down their NetScalers, especially since a hastily released patch did not work.
The code that revealed the CVE – as found by Mikhail Klyuchnikov – was published on GitHub (https://github.com/mpgn/CVE-2019-19781). Jaw-droppingly easy… Only two requests are needed to execute the exploit. Impact: huge.
An article by fireeye.com (January 16th) was even more disturbing. They discovered a package under the name NOTROBIN. “Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.”
NOTROBIN. Funny name, isn’t it? Well, the author behind NOTROBIN pretends that he’s actually cleaning up malware and doing good, so to say. However: “FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027. NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.” – (Read the full article on https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html.)
Now, this is all bad enough, but what really surprised me is the fact that Citrix itself stated on its website that it would have a definitive patch on January 27th. Ten days from now. So, what do we do in the meantime? Leave the appliances on and, with that, take an immense risk of breaches? I would like to meet the security officer who wouldn’t have a problem with that.
Shut it down. Sounds easy, right? But here’s the problem: we have made IT so complex that shutting down an application or a server is not easy at all. Next, we have invented solutions that try to make IT less complex – or at least make it look less complex. The ADC and NetScaler solution is a perfect example of just that. It combines a lot of functions: gateway, load balancing, proxy, reverse proxy, firewall. In Citrix’s own words: “NetScaler delivers scalable solutions that combine L4-7 load balancing, high-speed data compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into a single, easy-to-use platform.”
Basically, it can do it all. And it’s all code.
Back in the old days of IT you would have a firewall, switches, a load balancer and a proxy server. Now we have one box with a lot of code taking care of all these functions.
The issue is that if something goes wrong, you lose all that functionality in one go. Your load balancing, your firewall, your proxy… all down. Either your environment and your data get compromised, or, by taking the device out, the environment becomes unavailable, since without that protection you have no choice but to take these services offline as well.
Complexity rules in today’s IT. Getting back to my remark on Windows 7 and Server 2008/2008 R2: we saw it coming. We knew for years that on January 14, 2020 Microsoft would stop supporting these systems. No more updates from that date onward. Still, a lot of servers and end-user devices run these old operating systems. Tough luck; you should have taken care of it a long time ago.
Way too easy. Of course there are companies that simply accepted the risk, but I come across customers that do have valid reasons for postponing updates and upgrades over and over again. The most important reason is that they run critical applications that won’t run on newer operating systems or require very specific settings in the OS – settings that might not be available in new versions (in the same way). Is that a valid reason? Yes. I do understand the anxiety about changing these applications from a business perspective. They will still have to work on a solution, fair enough.
Ah. The cloud!
That won’t take away the complexity. Even SaaS won’t do that. SaaS solutions too will require integration into your landscape: security settings, authentication and authorization, connectivity and routing. The one thing you needn’t worry about with SaaS is updates. True.
But since enterprises run a variety of solutions fitting their business needs, we are bound to have updates and upgrades on a frequent basis. With the ever-increasing complexity of IT, these will be more and more security related. Indeed: brace yourselves. Much more to come.
Sr manager CIO Office Schiphol Group | Digital & agile leadership | CTO/CIO | Cyber security | Lecturer | IT Leadership & Advisory
Very good blog post Jeroen. Unfortunately several organizations do not have sufficient overview of their architecture and assets including software and firmware versions. Life cycle management and staying current is extremely important, but indeed not always easy because of legacy apps dependencies. In many cases there is no governance setup on staying current. CIOs need to put this in place and should be reviewing life cycle management reports. In my view they should also sign an annual IT in control statement. It does not solve all issues, but it makes you more resilient.
Actually in this case where the computer must say no... It says Yes!