Catalin Cimpanu, writing for ZDNet: Attacks on Citrix appliances have intensified this week, and multiple threat actors have now joined in and are launching attacks in the hopes of compromising a high-value target, such as a corporate network, government server, or public institution. In a report published today, FireEye says that among all the attack noise it’s been keeping an eye on for the past week, it spotted one attacker that stuck out like a sore thumb. This particular threat actor was attacking Citrix servers from behind a Tor node, and deploying a new payload the FireEye team named NotRobin. FireEye says NotRobin had a dual purpose.

First, it served as a backdoor into the breached Citrix appliance. Second, it worked similar to an antivirus by removing other malware found on the device and preventing other attackers from dropping new payloads on the vulnerable Citrix host. It is unclear if the NotRobin attacker is a good guy or a bad guy, as there was no additional malware deployed on the compromised Citrix systems beyond the NotRobin payload. However, FireEye experts are leaning toward the bad guy classification. In their report, they say they believe this actor may be “quietly collecting access to NetScaler devices for a subsequent campaign.”

Source: Slashdot