Ragnorak and Eternal Blue Exploit CVE-2019-19781

Ragnorak, Eternal Blue and CVE-2019-19781

This report is about a ransomware campaign using Ragnorak that utilizes the heavily reported vulnerability CVE-2019-19781 to access and infect networks. The campaign also uses the well-known vulnerability referred to as Eternal Blue to infect internal hosts.

This is the second notable malware campaign to utilize the Citrix vulnerability (CVE-2019-19781) which should be concerning for IT staff. 

Contextual Information: 

• For more context, see the previously written threat intel report (TIR) regarding CVE-2019-19781. 
• For information about other threats utilizing CVE-2019-19781, see our previous threat intel report (TIR) on the NOTROBIN malware.

Tactics, Techniques, and Procedures 

Ragnorak has been utilized in other campaigns in the past. The method of entry for this campaign is a successful exploitation attempt of CVE-2019-19781 targeting Citrix Gateway products running the 12.x or 13.x software versions. Once the exploit is successful, it sends out a cURL request to a malicious host and downloads a shell script called ld[.]sh. The shell script checks whether python is installed and then creates a directory where it’ll host other malware. The shell script downloads two files using cURL: piz[.]Lan and de[.]py. The Python script de[.]py will stage future malicious actions and initiate the enumeration/further exploitation process. 

There are a few notable files that will get downloaded inside a zip archive after de[.]py starts: 

• X86.dll – targets 32-bit systems and acts as a downloader. 
• X64.dll -- targets 64-bit systems and acts as a downloader. 
• Scan.py – Python-based socket scanner. 
• Two exploit replay files (one targeting systems running Windows XP). These replay files are built to exploit the Eternal Blue vulnerability (CVE-2017-0144). 

The Python script unzips the important files listed above and scans (using scan.py) the network for both vulnerable Windows Vista and Windows XP machines. Once a vulnerable system is identified, the replay files reach out to the host and run a certutil command using CMD or PowerShell to download a “patch” file which gets saved as an executable. Another certutil command is run to delete the URL cache removing the evidence. The executable gets activated starting the encryption on the targeted host and displays a ransom note. 

Impact 

A successful attempt could result in the compromise of your outward-facing Citrix infrastructure resulting in a bad actor being able to enumerate internal resources. There's a strong possibility that hosts vulnerable to Eternal Blue (CVE-2017-0144) will be encrypted by ransomware. This could lead to data loss if proper backups aren’t available. 

Recommendation for Protecting Against Ragnorak

It’s highly encouraged that you look for the following IOCs in your environment: 

Detection IOCs: 

• Use of certutil.exe downloading content from the IP address of 45.120.53[.]214. 
• Using Curl to download a shell script from the hosts 45.120.53[.]214 or 198.44.227[.]126. 
• Eternal Blue is actively being used in the environment. 
• Meterpreter sessions when a pen test isn’t occurring. 
• Communication going outbound to the IP address 45.120.53[.]214 over TCP port 1234. 
• Communication with the IP address of 198.44.227[.]126. 

Use the FireEye blog post linked below to look for IOCs you can add to your blocklist.

It’s highly recommended that you do the following:

• Update your Citrix edge devices using one of the patch links below. 
• Monitor for network connections using TCP ports 81 and 1234 especially, if they’re reaching out to external resources. 
• Utilize PowerShell and CMD logging to ensure that records are kept of all commands being executed in your environment.
• Consider looking into piping those logs into your SIEM of choice. 
• Implement preemptive blocks using the IOC list found in the FireEye blog post linked below.

There is a compromise scanner that may help detect any successful penetration of your Citrix infrastructure so, consider using the scanner which is linked below (see GitHub link). Make sure you’ve run the MS17-010 patch to ensure you aren’t vulnerable to the Eternal Blue exploit (see Microsoft patch linked below). 

Sources 

IBM X-Force Exchange: 

• https://exchange.xforce.ibmcloud.com/collection/Attempted-Ransomware-Infection-via-Citrix-Vulnerability-3a9c5a9cdc3d8249350cf0da2eaa8ee8 

Supporting Documentation: 

• FireEye Blog Post: https://www.fireeye.com/blog/threat-research/2020/01/nice-try-501-ransomware-not-implemented.html 
• CVE-2019-19781 Compromise Scanner: https://github.com/citrix/ioc-scanner-CVE-2019-19781 
• Microsoft Patch for Eternal Blue: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 
• Citrix Links: 
  • Citrix Patches: 
    • SD-WAN: https://www.citrix.com/downloads/citrix-sd-wan/ 
    • ADC: https://www.citrix.com/downloads/citrix-adc/ 
    • Citrix Gateway: https://www.citrix.com/downloads/citrix-gateway/ 
  • Original Citrix Post: https://support.citrix.com/article/CTX267027 
  • Mitigation Commands: https://support.citrix.com/article/CTX267679

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed detection and response service capabilities.