The rapid move to the cloud and to remote work prompted by the COVID-19 pandemic is creating dynamic work environments that promise to drive new levels of productivity and innovation. But it has also opened the door to a host of new security and reliability concerns and sparked a significant increase in cyberattacks.
The Federal Bureau of Investigation has reported a 400% increase in the number of cyberattack complaints since the pandemic began and more workers have had to access corporate resources remotely.
To help companies defend themselves, Citrix is introducing two new workspace security solutions designed to secure access and protect applications wherever work needs to get done.
“Organizations are struggling with solutions designed for defending static perimeters in today’s dynamic enterprise environments, and there is a critical need for a new approach,” said John Grady, cybersecurity analyst at independent research firm ESG.
“Organizations expect improved security, performance, and efficiency through solutions that provide centralized management and distributed enforcement across the entire environment.”
A unified approach
Citrix delivers on this through an application-centric approach that starts with the digital workspace. In a single solution, Citrix combines a full cloud-delivered security stack integrated with identity-aware Zero Trust Network Access (ZTNA) and an application-aware SD-WAN that allows companies to deliver cloud and Internet-based applications securely with high performance and reliability across work environments.
With the two new secure access offerings announced today, companies can accelerate their journey to a Secure Access Service Edge (SASE) and future-proof their security investments:
- Citrix Secure Internet Access – A comprehensive, global cloud security service that addresses the security requirements of modern enterprises. This includes secure web gateway, next-generation firewall, cloud access security broker (CASB), DLP, sandboxing and AI-driven attack detection.
- Citrix Secure Workspace Access – A VPN-less solution that delivers zero trust access to corporate web and SaaS applications accessed from managed and BYO devices.
Complemented by Citrix SD-WAN, the solutions – which can be purchased and used separately or together – also plug and play with third-party SD-WAN infrastructure, enabling companies to maximize their existing investments.
“Modern enterprises require an intelligent approach to workspace security that protects employees, following the Zero Trust model, without getting in the way of their experience,” said Fermin Serna, Chief Information Security Officer, Citrix. “And that is what Citrix digital workspace security solutions are uniquely designed to deliver.”
A recent survey of IT decision makers conducted by Pulse and Citrix confirms this notion. Of 100 executives and managers polled in North America, Europe, the Middle East, Africa and the Asia Pacific region, 97 percent cited employee experience as a key influence on their security strategy. And 75 percent said they are looking to improve the user experience through their design and execution.
In embracing Citrix’s approach to security, companies can:
- Enhance security and productivity through identity-aware, zero trust access to all cloud and internet-based applications and virtual desktops.
- Leverage machine learning and artificial intelligence to provide real-time insights into user behavior and automate the process of preventing cybersecurity breaches – all while maintaining a reliable digital workspace experience for employees.
- Identify specific security incidents, atypical activity and policy violations using built-in forensics and detailed search into all traffic and user behavior.
- Protect against threats everywhere, leveraging more than 100 global points-of-presence, powered by over 10 threat intelligence engines.
- Provide full coverage for all popular Cloud and SaaS properties, devices and operating systems, leaving no gap for access security coverage.
- Deliver consistently fast application performance regardless of network availability with built-in SD-WAN, application optimization and peering with thousands of SaaS services.
And many are on the path to doing so.
“We are adopting more of the public cloud (IaaS, SaaS and hosted Apps), and we need resilient and secure channels that allow us to access them in an innovative and integrated way and ensure a consistent user experience,” said Sriram Sitaraman, Chief Information Officer, Synopsys.
“With Citrix Workspace, we have started to move beyond traditional VPN solutions and now provide our employees and partners with zero trust and secure access to their infrastructure on corporate managed or BYO devices. And we can do it all within a single pane of glass, while maintaining a superior employee experience, which is very appealing.”
Citrix builds the secure, unified digital workspace technology that helps organizations deliver a consistent, secure and reliable experience that empowers people to do their best work, wherever work needs to get done.
Work today is happening everywhere on everything from corporate issued laptops and mobile devices to personal tablets and even smartwatches. While this new-found freedom has given a major boost to productivity and innovation, it has also raised a new set of security concerns that require a more intelligent and contextual approach to address.
To help drive it, Citrix announced that it is expanding the Citrix Ready Workspace Security Program to include zero trust solutions from trusted and verified partners that will allow companies to simplify the selection of vendors and leverage their existing investments to design a modern security framework that delivers zero trust outcomes.
“In a world where the security perimeter is no longer defined by a firewall, but the Internet, companies can’t rely on traditional, VPN-based strategies that provide access based on username and passwords,” said Sridhar Mullapudi, Senior Vice President, Product Management, Citrix.
“To effectively protect apps and devices, they must shift to a zero trust model that uses contextual awareness to adaptively grant access based on user behaviors and access patterns.”
And according to a recent survey conducted by Pulse and Citrix, a majority of IT decision makers plan to do so. Of 100 executives and managers polled in North America, Europe, the Middle East, Africa and the Asia Pacific region, 74 percent said they are looking at adopting a holistic zero trust strategy spanning beyond remote access in the next 12 months.
Enabling flexibility and choice
The Citrix Ready Workspace Security Program provides a choice of leading security vendors that complement Citrix solutions, allowing people to securely work anytime, from anywhere, while simplifying how IT manages the environment, and includes offerings for:
- Identity and access management
- Monitoring and analytics
- Device and endpoint security
- Data security
- Network security
Extending context and protection
In expanding the program to include solutions that integrate with these offerings and have zero trust principles built-in, Citrix is providing extended context and an additional layer of security that make an enterprise more secure.
Partnering for success
When it comes to zero trust, there is no one-size-fits-all solution. With the Citrix Ready Workspace Security Program, companies can effectively evaluate their current security strategies and leverage existing investments to quickly design and implement a zero trust framework that delivers results.
“We’re engaging with like-minded partners who are willing to share data and insights that allow us to deliver more comprehensive and secure solutions to our customers,” Mullapudi said. Among the first partners whose solutions have been verified as Citrix Ready:
- Google Cloud
“This isn’t just about hooking into Citrix Workspace™, but products that actually communicate with each other and share essential, critical information about security that companies can use to enhance their security without getting in the way of the user experience,” Mullapudi said.
One such product is BeyondCorp Remote Access, a cloud-based solution offered by Google Cloud that helps make access to internal applications easier and more secure.
“It’s become clear that remote work will be a defining characteristic of the new normal, and modernizing security by fully embracing zero trust models is an imperative, not an option,” said Sunil Potti, VP and GM Google Cloud Security.
“Together Google Cloud and Citrix have an opportunity to usher in a better, safer normal with secure workspaces built upon a foundation of the global Google Cloud network and our layered, joint security capabilities.”
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.
“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.
The list of vulnerabilities exploited by Chinese hackers
The list is as follows:
The vulnerability list they shared is likely not complete, as Chinese state-sponsored actors may use other known and unknown vulnerabilities. All network defenders – but especially those securing critical systems in organizations on which US national security and defense depend – should consider patching these as a priority.
Mitigations are also available
If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:
- Disabling external management capabilities and setting up an out-of-band management network
- Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
- Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
- Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise
The agency also noted that patching alone does not address data that was stolen or modified before a device was patched, so password changes and reviews of accounts are a good practice.
Additional “most exploited vulnerabilities” lists
Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals; the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware; and Recorded Future published a list of ten software vulnerabilities most exploited by cybercriminals in 2019.
Admins and network defenders are encouraged to peruse them and patch those flaws as well.
The U.S. Justice Department this week indicted seven Chinese nationals for a decade-long hacking spree that targeted more than 100 high-tech and online gaming companies. The government alleges the men used malware-laced phishing emails and “supply chain” attacks to steal data from companies and their customers. One of the alleged hackers was first profiled here in 2012 as the owner of a Chinese antivirus firm.
Charging documents say the seven men are part of a hacking group known variously as “APT41,” “Barium,” “Winnti,” “Wicked Panda,” and “Wicked Spider.” Once inside of a target organization, the hackers stole source code, software code signing certificates, customer account data and other information they could use or resell.
APT41’s activities span from the mid-2000s to the present day. Earlier this year, for example, the group was tied to a particularly aggressive malware campaign that exploited recent vulnerabilities in widely-used networking products, including flaws in Cisco and D-Link routers, as well as Citrix and Pulse Secure VPN appliances. Security firm FireEye dubbed that hacking blitz “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”
The government alleges the group monetized its illicit access by deploying ransomware and “cryptojacking” tools (using compromised systems to mine cryptocurrencies like Bitcoin). In addition, the gang targeted video game companies and their customers in a bid to steal digital items of value that could be resold, such as points, powers and other items that could be used to enhance the game-playing experience.
APT41 was known to hide its malware inside fake resumes that were sent to targets. It also deployed more complex supply chain attacks, in which they would hack a software company and modify the code with malware.
“The victim software firm — unaware of the changes to its product, would subsequently distribute the modified software to its third-party customers, who were thereby defrauded into installing malicious software code on their own computers,” the indictments explain.
While the various charging documents released in this case do not mention it per se, it is clear that members of this group also favored another form of supply chain attacks — hiding their malware inside commercial tools they created and advertised as legitimate security software and PC utilities.
One of the men indicted as part of APT41 — now 35-year-old Tan DaiLin — was the subject of a 2012 KrebsOnSecurity story that sought to shed light on a Chinese antivirus product marketed as Anvisoft. At the time, the product had been “whitelisted” or marked as safe by competing, more established antivirus vendors, although the company seemed unresponsive to user complaints and to questions about its leadership and origins.
Anvisoft claimed to be based in California and Canada, but a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu in the Sichuan Province of China.
A review of Anvisoft’s website registration records showed the company’s domain originally was created by Tan DaiLin, an infamous Chinese hacker who went by the aliases “Wicked Rose” and “Withered Rose.” At the time of that story, DaiLin was 28 years old.
That story cited a 2007 report (PDF) from iDefense, which detailed DaiLin’s role as the leader of a state-sponsored, four-man hacking team called NCPH (short for Network Crack Program Hacker). According to iDefense, in 2006 the group was responsible for crafting a rootkit that took advantage of a zero-day vulnerability in Microsoft Word, and was used in attacks on “a large DoD entity” within the USA.
“Wicked Rose and the NCPH hacking group are implicated in multiple Office based attacks over a two year period,” the iDefense report stated.
When I first scanned Anvisoft at Virustotal.com back in 2012, none of the antivirus products detected it as suspicious or malicious. But in the days that followed, several antivirus products began flagging it for bundling at least two trojan horse programs designed to steal passwords from various online gaming platforms.
Security analysts and U.S. prosecutors say APT41 operated out of a Chinese enterprise called Chengdu 404 that purported to be a network technology company but which served as a legal front for the hacking group’s illegal activities, and that Chengdu 404 used its global network of compromised systems as a kind of dragnet for information that might be useful to the Chinese Communist Party.
“CHENGDU 404 developed a ‘big data’ product named ‘SonarX,’ which was described…as an ‘Information Risk Assessment System,’” the government’s indictment reads. “SonarX served as an easily searchable repository for social media data that previously had been obtained by CHENGDU 404.”
The group allegedly used SonarX to search for individuals linked to various Hong Kong democracy and independence movements, and to snoop on a U.S.-backed media outlet that ran stories examining the Chinese government’s treatment of Uyghur people living in its Xinjiang region.
As noted by TechCrunch, after the indictments were filed prosecutors said they obtained warrants to seize websites, domains and servers associated with the group’s operations, effectively shutting them down and hindering their operations.
“The alleged hackers are still believed to be in China, but the allegations serve as a ‘name and shame’ effort employed by the Justice Department in recent years against state-backed cyber attackers,” wrote TechCrunch’s Zack Whittaker.
Microsoft and Adobe observed August 2020 Patch Tuesday as expected, but many other software firms decided to push out security updates as well. Apple released iCloud for Windows updates and Google pushed out fixes to Chrome. They were followed by Intel, SAP and Citrix. Intel’s updates: It’s not unusual for Intel to take advantage of a Patch Tuesday. This time it released 18 advisories. Among the fixed flaws are DoS, information disclosure and EoP … More
The post Intel, SAP, and Citrix release critical security updates appeared first on Help Net Security.
Citrix Web App and API Protection is a new, cloud-delivered service that provides comprehensive security for applications and APIs in multi-cloud environments.
“The flexible models for work and multi-cloud application deployment that companies must now support have greatly expanded the attack surface that IT needs to defend,” said Mihir Maniar, Vice President of Product Management, Networking, Citrix. “Cloud-based security solutions are a fast, easy and cost-effective way to do this, and with the enhancements to our web application firewall offerings, we can simplify and speed the process.”
With Citrix Web App and API Protection, IT organizations of all sizes can provide holistic protection from cyber threats and enable a consistent security posture across multi-cloud environments. Built on Citrix Web App Firewall™ and enhanced with volumetric DDoS protection and expanded machine learning capabilities, the service allows IT to:
- Define application- and API-specific security to safeguard against OWASP Top 10 and zero-day attacks.
- Leverage one of the world’s largest scrubbing networks to protect applications from large DDoS attacks.
- Reduce security configuration errors and simplify visibility and governance across multi-cloud environments.
- Easily configure rules and policies and adjust them as application security requirements change.
- Secure applications fast wherever they are deployed without added infrastructure or operational complexity.
- Scale in minutes with simple license upgrades.
“Applications and APIs are among the most valuable—and vulnerable—assets a company has and protecting them has never been more challenging,” Maniar said. “Citrix is committed to providing our customers with next-generation tools to protect against both known and unknown application attacks along with intelligence that allows for faster remediation.”
Earlier this week, Citrix released security updates for Citrix Application Delivery Controller (ADC), Citrix Gateway, and the Citrix SD-WAN WANOP appliance, and urged admins to apply them as soon as possible to reduce risk.
At the time, there was no public attack code and no indication that any of the fixed flaws were getting actively exploited.
On Thursday, though, SANS ISC’s Dr. Johannes Ullrich spotted attackers attempting to exploit two of the Citrix vulnerabilities on his F5 BIG-IP honeypot (set up to flag CVE-2020-5902 exploitation attempts).
About the vulnerabilities
The fixed flaws are 11 in total, ranging from information disclosure and DoS bugs to elevation of privilege, XSS and code injection flaws.
The security advisory Citrix published lists them and lays out the pre-conditions needed for their exploitation, but does not contain many details.
“We are limiting the public disclosure of many of the technical details of the vulnerabilities and the patches to further protect our customers. Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors,” Citrix CISO Fermin Serna explained, and made sure to note that the patches provided fully resolve all issues.
He also pointed out that the 11 vulnerabilities add up to six possible attack routes, and that five of those have barriers to exploitation.
Finally, he added that the vulnerabilities have no link to CVE-2019-19781, the remote code execution flaw that has been heavily exploited by attackers since late December 2019/early January 2020.
About the recent exploitation attempts
Dr. Ullrich said that they are seeing some scans that are looking for systems that haven’t been patched yet.
“One interesting issue is that most of the scans originate from a single ISP so far, suggesting that this may be just one group at this point trying to enumerate vulnerable systems,” he told Help Net Security.
“Vulnerable systems leak information about the system if hit with these exploits. So these are not as dangerous as the code execution issues we saw with Citrix over new year, or the F5 issues. But enumerating systems, and using the leaked information may lead to additional more targeted follow on attacks later.”
One of the exploited vulnerabilities allows arbitrary file downloads, and the other allows retrieval of a PCI-DSS report without authentication.
“Some of the other vulnerabilities patched with this update are ‘interesting’, but more tricky to exploit,” he added.
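The enumeration scans described here are exactly what the “robust logging of Internet-facing services” mitigation in the CISA advisory above is meant to catch. The following is an added example (not code from Help Net Security, SANS ISC or Citrix) of the kind of first-pass triage a defender can run over an appliance's web access log: it parses combined-format log lines, flags path-traversal probes (raw, URL-encoded and double-encoded), flags sensitive resources served to requests that carried no authenticated user, and reports what share of the suspicious traffic comes from a single source /24, which is the "one ISP, one group enumerating" pattern Dr. Ullrich noted. The sample log lines are constructed for this example, and the request paths and the `/reports/` and `/admin/` prefixes are placeholders, not the real Citrix endpoints or exploit requests, which the article deliberately does not publish.

```python
import re
from collections import Counter
from ipaddress import ip_network
from urllib.parse import unquote

# Apache/nginx "combined" access-log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Raw, URL-encoded and double-encoded forms of "dot-dot" that an arbitrary-file-read probe relies on.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|\.\.%2f|%2e%2e|%252e%252e)', re.IGNORECASE)

# Hypothetical prefixes that must only ever be served to an authenticated user; stand-ins
# for whatever report/admin endpoints the appliance you are monitoring actually exposes.
SENSITIVE_PREFIXES = ("/reports/", "/admin/")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice so that %252e%252e (double-encoded "..") normalises to "..".
    rec["decoded_path"] = unquote(unquote(rec["path"]))
    return rec


def classify(rec):
    """Return the list of indicators one request trips (empty if it looks benign)."""
    hits = []
    if (TRAVERSAL_RE.search(rec["path"])
            or "../" in rec["decoded_path"] or "..\\" in rec["decoded_path"]):
        hits.append("path-traversal")
    if rec["decoded_path"].startswith(SENSITIVE_PREFIXES) and rec["user"] == "-":
        # A 200 means the server handed the resource to an unauthenticated client:
        # the system is leaking, not just being probed.
        hits.append("unauth-sensitive-read" if rec["status"] == 200 else "unauth-sensitive-probe")
    return hits


def analyze(lines, net_prefix=24):
    """Scan log lines; return per-request alerts plus which source network dominates them."""
    alerts = []
    by_net = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if not hits:
            continue
        alerts.append((rec["ip"], rec["path"], rec["status"], hits))
        net = ip_network(f"{rec['ip']}/{net_prefix}", strict=False)
        by_net[str(net)] += 1
    total = sum(by_net.values())
    top_net, top_count = by_net.most_common(1)[0] if by_net else (None, 0)
    return {
        "alerts": alerts,
        "suspicious_total": total,
        "top_source_net": top_net,
        # Share of suspicious requests from one /24; close to 1.0 suggests a single actor enumerating.
        "top_source_share": (top_count / total) if total else 0.0,
    }


# Constructed sample lines (not real traffic); the paths are placeholders, not Citrix endpoints.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Jul/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.10 - - [23/Jul/2020:10:01:03 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.11 - - [23/Jul/2020:10:01:05 +0000] "GET /download?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 404 231',
    '203.0.113.12 - - [23/Jul/2020:10:01:09 +0000] "GET /reports/pci_dss_summary.pdf HTTP/1.1" 200 88211',
    '198.51.100.7 - alice [23/Jul/2020:10:02:00 +0000] "GET /reports/pci_dss_summary.pdf HTTP/1.1" 200 88211',
    '198.51.100.9 - - [23/Jul/2020:10:02:30 +0000] "GET /admin/ HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, path, status, hits in result["alerts"]:
        print(f"{ip} {status} {path} -> {', '.join(hits)}")
    print(f"{result['suspicious_total']} suspicious requests, "
          f"{result['top_source_share']:.0%} from {result['top_source_net']}")
```

On the constructed sample this reports four suspicious requests, three of them from 203.0.113.0/24. The `unauth-sensitive-read` hit on the report file is the one that matters most: it is the appliance confirming that it served a sensitive resource without authentication, which is the point at which the post-patch password changes and account reviews CISA recommends should be triggered, not merely the patch itself.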
As governments around the world ease their lockdowns, businesses must decide how, when and if to return their employees to offices. And Citrix Systems is leveraging its decades of experience in delivering flexible work solutions to help organizations of all sizes across industries do it.
The company announced the availability of a new back-to-office solution built on Citrix Workspace that its customers and partners can use to safely transition employees back to offices, enhance their experience and wellbeing and enable them to efficiently adapt to the new world of work.
“Most companies are realizing that back to the office will not mean back to normal,” said Tim Minahan, Executive Vice President, Business Strategy, Citrix.
“Citrix has been powering flexible and secure work models for more than 400,000 global organizations within our digital workspace for more than three decades, and we are uniquely positioned to help them adapt and get back to business while putting the safety and wellbeing of their employees first.”
Delivering the next normal
Historically, the office was the place where collaboration and innovation happened. Outside meeting spaces, colleagues held casual conversations in hallways, cafeterias and gyms. But protocols designed to slow the spread of the coronavirus have changed this.
Physical office spaces must now be configured to allow for social distancing. Employee schedules have to be revised to reduce the number of people in buildings at one time. Employees are required to be screened before they enter the premises. And visitors may not be allowed.
“This is an unprecedented time,” said Jeffrey Dean, Director, Global Security and Risk Services, Citrix. “There is no blueprint for safely returning employees to the office, but with the right technology and insights, companies can create a path to drive their business forward.”
An intelligent solution designed with wellness in mind
With Citrix Workspace, companies can provide a consistent work experience that allows employees to perform at their best while addressing safety and health in the office environment.
Leveraging new back-to-office microapp capabilities within the workspace, organizations can manage vital tasks associated with re-opening offices across HR, legal, facilities and IT, such as:
- Conducting employee readiness surveys
- Identifying and managing the moments that matter most to employees upon returning to the workplace, such as where they will sit or how team and customer meetings will be handled
- Executing safety protocols
- Performing health screenings and self-certifications
- Managing occupancy to ensure social distancing
- Location mapping and contact tracing
- Designing communications strategies
When the COVID-19 pandemic hit, City National Bank of Florida (CNB), like many financial institutions, scaled back physical operations at banking center locations to keep its employees, clients and the communities it serves safe. Throughout the pandemic CNB has served clients by appointment in banking center lobbies and via drive-throughs.
“As we prepare to fully reopen these locations, it is critical that people feel safe,” said Ariel Carrion, Senior Vice President, Chief Technology Officer, City National Bank of Florida.
“The new microapp capabilities within Citrix Workspace will help us manage safety protocols on an ongoing basis and instill the confidence and trust of our employees and clients.”
Charting a new course
COVID-19 has set businesses sailing in uncharted waters. “As organizations focus on sustainable business practices, teams need to work, collaborate and lead in a highly distributed environment while increasing employee engagement,” said Shannon Kalvar, Research Manager, IT Service Management and Client Virtualization for IDC.
“The most reliable path forward will be engaging in the difficult discussions to find a path forward that both bolsters preparedness and accepts uncertainty to create a different relationship with partners, employees, and clients alike.”
To this end, Citrix has also launched a back-to-office resource center where companies can access technology demonstrations alongside templates and best practice processes, including those used by Citrix.
“People can’t do their best work if they don’t feel safe, and competitive advantage will go to organizations that recognize this and leverage technology to create environments in which employees are protected and can thrive,” Dean said.
“We at Citrix have worked closely with medical experts, public safety and community officials to build a toolkit and guidelines to bring our own employees back to the office safely, and we are happy to share these with our customers and the market at large to help them do the same.”
Citrix builds the secure, digital workspace technology that helps businesses unlock human potential, improve employee experience and drive adaptable models of work.
When remote work moved from something a few people did on occasion to a mandate for nearly all employees, companies around the world scrambled to scale up their resources and enable it. Many fell short, leaving employees to use personal devices to access the systems and information they need to do their jobs. And that’s created a gaping security hole.
To help plug it, Citrix Systems has launched App Protection, which enables companies to protect apps and data on unmanaged endpoints and ensure their corporate systems and information remain safe.
“Endpoints are the penultimate control point for the implementation of device, application, and data security. The rapid acceleration of remote work sparked by the COVID-19 pandemic and proliferation of unmanaged personal devices being used for business has created a special challenge, as decentralization is not the friend of security,” said Frank Dickson, Program Vice President, Security & Trust, IDC. “And specialized and sophisticated tools are required to overcome it.”
Dion Hinchcliffe, VP and Principal Analyst at Constellation Research – and Executive Fellow, Tuck School of Business, Center for Digital Strategies, agrees. “The recent mass global shift to remote work has in part been enabled by the ability to use available devices at hand, including unmanaged ones. Yet this has opened up a vast new cybersecurity attack surface area and put even more burdens on workers struggling to adapt to their new environment,” he says.
“App Protection provides an invaluable safety net so both workers and employers can rest assured that remote work devices are not leaking critical information, allowing everyone to focus on what matters most: a safe, secure, and productive digital workplace.”
Business is now personal
As employees around the world adjust to the new normal of working from home, many are using whichever endpoint gives them the quickest access to the resources they need to get work done. And this often includes personal devices such as laptops, tablets and phones.
“Key logging and screen capture malware are common on these endpoints and provide bad actors with easy entry to corporate networks and sensitive information,” said Eric Kenney, Senior Product Marketing Manager, Citrix.
When present on a device, key logging malware captures each key stroke entered by a user, including user names and passwords. Screen-capture malware periodically takes a snapshot of the user’s screen, saving it to a hidden folder on the device or directly uploading it to the attacker’s server where the information can be exploited. App Protection is uniquely designed to prevent this.
A blank stare
The feature thwarts keylogging and screen-capturing malware that may live on personal devices by scrambling keystrokes entered into a device, so that the attacker receives undecipherable text. It also prevents data exfiltration by screenshot malware by turning all screenshots into blank pictures.
With App Protection enabled, employees can stay productive by working on a personal, unmanaged endpoint without sacrificing security.
It’s being touted as the “new normal.” But for most companies and their employees, remote work is anything but. To help them adapt, Citrix Systems has launched Remote Works, a new virtual series designed to share tips and best practices for staying engaged and productive while working from home.
“Working from home is perhaps the biggest change in the way business is done that the world has ever seen and the speed with which it moved from an experiment to a requirement has many companies reeling,” said Tim Minahan, Executive Vice President, Business Strategy and Chief Marketing Officer, Citrix.
“At Citrix, we have been enabling remote work for more than 30 years. And we’re committed to leveraging our experience to help businesses adjust and empower their employees to be and do their best no matter where they are working.”
A unique collection of engaging podcasts, on-demand webinars and interviews, Remote Works aims to provide companies with insights into what it takes to enable and support remote work and reap the benefits it can provide.
“Companies that invest in technology to provide access to the applications and information employees need to be informed, collaborate, and get work done from anywhere in a safe and secure manner can manage resources in the dynamic way that unpredictable business environments demand and position themselves well for the future,” Minahan said.
But it takes more than just technology to keep employees engaged and productive – particularly in uncertain and challenging times like these. Recognizing this, Remote Works takes on a broad range of topics, including:
- Employee experience
- Personal productivity
- Work-life integration
- Digital wellness
- Security and reliability
- Business readiness
“Remote work is top of mind for companies around the world. And while some see it as a short-term fix to the COVID-19 problem, smart companies recognize it may be a long-term solution as they plan for what promises to be a radically different future,” Minahan said.
“The very same approaches and technologies that are helping organizations keep their employees safe and connected and their businesses running during the current crisis will provide new levels of agility to capitalize on new opportunities and thrive in the future.”
In the blink of an eye, remote work went from an experiment to a requirement. And as the results of a recent survey conducted by OnePoll reveal, work has a completely new look as employees around the world adapt to the realities of working from home.
Beds have become desks, bathrooms serve as conference rooms, kids and pets crash virtual meetings and cameras thought to be off capture awkward moments and sounds. Yet, workers remain as, if not more, productive and engaged.
The new normal is not normal
Remote work has become the new normal. But for most employees, it is anything but. “It’s interesting, funny and novel to see your co-workers in their pajamas on a video call,” says Donna Kimmel, Executive Vice President and Chief People Officer, Citrix.
“But for remote work to work, employees need to get into a repeatable rhythm so they can be and do their best wherever they happen to be.”
Remote work experiment: A new routine
With their daily commutes reduced from hours to minutes, the majority of the 2,000 US workers who participated in the research – comprised of office workers currently working from home due to the Coronavirus outbreak – are adapting their daily routines.
While 24 percent get up at the same time as they did when commuting to an office, the vast majority say they are working around a new clock:
- 25 percent sleep in a little more
- 22 percent sleep until the last possible moment they need to be online
They’ve also adjusted their personal routines and spend less time getting ready for work:
- 34 percent shower every day
- 26 percent continue to do hair/makeup/other grooming
- 15 percent shave less
And 25 percent of respondents say they can focus and get work done more quickly as a result.
Ready or not, here it comes
Few employees were ready for the abrupt remote work experiment that the coronavirus pandemic has forced. And while 82 percent of those who participated in the survey said their companies were “completely” or “fairly ready” and had the technology and infrastructure in place to enable it on short notice, they cited a number of issues that make working from home tough:
- Strict security protocols and lack of single sign-on, requiring multiple passwords and two-factor authentication to access apps (33 percent)
- Slow home broadband/Wi-Fi (33 percent)
- Lack of access to all the apps needed to get work done (23 percent)
- Slow VPN connection (16 percent)
The home as office
When it comes to remote work, technology is only a piece of the work-from-home puzzle. “In addition to providing a digital workspace that has all of the tools and data a person needs, it’s essential to create a physical one that fits individual work styles,” Kimmel says.
And the data shows employees are getting creative in doing so, as most are sharing space with others who have also been forced to work or learn from home, including:
- Partners (64 percent)
- Infants aged two and under (28 percent)
- Young children aged 3 to 12 (56 percent)
- Teenagers (13-17) (41 percent)
- Adult children (18 and over) (22 percent)
- Parents (23 percent)
- In-laws (19 percent)
- Elderly relatives (15 percent)
- Roommates (15 percent)
In addition, 14 percent of office workers reported temporarily working from their second/vacation home, 13 percent at their parents’ or in-laws’ house, and five percent are even sheltering in a hotel.
From the boardroom to the bathroom
To accommodate the schedules of their new officemates and minimize distractions, respondents said they have taken calls in unusual places:
- Their bedroom (33 percent) or their child’s room (25 percent)
- Bathroom (29 percent)
- Garage (24 percent)
- Basement (23 percent)
- Closet (17 percent)
- Attic (15 percent)
- Outside (14 percent)
Herding cats – literally
But this hasn’t prevented interruptions. Of those polled who said their children and pets have made appearances on video calls:
- Children (24 percent)
- Pets (13 percent)
- Both children and pets (29 percent)
Smile, you’re on candid camera
“I love seeing a formerly office-bound executive dive into a call in the kitchen — with shower hair, kids in the background, yet their razor-sharp savvy and perspective intact,” says Meghan M. Biro, Founder of Talent Culture.
“It’s fun to watch people be surprised by their own grit and resourcefulness. It’s also fun to keep it real. It takes some of the edge off our tremendous anxieties right now.”
But it can also lead to some awkward moments. Roughly 44 percent of workers have signed on to video meetings and not realized their cameras were on, only to be caught:
- Doing chores – cleaning, folding laundry, emptying the dishwasher, etc. (44 percent)
- In the bathroom (41 percent)
- Cooking (40 percent)
- Working out (38 percent)
- Eating (37 percent)
- Lying in bed or on the couch (33 percent)
I can hear you…
Many have also experienced embarrassing moments thinking they were on mute when their microphones were actually on and they could be heard:
- Making awkward noises (41 percent)
- Talking about someone on the call (37 percent)
- Talking to someone else in the room with them (28 percent)
What does working from home look like?
- 29 percent of those polled wear slippers or no shoes
- 28 percent get dressed in the same attire they would wear to the office
- 25 percent wear sweatpants or pajamas
- 25 percent get half-dressed so they can “look nice on video conferences”
- 24 percent wear workout clothes
The future of work?
And will it persist once the pandemic subsides?
- 37 percent of employees surveyed think their organizations will be more relaxed about working from home and 32 percent say they plan to do so more often
- 33 percent are eager to return to the office
- 28 percent indicated they will actively look for a new job that allows them to permanently work remote
As COVID-19 continues to spread, remote work is no longer an experiment, but a requirement in many nations. While it represents a huge change, the results of research conducted by OnePoll and Citrix reveal that a majority of employees around the world are adapting to working from home and believe it will become the new normal for the way work gets done.
“Remote work is not business as usual. It represents a totally new way of thinking and operating and can be a difficult adjustment for employees and employers to make,” says Donna Kimmel, Chief People Officer, Citrix.
“But business must go on, even in times of crisis. And as the research makes clear, companies that give their people the right tools can help them make the transition, empower them to be and perform at their best, and emerge stronger when conditions improve.”
Remote work: A new normal
As Kimmel notes, remote work is a completely new concept for most employees. Less than half of more than 10,000 workers polled in six countries indicated that they worked from home at least one day per week prior to the coronavirus outbreak:
- 33 percent (United States)
- 26 percent (France)
- 34.4 percent (Australia)
- 42.6 percent (Germany)
- 22.1 percent (Italy)
- 45 percent (United Kingdom)
Changing with the times
And they admit working remote has been an adjustment. Among the top challenges cited by respondents in all countries:
- Isolation from colleagues
- Lack of face-to-face interactions
- Difficulty separating work and personal lives
There are plenty of productivity issues that get in the way in the office. Yet the majority of employees believe that empowered with the right tools, they can stay engaged and be as or more productive working from home as they are in the office. Of those polled who said they work the same or more hours:
- 77 percent (US)
- 60.9 percent (France)
- 80.8 percent (Australia)
- 76.2 percent (Germany)
- 70.8 percent (Italy)
- 68.2 percent (UK)
More than half in all countries said their productivity levels are the same or higher:
- 69 percent (US)
- 62.9 percent (France)
- 69.6 percent (Australia)
- 74.2 percent (Germany)
- 78.9 percent (Italy)
- 62.7 percent (UK)
What are the right tools?
“You can have the best technology in the world. But if you don’t provide employees with resources to help them make the adjustment, they won’t use it and continue to engage and be productive,” Kimmel says.
“And this includes things like sharing tips on setting up a home office and providing flexible schedules to accommodate family responsibilities. Leveraging video conferencing and chat apps to drive richer communications.
“Hosting virtual office hours where employees can drop in on their managers like they would if they were in a physical location to ask questions or just vent.”
The research supports this notion, as employees polled called out the importance of the following as they adapt to the new model:
- Dedicated physical workspaces
- Single-Sign-On digital workspace where they can easily access all of the systems and applications they need to do their jobs
- Opportunities to connect and collaborate with colleagues in more personal ways such as virtual meetings and video chats
- More regular guidance/feedback from managers
Preparing for the future
The coronavirus pandemic has, in essence, created a forced experiment. Organizations that may have been reticent to consider remote work have come face-to-face with a situation that now requires it.
And while perhaps not their choice, the vast majority of respondents to the research believe it is the future of work. When asked if they believe working from home will be more common after the crisis, roughly two thirds of employees polled in all countries responded affirmatively.
“The world has definitely changed. And remote work may in fact be the new normal,” Kimmel says. “Companies that embrace the change and build a culture around it in which their employees are empowered with the tools, confidence and trust they need to adapt can weather these tough times and position themselves to thrive when better days return.”
Citrix and FireEye have teamed up to provide sysadmins with an IoC scanner that shows whether a Citrix ADC, Gateway or SD-WAN WANOP appliance has been compromised via CVE-2019-19781.
Finding evidence of compromise
By now it should be widely known that CVE-2019-19781 – aka “Shitrix” – is a real and present danger: exploits for it abound and attackers are using them, while we wait for fixes for all affected devices to be released.
Though the number of vulnerable Citrix endpoints is declining rather quickly, we don’t know how many have been compromised since the start of the attacks.
Nearly two weeks ago, TrustedSec created a list of locations and indicators to search for on potentially compromised Citrix ADC hosts and shared instructions on how to check for them.
Citrix’s and FireEye’s new tool makes the search for IoCs much easier.
About the CVE-2019-19781 IoC scanner
The IoC Scanner (as they call it) can be run directly on a live Citrix ADC, Gateway, or SD-WAN WANOP system, or can be used to inspect a mounted forensic image.
On a live system it scans files, processes, and ports for known indicators, and analyzes available log sources and system forensic artifacts to identify evidence of successful exploitation of the flaw.
Its output will tell users whether there is:
- Strong evidence of compromise (e.g., unexpected processes, listening UDP ports, web access logs showing exploit HTTP requests, etc.)
- Evidence of the system having been successfully probed for the flaw
- Evidence of unsuccessful vulnerability scanning (attempts to scan or exploit the system did not succeed).
“Remember, the tool will not make an assertion that a system has not been compromised. The tool will only state when IoCs are identified,” FireEye made sure to point out.
“It will also not provide formal malware family names of all malicious tools and scripts identified on compromised systems, nor will it identify the existence of all malware or evidence of compromise on the system. The tool is limited to the tool-related indicators that FireEye is aware of at the time of release of the tool or tool-related indicators.”
They did not say whether they intend to update it with new indicators as they become aware of them.
Also, they noted that “there are limitations in what the tool will be able to accomplish and therefore executing the tool should not be considered a guarantee that a system is free of compromise. For example, log files on the system with evidence of compromise may have truncated or rolled, the system may have been rebooted, or an attacker may have tampered with the system to remove evidence of compromise and/or installed a rootkit that masks evidence of compromise.”
But if the tool shows that IoCs are present, admins should definitely initiate a forensic investigation to determine the scope of the compromise.
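As an added illustration of the log-based part of such a check (example code written for this page, not the Citrix/FireEye IoC Scanner and not its indicator set): the script below parses web access log lines and sorts each hit into the three outcomes listed above. It assumes the log is the Apache combined-format access log that Citrix ADC keeps at /var/log/httpaccess.log, and it uses a single indicator, the same condition Citrix’s published mitigation blocks: a decoded request URL that contains both “/vpns/” and “/../”. The sample log lines are constructed, and the rules that map status code and method to a severity bucket are this example’s own heuristic, not FireEye’s.

```python
"""Classify CVE-2019-19781 indicators in Citrix ADC web access logs.

Added example, not the Citrix/FireEye IoC Scanner. Assumptions: the log is
/var/log/httpaccess.log in Apache "combined" format, and the indicator is the
condition Citrix's mitigation blocks (decoded URL contains "/vpns/" and "/../").
The severity buckets follow the three outcomes the text lists; the thresholds
that assign them are this example's heuristic.
"""
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Perl scripts under the portal directory are what the public exploits target.
SCRIPT_RE = re.compile(r"/vpns/portal/scripts/[^/?]+\.pl$")


def parse(line):
    """Return a dict of fields, with the URL percent-decoded, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["decoded"] = unquote(d["path"])
    return d


def is_traversal(decoded_path):
    """The mitigation's condition: reaching /vpns/ through a ../ traversal."""
    return "/vpns/" in decoded_path and "/../" in decoded_path


def classify(entry):
    """Map a parsed entry to a severity bucket, or None if no indicator is present."""
    if entry is None or not is_traversal(entry["decoded"]):
        return None
    if entry["status"] != 200:
        # Blocked by the mitigation (403) or otherwise failed: attempt did not succeed.
        return "unsuccessful_scan"
    path_only = entry["decoded"].split("?")[0]
    if entry["method"] == "POST" and SCRIPT_RE.search(path_only):
        # A successful POST to a portal script is the exploit request itself.
        return "strong_evidence"
    # A successful GET through the traversal (e.g. a config file) is a probe that worked.
    return "successful_probe"


def scan(lines):
    """Return (severity, source line) for every line carrying an indicator."""
    findings = []
    for line in lines:
        sev = classify(parse(line))
        if sev:
            findings.append((sev, line))
    return findings


def summarize(findings):
    """Per-bucket counts. There is deliberately no 'clean' verdict: an empty
    result is not evidence of absence (logs roll, attackers tamper)."""
    counts = {"strong_evidence": 0, "successful_probe": 0, "unsuccessful_scan": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2020:04:12:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "curl/7.64"',
    '203.0.113.5 - - [11/Jan/2020:04:12:03 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 154 "-" "python-requests/2.22"',
    '198.51.100.7 - - [11/Jan/2020:05:00:44 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Jan/2020:05:03:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for sev, line in hits:
        print(f"{sev:18} {line}")
    print(summarize(hits))
```

Run it against a real /var/log/httpaccess.log (and its rotated copies) by replacing SAMPLE_LOG with the file’s lines; any strong_evidence or successful_probe hit is a reason to start the forensic investigation the text calls for, and a run with no hits says nothing about whether the box is clean.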
As attackers continue to hit vulnerable Citrix (formerly Netscaler) ADC and Gateway installations, Citrix has released permanent fixes for some versions and has promised to provide them for other versions and for two older versions of SD-WAN WANOP by January 24.
A short timeline before the situation update
CVE-2019-19781, a critical vulnerability affecting Citrix ADC and Gateway that may allow unauthenticated attackers to achieve remote code execution and obtain direct access to an organization’s local network from the internet, was responsibly disclosed last December.
At the time, Citrix only offered mitigation advice instead of fixes, but both security researchers and hackers eventually used that advice to discern the nature of the flaw and create exploits for it.
The number of publicly available exploits quickly rose in the following days and they began to be deployed by attackers. At the same time, scans revealed tens of thousands of (still) vulnerable installations.
Citrix CISO Fermin J. Serna then announced that the first available fixes would land on January 20.
The current situation
Several days into the rising attacks, FireEye researchers flagged a threat actor gaining access to vulnerable Citrix installations and removing known cryptocurrency miners from them.
At the same time, the threat actor downloads and deploys a utility (NOTROBIN) that blocks further exploitation attempts against CVE-2019-19781 while effectively setting up a backdoor that can be used only by someone who knows the right password (a hardcoded key).
“Across multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we’ve recovered nearly 100 keys from different binaries,” the researchers noted.
“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign.”
A similar attack, delivering partial fixes, was spotted recently by SANS ISC, as it was used on their honeypots.
In the meantime, Citrix confirmed that some SD-WAN WANOP versions (v10.2.6 and 11.0.3) are also vulnerable to CVE-2019-19781 as they include Citrix ADC as a load balancer, and that the offered mitigation steps will work on them.
Finally, on Sunday, the company released fixes for CVE-2019-19781 for ADC versions 11.1 and 12.0.
“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated,” Serna pointed out.
He also said that the remaining fixes – for ADC version 12.1, 13, 10.5, and SD-WAN WANOP 10.2.6 and 11.0.3 – are scheduled to be released on January 24.
He also warned that the offered fixes can be used only on the indicated versions. “If you have multiple ADC versions in production, you must apply the correct version fix to each system,” he advised.
In the meantime, mitigations should be implemented and admins should check whether they’ve been successfully applied. Citrix has provided a tool that will help them do that.
By the way: last week CISA released a utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781. It’s available here.
Also: TrustedSec provided instructions for checking whether your Citrix endpoints have already been compromised through CVE-2019-19781.
With several exploits targeting CVE-2019-19781 having been released over the weekend and the number of vulnerable endpoints still being over 25,000, attackers are having a field day.
Do you use Citrix’s Application Delivery Controller (ADC) or Gateway? If you haven’t implemented the mitigations provided by the company, there’s a good chance you might have been hit already.
Numerous CVE-2019-19781 exploits available
The existence of CVE-2019-19781 – humorously dubbed Shitrix by cybersecurity researcher Kevin Beaumont – was first made public in late December.
Discovered by Mikhail Klyuchnikov of Positive Technologies, the flaw has yet to be patched. In the meantime, Citrix offered mitigation advice to users.
CVE-2019-19781 is very bad news: it’s easy to exploit and can lead to remote code execution. The exploit published by TrustedSec “works well” and establishes a reverse shell, SANS ISC’s Johannes Ullrich noted.
“We do see heavy exploitation of the flaw using variations of both exploits. Most attempts follow the ‘Project Zero India’ pattern, which is likely simpler to include in existing exploit scripts. Much of the scanning we have been seen so far is just testing the vulnerability by attempting to run commands like ‘id’ and ‘uname’,” he shared.
“A few exploits attempted to download additional code. I was successful retrieving one sample so far, a simple Perl backdoor.”
SANS ISC handler Didier Stevens shared an overview of the payloads delivered by the attackers. AlienVault has consolidated indicators of compromise from a number of reports of recent exploitation of the flaw.
Implement mitigations, check for compromise
Citrix CISO Fermin J. Serna urged users to go through the offered mitigation steps and said that they are working on developing permanent fixes.
“As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested,” he noted, and said that the first fixes (in the form of refresh builds) are scheduled to be released on January 20, then followed by the rest on January 27 and 31.
TrustedSec provided instructions for checking whether your Citrix endpoints have already been compromised.
You might also want to peruse Beaumont’s advice:
Citrix Gateway and ADC vulnerability aka #Shitrix – a thread of some things which are catching out defenders:
— Kevin Beaumont (@GossiTheDog) January 12, 2020
Nearly a month has passed since Citrix released mitigation measures for CVE-2019-19781, a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway, which could lead to remote code execution.
The end of the year festivities and holidays can be blamed for the announcement not receiving a lot of attention, but those have now passed and, according to SANS ISC and security researcher Kevin Beaumont, there are attackers out there scanning for vulnerable systems and probing them (reading sensitive credential configuration files).
About the vulnerable products
Citrix Application Delivery Controller (formerly NetScaler ADC) is an application delivery and load balancing solution.
Citrix Gateway (formerly NetScaler Gateway) is a secure remote access network gateway solution that is offered as a cloud service or an on-premises solution.
Citrix confirmed that CVE-2019-19781 affects:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
The vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies and reported to Citrix late last year.
PT says that the vulnerability may allow unauthenticated attackers to obtain direct access to the company’s local network from the internet.
“Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP). In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked. This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server,” they explained, but did not share more specific details about the flaw.
Citrix has published mitigation advice, though, and Tripwire security researcher Craig Young has used it to deduce the underlying problem and realize that a working exploit can be as simple as chaining two HTTPS requests to take advantage of what is, partly, an issue of insufficient access control.
What to do?
As Citrix is yet to release actual fixes, enterprise admins are advised to peruse the company’s mitigation advice and implement it as soon as possible, then upgrade all of their vulnerable appliances to a fixed version when one is released (though they didn’t say when that may be).
PT says that web application firewalls can be used to fend off potential attacks by blocking all dangerous requests.
“Considering how long this vulnerability has been around (since the first vulnerable version of the software was released in 2014), detecting potential exploitation of this vulnerability (and, therefore, infrastructure compromise) retrospectively becomes just as important,” they added.
When the vulnerability was first made public, PT scanned the internet for vulnerable installations and found that over 80,000 companies (predominantly North American) run them.
Young’s more recent scanning revealed over 58,000 exposed Citrix appliances, less than a third of which had the mitigation enabled.
“39,378 of the 58,620 scanned IPs were apparently vulnerable. To put this in perspective, I correlated the IP addresses with their certificate data and found more than 26,000 unique subject common name values. The list contains countless high value targets across a swath of verticals including finance, government, and healthcare,” he noted.
“It is alarming that so many organizations are currently at risk in such a sensitive part of their organization. Each one of these devices is an opportunity for criminals or spies to gain access to restricted networks and impersonate authorized users. I would strongly advise all organizations with NetScaler/ADC to apply the mitigation immediately to avoid compromise.”
Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many Sharefile users interpreted this as a breach at Citrix and/or Sharefile, but the company maintains that’s not the case. Here’s a closer look at what happened, and some ideas about how to avoid a repeat of this scenario going forward.
The notice sent to ShareFile users looked like this:
Dozens of readers forwarded the above message to KrebsOnSecurity, saying they didn’t understand the reasoning for the mass password reset and that they suspected a breach at ShareFile.
I reached out to ShareFile and asked them point blank whether this reset effort was in response to any sort of intrusion at Citrix or ShareFile; they said no. I asked if this notice had been sent to everyone, and inquired whether ShareFile offers any form(s) of multi-factor authentication options that customers could use to supplement the security of passwords.
A Citrix spokesperson referred me to this page, which says ShareFile users have a number of options when it comes to locking down their accounts with multi-factor authentication, including a one-time code sent via SMS/text message, as well as one-time passwords generated by supported authenticator mobile apps from Google and Microsoft (app-based multi-factor is the more secure option, as discussed here).
More importantly, the Citrix spokesperson said the company did not enforce a password reset on accounts using more stringent authentication controls, such as integration with single sign-on (SSO) solutions. To wit:
“This is not in response to a breach of Citrix products or services,” wrote spokesperson Jamie Buranich. “Citrix forced password resets with the knowledge that attacks of this nature historically come in waves. Attackers’ additional efforts adapt to the results, often tuning the volume and approach of their methods. Our objective was to minimize the risk to our customers. We did not enforce a password reset on accounts that are using more stringent authentication controls. Citrix also directly integrates with common SSO solutions, which significantly reduces risk.”
The company did not respond to questions about why it decided to adopt regular password resets as a policy when doing so flies in the face of password and authentication best practices recommended by the National Institute of Standards and Technology (NIST), which warns:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
NIST explains its rationale for steering organizations away from regular forced password resets thusly:
“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations.”
“But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”
In short, NIST says it makes sense to force an across-the-board password reset following a breach — either of a specific user’s account or the entire password database. But doing so at regular intervals absent such evidence of compromise is likely to result in less complex and secure passwords.
Ideally, ShareFile users who received a password reset notice may be able to avoid the next round of password resets by adopting one of the two-step authentication options mentioned above. And I hope it goes without saying, but please don’t re-use a password you used anywhere else.
However, if you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.
Incidentally, there are several companies — such as auth0 and Okta — that make it easy to integrate with breached password databases like Troy Hunt’s HaveIBeenPwned.com to help proactively prevent users from picking passwords they have used at other sites (or at least at other sites that have been breached publicly).
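As an added example of how such a breached-password check works (code written for this page, not auth0’s, Okta’s or HIBP’s): the Pwned Passwords service exposes a k-anonymity range lookup, where the client SHA-1s the candidate password, sends only the first five hex characters of the digest to https://api.pwnedpasswords.com/range/<prefix>, and matches the remaining 35 characters locally against the returned “SUFFIX:COUNT” lines, so the full hash never leaves the client. The range response embedded below is constructed (made-up counts) so the example runs offline; the http_fetch_range function is the one network call you would swap in. The verifier rule at the end follows the NIST guidance quoted above: reject on known compromise, never on a calendar.

```python
"""Breached-password check in the k-anonymity style of Pwned Passwords.

Added example, not auth0's, Okta's or HIBP's code. Only the 5-char SHA-1
prefix is sent to the service; suffix matching happens locally.
"""
import hashlib


def sha1_hex(password):
    """Upper-case hex SHA-1, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """k-anonymity split: 5-char prefix goes to the server, 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        out[suffix.upper()] = int(count)
    return out


def breach_count(password, fetch_range):
    """Number of times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def check_new_password(password, fetch_range, min_len=8):
    """NIST-style verifier rule: reject on length or evidence of compromise.
    No composition rules and no periodic expiry, per the guidance in the text."""
    if len(password) < min_len:
        return False, "too short"
    n = breach_count(password, fetch_range)
    if n:
        return False, f"appeared {n} times in breached data"
    return True, "ok"


def http_fetch_range(prefix, timeout=5):
    """Real network call against the public API (not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-breach-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed range response for prefix 5BAA6, the prefix of SHA-1("password").
# Counts are made up; a real response carries several hundred lines.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",   # suffix of SHA-1("password")
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2",         # made-up neighbour in the bucket
    ]),
}


def fake_fetch_range(prefix):
    """Stand-in for http_fetch_range; unknown prefixes get an empty body."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, fake_fetch_range))
```

Because only the prefix is transmitted, the service learns nothing beyond which of roughly a million hash buckets the candidate falls into, which is what makes an inline check at sign-up or password change acceptable from a privacy standpoint; the friction Conroy describes below comes from the reject decision, not from the lookup.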
Whether online merchants are willing to adopt such preemptive approaches is another matter, said Julie Conroy, research director with the Aite Group, a market analyst firm.
“With the reality that such a vast swath of username/password combinations have been compromised, this creates the potential for a ton of inline friction, something that is an anathema to merchants, and which banks work hard to stay away from as well,” Conroy said.
Update: 4:53 p.m. ET: Citrix just published its own blog post about this here.