Executive Summary
Experts are warning that nation-state and cybercrime groups are attacking unpatched NetScaler devices. The attackers exploit a vulnerability tracked as CVE-2023-4966 and known as Citrix Bleed, which affects NetScaler ADC and NetScaler Gateway products and carries a CVSS score of 9.4.
NetScaler has already released a patch and urged users to apply it. The same patch also addresses CVE-2023-4967, a Denial of Service (DoS) vulnerability with a CVSS score of 8.2.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Google Cloud’s Mandiant have identified active exploitation of this vulnerability from before the official patch was released.
Unpatched NetScaler devices have become a target for various groups, including the LockBit ransomware group, which use the flaw to gain remote access and extract session tokens. NetScaler ADC and Gateway devices have been breached globally, with session tokens extracted from numerous devices.
If your organisation has yet to implement these critical patches, now is the time!
The Citrix Bleed
Citrix Bleed allows attackers to steal valid session tokens, bypass multi-factor authentication, and gain complete access to vulnerable devices. Thus, it poses a significant threat.
Exploitation of Citrix Bleed has been followed by network reconnaissance, credential theft, lateral movement and, in some cases, ransomware infections. The exploits have also led to breaches in large organisations.
This week, CISA released a joint advisory providing comprehensive technical details about the exploits.
Surprisingly, CISA’s vulnerability warning program found nearly 300 organisations with exposed NetScaler devices. Boeing’s confirmation of an incident linked to LockBit affiliates exploiting CVE-2023-4966 underscores the gravity of the situation. It also highlights the need for collaboration and information sharing among potential victims.
Please refer to our recent article for more information about the Citrix Bleed.
Urgent Call for Action
Experts strongly recommend that organisations patch their NetScaler devices immediately. It is equally important to terminate or invalidate all active sessions, because patching alone does not invalidate tokens that were already stolen, and to review logs carefully for signs of compromise.
Please see Citrix’s security bulletin for more information about the patch.
Additional Recommendations:
Experts also encourage organisations to check for any web shells or backdoors the attackers left behind, regardless of when they patched, because working exploits were circulating before the patch was released. NetScaler also offers practical guidance for investigating exploitation, including monitoring for patterns of suspicious session use.
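The log review and "suspicious session use" monitoring recommended above can be approximated with a simple replay check: a session identifier that suddenly appears from a different client IP address or a different User-Agent shortly after legitimate use is a pattern consistent with a stolen token being replayed. The script below is an added example written for this article, not code from Citrix, NetScaler, CISA or Mandiant. The log format it parses (timestamp, `sess=`, `ip=`, `user=`, `ua=` fields) and the sample lines are constructed for illustration; real NetScaler session logs differ, so the `parse_line` function would need adapting.

```python
"""
Added example (not from the original article or from Citrix/NetScaler):
flag session identifiers that are used from more than one client IP or
more than one User-Agent within a short time window, a pattern consistent
with a session token being replayed by someone other than its owner.

The log format below is a constructed, simplified one. Real NetScaler
session logs differ; only parse_line() needs to change to use them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: session a1b2c3 is used by alice from her normal
# address, then reappears minutes later from another address with a
# scripted client. Session d4e5f6 is ordinary single-client usage.
SAMPLE_LOG = """\
2023-11-20T08:00:01Z sess=a1b2c3 ip=203.0.113.10 user=alice ua=Chrome/119
2023-11-20T08:05:12Z sess=a1b2c3 ip=203.0.113.10 user=alice ua=Chrome/119
2023-11-20T08:07:45Z sess=a1b2c3 ip=198.51.100.77 user=alice ua=python-requests/2.31
2023-11-20T08:10:00Z sess=d4e5f6 ip=192.0.2.5 user=bob ua=Firefox/119
2023-11-20T09:30:00Z sess=d4e5f6 ip=192.0.2.5 user=bob ua=Firefox/119
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    """Parse all non-empty lines of a log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_suspicious_sessions(records, window=timedelta(minutes=30)):
    """
    Group records by session id and, for consecutive uses of the same
    session that fall within `window`, report any change of client IP or
    User-Agent. Returns {session_id: {"user": ..., "reasons": [...]}}.
    Changes separated by more than `window` are deliberately ignored so
    that ordinary roaming over a long session does not raise alerts.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["sess"]].append(rec)

    findings = {}
    for sess, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        for prev, cur in zip(recs, recs[1:]):
            if cur["ts"] - prev["ts"] > window:
                continue
            if cur["ip"] != prev["ip"]:
                reasons.append(f"ip change {prev['ip']} -> {cur['ip']}")
            if cur["ua"] != prev["ua"]:
                reasons.append(f"user-agent change {prev['ua']} -> {cur['ua']}")
        if reasons:
            findings[sess] = {"user": recs[0]["user"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for sess, info in find_suspicious_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sess} (user {info['user']}):")
        for reason in info["reasons"]:
            print(f"  - {reason}")
```

On the constructed sample this flags only session `a1b2c3`, with both an IP change and a User-Agent change. The time window is a trade-off: a short window limits false positives from users who legitimately move between networks, but a token replayed hours after the last legitimate use will be missed, so a hit-free run is not proof that no token was stolen and should not replace invalidating all sessions after patching.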