Both Citrix and the U.S. government are urging security teams to take a number of defensive measures as threat actors continue to widely target the known Citrix Bleed vulnerability in Netscaler ADC and Gateway appliances.
On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released detection methods and IoCs to help network defenders hunt for malicious activity associated with exploits of this flaw. Citrix on Monday urged impacted customers to update, but also recommended that they remove any active or persistent sessions and look for patterns of suspicious session use across their monitoring or visibility tools to sniff out potential exploitation.
The critical-severity flaw (CVE-2023-4966) was first disclosed by Citrix on Oct. 10, when the company released patches. However, since at least August a number of threat actors have targeted the flaw to infect professional services, technology and government organizations. Then, starting around Oct. 25, the Shadowserver Foundation noted a sharp increase in attempts to exploit the flaw.
“Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks,” according to CISA on Tuesday.
Last week, it was also reported that LockBit ransomware affiliates were targeting this flaw in order to hit major companies like aerospace conglomerate Boeing. CISA’s joint cybersecurity advisory (CSA), released in conjunction with the FBI, MS-ISAC and and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC), highlighted the specific TTPs and IoCs associated with these attacks, in order to help security teams uncover attacks in their own environments.
“This CSA provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing,” said CISA. “Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization.”
The flaw stems from an unauthenticated buffer-related issue and could enable sensitive information disclosure. Threat actors can exploit the flaw to hijack existing authenticated sessions and bypass multi-factor authentication and password requirements. They can also acquire elevated permissions in order to steal credentials, perform lateral movement and other malicious activities.
LockBit ransomware affiliates, for their part, have exploited the flaw to access the valid cookies and establish an authenticated session within NetScaler appliances sans username, password or MFA token access. Post-compromise, they have attempted to obtain operating system and hardware information (such as versions and patches), leveraged a number of remote management and monitoring tools like AnyDesk and Splashtop and used the Windows utility mshta.exe to execute HTA files.
A number of mitigations also exist for impacted organizations, and they should isolate their Netscaler ADC and Gateway appliances for testing until they are able to patch, according to CISA.