Citrix has issued a reminder to administrators that, in addition to applying the necessary security updates to their NetScaler appliances, they must also terminate all previous and active user sessions to secure the devices against attacks. The warning comes in light of the 'Citrix Bleed' vulnerability (CVE-2023-4966), which attackers have been actively exploiting to steal authentication tokens that let them keep access to compromised devices even after the patch is applied.
Citrix patched the vulnerability in early October; however, Mandiant revealed that it had been under active exploitation since at least late August 2023. Mandiant also highlighted that compromised NetScaler sessions remain active even after patching, which allows attackers to move laterally across the network or compromise other accounts, depending on the permissions of the compromised accounts. Citrix advised, "If you are using any of the affected builds listed in the security bulletin, you should upgrade immediately by installing the updated versions. After you upgrade, we recommend that you remove any active or persistent sessions."
This is the second time Citrix has warned customers to terminate all active and persistent sessions. The LockBit ransomware gang is reportedly exploiting the Citrix Bleed flaw, as CISA and the FBI warned in a joint advisory with the Multi-State Information Sharing & Analysis Center (MS-ISAC) and the Australian Cyber Security Centre (ACSC). The advisory also provides indicators of compromise and detection methods to help defenders counter the ransomware group's attacks.
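As an added example, not taken from the article or from Citrix, Mandiant or CISA material, the following Python script shows the kind of check a defender can run over session logs after upgrading an appliance. It flags sessions that were created before the patch time yet still carry traffic afterwards (exactly the sessions the vendor says to terminate) and sessions whose token is seen from more than one client IP (a sign of the token theft described above). The log line format, the user names, IPs, session ids and the patch time are all constructed for this example; the real ns.log layout differs, so `LOG_RE` would need adapting before use on actual appliance logs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed, simplified session-log format for this example (NOT the real
# NetScaler ns.log layout; adapt LOG_RE to the appliance's actual AAA messages).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) AAA user=(?P<user>\S+) client_ip=(?P<ip>\S+) "
    r"session=(?P<sid>\S+) event=(?P<event>LOGIN|REQUEST|LOGOUT)$"
)

# Assumed time the fixed build was installed on this appliance (constructed).
PATCH_APPLIED = datetime(2023, 10, 10, 12, 0, 0)

# Constructed sample records: alice's pre-patch session is still used after the
# upgrade and is then seen from a second client IP; bob logs in only after the
# patch; carol's pre-patch session ended cleanly with a LOGOUT.
SAMPLE_LOG = """\
2023-10-09T08:00:00 AAA user=alice client_ip=198.51.100.10 session=s-alice-1 event=LOGIN
2023-10-10T13:05:00 AAA user=alice client_ip=198.51.100.10 session=s-alice-1 event=REQUEST
2023-10-10T13:07:00 AAA user=alice client_ip=203.0.113.42 session=s-alice-1 event=REQUEST
2023-10-10T14:00:00 AAA user=bob client_ip=198.51.100.20 session=s-bob-2 event=LOGIN
2023-10-10T14:10:00 AAA user=bob client_ip=198.51.100.20 session=s-bob-2 event=REQUEST
2023-10-09T09:00:00 AAA user=carol client_ip=198.51.100.30 session=s-carol-3 event=LOGIN
2023-10-09T17:00:00 AAA user=carol client_ip=198.51.100.30 session=s-carol-3 event=LOGOUT
"""


@dataclass(frozen=True)
class Record:
    ts: datetime
    user: str
    ip: str
    session: str
    event: str


def parse_line(line: str):
    """Return a Record for one log line, or None if it is not a session event."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Record(datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["sid"], m["event"])


def parse_log(text: str):
    """Parse every recognised session event in a log blob, skipping other lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def sessions_with_multiple_ips(records):
    """Session ids seen from more than one client IP: a token-reuse indicator."""
    ips = defaultdict(set)
    for r in records:
        ips[r.session].add(r.ip)
    return {sid: s for sid, s in ips.items() if len(s) > 1}


def stale_prepatch_sessions(records, patch_time):
    """Sessions created before the patch that still carry traffic after it.

    These are the sessions the vendor advises killing after the upgrade: a
    token stolen before the fix keeps working in them until they are ended."""
    by_sid = defaultdict(list)
    for r in records:
        by_sid[r.session].append(r)
    stale = set()
    for sid, recs in by_sid.items():
        recs.sort(key=lambda r: r.ts)
        if recs[0].ts >= patch_time:
            continue  # session began after the fix; not at issue here
        if any(r.ts >= patch_time and r.event != "LOGOUT" for r in recs):
            stale.add(sid)
    return stale


def triage(text, patch_time=PATCH_APPLIED):
    """Run both checks over a log blob and return the findings keyed by check."""
    records = parse_log(text)
    return {
        "multi_ip_sessions": sessions_with_multiple_ips(records),
        "stale_prepatch_sessions": stale_prepatch_sessions(records, patch_time),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Any session id that appears in the `stale_prepatch_sessions` set is one that outlived the upgrade and should be killed on the appliance; a session that also appears under `multi_ip_sessions` deserves an incident-response look rather than just termination, since its token was used from a second address.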
In October, Boeing experienced a breach in its network due to a Citrix Bleed exploit by the LockBit gang, resulting in 43GB of data being stolen and subsequently leaked on the dark web after Boeing refused to comply with the ransomware gang's demands. The joint advisory warns, "Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization."
In response to the recently disclosed CVE-2023-4966 affecting Citrix NetScaler ADC and NetScaler Gateway appliances, CISA analyzed four files that reveal attempts to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and establish sessions via Windows Remote Management (WinRM). According to security researchers, over 10,000 Internet-exposed Citrix servers were still vulnerable to Citrix Bleed attacks a week ago.