Threat researcher Kevin Beaumont has been tracking attacks against various companies, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing, and found they had something in common.
These were exposed Citrix servers vulnerable to the Citrix Bleed flaw, which he says the LockBit ransomware gang is exploiting attacks. This was further confirmed by the Wall Street Journal, which obtained an email from the U.S. Treasury sent to select financial service providers, mentioning that LockBit was responsible for the cyberattack on ICBC, which was achieved by exploiting the Citrix Bleed flaw.
What is Citrix Bleed?
Citrix Bleed was disclosed on October 10 as a critical security issue that affects Citrix NetScaler ADC and Gateway, enabling access to sensitive device information.
Mandiant reported that threat actors started exploiting Citrix Bleed in late August when the security flaw was still a zero-day. In the attacks, hackers used HTTP GET requests to obtain Netscaler AAA session cookies after the multi-factor authentication stage (MFA).
Citrix urged admins to protect systems from this low-complexity, no-interaction attacks. On October 25, external attack surface management company AssetNote released a proof-of-concept exploit demonstrating how session tokens can be stolen.
CVE-2023-4966 has become a severe problem
At the time of writing, more than 10,400 Citrix servers are vulnerable to CVE-2023-4966, according to findings from Japanese threat researcher Yutaka Sejiyama shared with BleepingComputer.
The majority of the servers, 3,133, are in the U.S., followed by 1,228 in Germany, 733 in China, 558 in the U.K., 381 in Australia, 309 in Canada, 301 in France, 277 in Italy, 252 in Spain, 244 in the Netherlands, and 215 in Switzerland.
Sejiyama’s scans have revealed vulnerable servers in large and critical organizations in the above and many other countries, all of which remain unpatched over a full month following the public disclosure of the critical flaw.
How to protect yourself from the Citrix Bleed vulnerability
Here are the steps you can take to protect yourself from CVE-2023-4966:
- Update your NetScaler ADC and NetScaler Gateway builds to the recommended versions. You can find these versions in the security bulletin
- Kill all active and persistent sessions. You can do this by using the following commands:
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- kill aaa session -all
- clear lb persistentSessions
- Follow the NetScaler secure configuration and deployment guide as this guide can help you to configure your NetScaler devices in a way that is more secure
Organizations and users should also consider using a zero-trust security model, implementing a robust data loss prevention (DLP) solution, and educating employees about ransomware and how to identify and avoid phishing attacks.
Advertisement
I’m Manas Ranjan Sahoo: Founder of “Webtirety Software”. I’m a Full-time Software Professional and an aspiring entrepreneur, dedicated to growing this platform as large as possible. I love to Write Blogs on Software, Mobile applications, Web Technology, eCommerce, SEO, and about My experience with Life.