NetScaler Issues Warning to End Sessions Amid Citrix Bleed Exploits

NetScaler and Citrix Device Vulnerability Exploited by LockBit and Nation-State Groups

Experts are cautioning that unpatched NetScaler devices are under attack by nation-state and cybercriminal groups. The manufacturer of NetScaler has once again urged all users to immediately patch their devices, among other security measures.

This warning pertains to all self-managed NetScaler Application Delivery Controller and Gateway devices. NetScaler is a business unit of Cloud Software Group, which also includes Citrix.

The urgency to patch these devices follows the issuance of a security alert and patch for CVE-2023-4966, also known as Citrix Bleed, by NetScaler on October 10. This vulnerability affects both NetScaler ADC and Gateway products, previously known as Citrix ADC and Citrix Gateway. Prior to the release of the patch, both the U.S. Cybersecurity and Infrastructure Security Agency and Google Cloud’s Mandiant threat intelligence unit reported active exploitation of the flaw in the wild.

Subsequently, NetScaler released an alert in response to reports that multiple groups, including the LockBit ransomware group, have been exploiting unpatched NetScaler devices. This exploitation not only allows attackers to gain remote access but also to steal session tokens for later access, even post-patch.

According to experts, almost every NetScaler ADC and Gateway device was potentially infiltrated before the patch was released. British security researcher Kevin Beaumont emphasized the severity of the situation, stating that “somebody harvested session tokens from almost every box on the internet.”

LockBit ransomware has been reported breaching some of the world’s largest organizations by employing the vulnerability. They have done so in a coordinated fashion across multiple operators, ultimately holding these organizations to ransom.

The vulnerability enables attackers to extract valid session tokens from vulnerable internet-connected devices. The stolen tokens can be used to impersonate active sessions, bypass authentication – even multifactor – and gain complete access to the device. The risk persists even after the device is patched and rebooted, because tokens copied before the patch remain valid unless the sessions themselves are invalidated.

In response to the active exploitation of the vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency acknowledged that both nation-state and criminal groups are focused on leveraging the Citrix Bleed vulnerability. The agency has been actively assisting victims with remediation efforts.

Further reports from threat intelligence firm GreyNoise indicate a steady volume of attempts to exploit CVE-2023-4966. There are an estimated 5,000 organizations running unpatched NetScaler ADC or Gateway devices.

Exploitation of Citrix Bleed is leading to post-intrusion activity including network reconnaissance, theft of account credentials, lateral movement via RDP, deployment of remote monitoring and management tools, and high-profile LockBit ransomware infections.

NetScaler has urged organizations that have yet to patch their devices to terminate or invalidate all active sessions and review their logs for signs of compromise. Additionally, the company recommends that all organizations, regardless of when they patched, check for web shells or backdoors left behind by attackers and secure their systems.

NetScaler has also published recommendations to assist users in investigating exploits of CVE-2023-4966 within their environment. This includes looking for patterns of suspicious session use in monitoring and visibility tools, particularly related to virtual desktops if they are configured.
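The two signs of session-token abuse the article describes, the same session appearing from more than one client address and a pre-patch session that is still active after the patch, can be checked mechanically. The following is an added example, not NetScaler's own tooling or log format: it runs over constructed sample lines in a simplified syslog-like shape, and the field names, the `PATCH_TIME` constant and the 2023-10-10 cut-off hour are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real NetScaler ns.log output); fields are timestamp,
# event, user, session id and client IP, which is all the detection keys on.
SAMPLE_LOGS = """\
2023-10-09T08:00:01Z SESSION_START user=alice session=S1 client=203.0.113.10
2023-10-09T08:05:30Z SESSION_ACTIVITY user=alice session=S1 client=203.0.113.10
2023-10-09T09:12:44Z SESSION_ACTIVITY user=alice session=S1 client=198.51.100.77
2023-10-09T10:00:00Z SESSION_START user=bob session=S2 client=203.0.113.20
2023-10-11T14:30:00Z SESSION_ACTIVITY user=bob session=S2 client=203.0.113.20
2023-10-11T15:00:00Z SESSION_START user=carol session=S3 client=203.0.113.30
"""

# Patch release date from the article (October 10); hour and timezone are assumed.
PATCH_TIME = datetime(2023, 10, 10)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) session=(?P<sid>\S+) client=(?P<ip>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec

def find_suspicious_sessions(log_text, patch_time):
    """Map session id -> reasons: seen from several client IPs (token replayed from
    elsewhere) or created before the patch yet still active afterwards (token survived)."""
    ips = defaultdict(set)
    first_seen, last_seen = {}, {}
    for rec in parse(log_text):
        sid = rec["sid"]
        ips[sid].add(rec["ip"])
        first_seen.setdefault(sid, rec["ts"])
        last_seen[sid] = rec["ts"]
    findings = {}
    for sid in ips:
        reasons = []
        if len(ips[sid]) > 1:
            reasons.append("multiple_client_ips")
        if first_seen[sid] < patch_time <= last_seen[sid]:
            reasons.append("session_survived_patch")
        if reasons:
            findings[sid] = reasons
    return findings
```

Any session flagged with either reason is a candidate for the forced termination the article recommends, followed by a review of what that session did after the anomalous activity began.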

In light of the approaching holidays and year-end change freezes, NetScaler is strongly urging its customers to follow the remediation guidance for CVE-2023-4966 and best practices for securing their devices.

The urgency of patching and taking proactive security measures cannot be overstated, especially in the face of continued and coordinated exploitation of this known vulnerability. Organizations are advised to act swiftly to protect their networks and sensitive data from potential compromise.
