November 1, 2023 at 02:49PM
Threat actors are targeting government, technical, and legal organizations globally by exploiting the ‘Citrix Bleed’ vulnerability (CVE-2023-4966) in Citrix NetScaler ADC and Gateway appliances. The attacks have been ongoing since August 2023 and involve credential theft and lateral movement. The attacks are difficult to detect due to limited forensic evidence. Security updates alone are insufficient to address the breaches, and a full incident response is necessary. For system restoration guidance, refer to Mandiant’s remediation guide.
Key Takeaways from Meeting Notes:
1. Threat actors are actively exploiting the ‘Citrix Bleed’ vulnerability (CVE-2023-4966) to target government, technical, and legal organizations worldwide.
2. Four ongoing campaigns have been identified targeting vulnerable Citrix NetScaler ADC and Gateway appliances since late August 2023.
3. Post-exploitation activities include credential theft and lateral movement, and these attacks are particularly stealthy, leaving behind limited forensic evidence.
7. The CVE-2023-4966 vulnerability allows access to sensitive information on the affected Citrix devices, and hackers exploit it to hijack authenticated sessions and bypass multifactor authentication (MFA) protections.
8. Exploitation requires no user interaction and is low in complexity.
9. Investigating exploitation of CVE-2023-4966 is challenging because the appliances themselves keep little logging. Web application firewall (WAF) and network traffic monitoring logs are therefore needed to determine whether a device has been exploited.
10. Attackers employ living-off-the-land techniques and commonly used administrative tools to remain stealthy. An analysis of WAF requests, login patterns, Windows Registry entries, and memory dump files can help identify exploitation attempts.
8. After exploiting the vulnerability, the attackers engage in network reconnaissance, credential theft, and lateral movement via RDP.
9. The threat actors use various tools during the attack, including net.exe, netscan.exe, 7-zip, certutil, e.exe, d.dll, sh3.exe, FREEFIRE, Atera, AnyDesk, and SplashTop.
10. The deployment of these tools, particularly FREEFIRE, can indicate a compromise or breach.
11. Four distinct threat actors have been identified, overlapping in the post-exploitation stage. Commonly used tools include csvde.exe, certutil.exe, local.exe, and nbtscan.exe, with two clusters of activity also using Mimikatz.
12. Applying security updates alone will not address existing breaches, and a full incident response is required.
13. For guidance on system restoration, Mandiant’s remediation guide is recommended.
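The following is an added triage example written for this summary; it is not code from the original notes or from Mandiant. It turns two of the takeaways into checks that can be run over log exports: a session-hijack heuristic based on the login patterns mentioned in item 10 (a Gateway session ID that serves requests from a source IP that never logged in, which is what a stolen authenticated session looks like when no fresh login or MFA prompt precedes it), and a process-creation sweep for the post-exploitation tools named in items 12 and 14. The log line formats, host names, user names, IP addresses and the `triage` function are all hypothetical; the sample lines are constructed, and the regular expressions would need to be adapted to a real Gateway, WAF or EDR export.

```python
"""Triage constructed log exports for the two indicator classes the summary describes:
   1. a Gateway session used from a source IP that never performed a login for it
      (session hijack heuristic; a hijacked session shows no login/MFA event from
      the attacker's IP);
   2. process-creation events whose image matches a tool the summary lists.
   All log formats and sample data below are hypothetical / constructed."""
import re
from collections import defaultdict

# Hypothetical Gateway access-log format: "<ts> session=<id> user=<name> src=<ip> event=<login|request>"
SESSION_RE = re.compile(r"session=(?P<session>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)")
# Hypothetical EDR process-creation format: "host=<name> user=<name> image=<full path>" (image is last)
PROC_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")

# Executables named in the summary, matched on the exact image basename (lower-case).
EXACT_NAMES = {"net.exe", "netscan.exe", "certutil.exe", "e.exe", "d.dll", "sh3.exe",
               "csvde.exe", "local.exe", "nbtscan.exe"}
# Families / products named in the summary whose on-disk file names vary; matched as substrings.
FAMILY_KEYWORDS = ("freefire", "mimikatz", "atera", "anydesk", "splashtop", "7z")

# Constructed sample Gateway log: alice logs in from one IP, then her session is used from another.
SAMPLE_GATEWAY_LOG = [
    "2023-09-02T10:14:05Z session=9f3a user=alice src=203.0.113.10 event=login",
    "2023-09-02T10:14:09Z session=9f3a user=alice src=203.0.113.10 event=request",
    "2023-09-02T10:31:44Z session=9f3a user=alice src=198.51.100.77 event=request",
    "2023-09-02T10:32:01Z session=9f3a user=alice src=198.51.100.77 event=request",
    "2023-09-02T11:02:10Z session=c71e user=bob src=192.0.2.25 event=login",
    "2023-09-02T11:05:30Z session=c71e user=bob src=192.0.2.25 event=request",
]

# Constructed sample process-creation log (backslashes are literal Windows path separators).
SAMPLE_PROCESS_LOG = [
    "host=FS01 user=CORP\\alice image=C:\\Windows\\System32\\notepad.exe",
    "host=FS01 user=CORP\\alice image=C:\\Windows\\System32\\certutil.exe",
    "host=DC01 user=CORP\\alice image=C:\\Windows\\System32\\csvde.exe",
    "host=WS17 user=CORP\\bob image=C:\\Program Files\\AnyDesk\\AnyDesk.exe",
    "host=WS17 user=CORP\\bob image=C:\\Users\\bob\\Downloads\\netscan.exe",
    "host=WS02 user=CORP\\carol image=C:\\Program Files\\dotnet\\dotnet.exe",
]


def find_hijacked_sessions(lines):
    """Return {session_id: {...}} for sessions that served requests from a source IP
    that never produced a login event for that session."""
    logins, requests, owner = defaultdict(set), defaultdict(set), {}
    for line in lines:
        m = SESSION_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        sid = m["session"]
        owner[sid] = m["user"]
        (logins if m["event"] == "login" else requests)[sid].add(m["src"])
    suspects = {}
    for sid, srcs in requests.items():
        unexpected = srcs - logins[sid]
        if unexpected:
            suspects[sid] = {"user": owner[sid],
                             "login_src": sorted(logins[sid]),
                             "unexpected_src": sorted(unexpected)}
    return suspects


def classify_image(image_path):
    """Return the matched tool tag for an image path, or None if it is not on the list."""
    name = image_path.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in EXACT_NAMES:
        return name
    for keyword in FAMILY_KEYWORDS:
        if keyword in name:
            return keyword
    return None


def find_tool_executions(lines):
    """Return [(host, user, tool_tag)] for process-creation lines matching a listed tool."""
    hits = []
    for line in lines:
        m = PROC_RE.search(line)
        if not m:
            continue
        tag = classify_image(m["image"])
        if tag:
            hits.append((m["host"], m["user"], tag))
    return hits


def triage(gateway_lines, process_lines):
    """Combine both checks into one report dict."""
    return {"hijacked_sessions": find_hijacked_sessions(gateway_lines),
            "tool_executions": find_tool_executions(process_lines)}


if __name__ == "__main__":
    report = triage(SAMPLE_GATEWAY_LOG, SAMPLE_PROCESS_LOG)
    for sid, info in report["hijacked_sessions"].items():
        print(f"session {sid} ({info['user']}): login from {info['login_src']}, "
              f"requests also from {info['unexpected_src']}")
    for host, user, tag in report["tool_executions"]:
        print(f"{host}: {user} ran {tag}")
```

The session check deliberately keys on the absence of a login event rather than on the mere presence of a second IP, because a legitimate user changing networks still produces a fresh login and MFA prompt on a properly expiring session; a stolen session token does not. The tool sweep is a starting point for hunting, not proof of compromise: certutil, csvde and the remote-access products are also used legitimately, so each hit should be correlated with the session findings and the user's normal activity.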
Please note that this is a summary of the meeting notes and may not include all details.