October 18, 2023 at 02:52PM
There is an active attack targeting a critical security vulnerability in Citrix NetScaler that was patched last week. The vulnerability allows attackers to hijack authenticated sessions, potentially bypassing multifactor authentication. The patch stops new exploitation, but it does not invalidate sessions that were already hijacked, so organizations are advised to terminate all active sessions to fully remediate the vulnerability. The attacks have been ongoing since August and are primarily focused on cyberespionage. There is a concern that other threat actors may exploit the vulnerability for financial gain. It is important for organizations to promptly address vulnerabilities in Citrix gear, as previous incidents have shown a lag in patching followed by credential-theft attacks.
Key Takeaways from the Meeting Notes:
1. There is an active attack targeting a critical security vulnerability (CVE-2023-4966) in Citrix NetScaler. The bug, with a CVSS score of 9.4, cannot be fully fixed by patching alone.
2. Mandiant recommends terminating all active sessions to mitigate the exploitation of CVE-2023-4966. Authenticated sessions persist even after the patch is applied, so threat actors holding stolen session data can continue to authenticate until those sessions are terminated.
3. The vulnerability allows cyber attackers to hijack existing authenticated sessions and potentially bypass multifactor authentication (MFA) in NetScaler environments. This grants them full control over application delivery within enterprises.
4. Attacks exploiting this bug have been observed since August and are believed to be focused on cyber espionage, targeting professional services, technology, and government organizations. Mandiant anticipates that other threat actors with financial motivations may also exploit this vulnerability in the future.
5. It is important to note that organizations have had a poor track record in mitigating known threats against Citrix gear. Recent incidents involving CVE-2023-3519 highlight this, where attackers targeted the vulnerability even after it was patched, resulting in thousands of credential-theft attacks.
6. Customer-managed Citrix NetScaler ADC and NetScaler Gateway installations are affected by the current security bug, while cloud instances are not. The Citrix bug advisory provides further information on the versions that have been patched.
7. Mandiant has provided updated remediation guidance regarding CVE-2023-4966 to help organizations address the issue effectively.
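The remediation point in takeaways 1 and 2 (a patch stops new session theft but does not revoke sessions that were already stolen) is easy to get wrong in any session-based system, not just NetScaler. The following is an added example, not code from the article, from Citrix or from Mandiant: a toy server-side session store with a constructed timeline in which a token is stolen before the patch, still authenticates after the patch, and is only rejected once all sessions issued before the remediation cutoff are terminated. The `SessionStore` class, token format and timestamps are all assumptions made for illustration.

```python
"""Why patching alone does not close a session-hijack bug: a toy model.

Added example, not from the article or from Citrix/Mandiant. The store,
token format and timeline below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import secrets


@dataclass
class Session:
    token: str
    user: str
    issued_at: datetime
    mfa_verified: bool


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    # Any session issued before this instant is treated as potentially stolen.
    revoked_before: Optional[datetime] = None

    def create(self, user: str, now: datetime, mfa_verified: bool = True) -> str:
        """Issue a new session token after the user has authenticated (with MFA)."""
        token = secrets.token_hex(16)
        self.sessions[token] = Session(token, user, now, mfa_verified)
        return token

    def authenticate(self, token: str) -> Optional[Session]:
        """Return the session for a presented token, or None if it is not honoured.

        Note that the MFA check happened at issuance: whoever holds a valid token
        is accepted without re-proving MFA, which is exactly what makes a leaked
        token so valuable to an attacker.
        """
        session = self.sessions.get(token)
        if session is None:
            return None
        # Belt-and-braces cutoff check, so a session replicated in from another
        # node after revocation is still rejected even if it was not deleted here.
        if self.revoked_before is not None and session.issued_at < self.revoked_before:
            return None
        return session

    def revoke_all_before(self, cutoff: datetime) -> int:
        """The 'terminate all active sessions' step. Returns how many were removed."""
        self.revoked_before = cutoff
        stale = [t for t, s in self.sessions.items() if s.issued_at < cutoff]
        for token in stale:
            del self.sessions[token]
        return len(stale)

    def sessions_older_than(self, cutoff: datetime) -> List[Session]:
        """Audit helper: sessions that predate the cutoff yet are still honoured."""
        return [s for s in self.sessions.values() if s.issued_at < cutoff]


def remediation_timeline() -> dict:
    """Constructed timeline: steal before patch, check after patch, then revoke."""
    t0 = datetime(2023, 10, 1, 9, 0, tzinfo=timezone.utc)   # victim logs in (MFA)
    patch_time = t0 + timedelta(days=9)                      # appliance patched
    store = SessionStore()

    # Before the patch: the victim's token leaks to an attacker (how it leaks is
    # irrelevant to this model; the token is just copied).
    victim_token = store.create("alice", t0)
    stolen_token = victim_token

    # After the patch: the leak is closed, but the old token is still honoured.
    valid_after_patch = store.authenticate(stolen_token) is not None
    lingering = len(store.sessions_older_than(patch_time))

    # Remediation: terminate every session issued before the patch.
    revoked = store.revoke_all_before(patch_time)
    valid_after_revoke = store.authenticate(stolen_token) is not None

    # Legitimate users simply log in again (with MFA) and get fresh sessions.
    new_token = store.create("alice", patch_time + timedelta(minutes=5))
    new_session_valid = store.authenticate(new_token) is not None

    return {
        "stolen_token_valid_after_patch": valid_after_patch,
        "lingering_pre_patch_sessions": lingering,
        "sessions_revoked": revoked,
        "stolen_token_valid_after_revoke": valid_after_revoke,
        "new_session_valid": new_session_valid,
    }


if __name__ == "__main__":
    for key, value in remediation_timeline().items():
        print(f"{key}: {value}")
```

The `sessions_older_than` audit is the check a defender would run right after patching: any session whose issuance predates the patch must be assumed stolen, and the only safe answer is to terminate it and force re-authentication, which is what Mandiant's guidance amounts to.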
In summary, the meeting notes highlight an ongoing active attack targeting a critical security vulnerability in Citrix NetScaler. Organizations are advised to take immediate action, including terminating active sessions and following the recommended remediation guidance.