October 31, 2023 at 04:48PM
The critical information-disclosure bug known as Citrix Bleed is being heavily exploited. More than 5,000 vulnerable NetScaler servers have been identified on the public internet. Patching closes the leak but does not invalidate sessions that were already established: a session token stolen before the patch keeps working until the session is terminated. Multiple ransomware gangs are involved in the mass exploitation, and the vulnerability is being targeted across various sectors using different tools. The US government's Known Exploited Vulnerabilities catalog currently records the flaw's use in ransomware campaigns as "unknown".
Summary:
Citrix Bleed (CVE-2023-4966), a critical information-disclosure bug in Citrix NetScaler ADC and NetScaler Gateway, is now being mass exploited. Thousands of vulnerable NetScaler instances have been identified on the internet. Applying the patch stops further token leaks, but tokens disclosed before the patch remain valid, so an attacker holding one can impersonate the authenticated user until administrators terminate existing sessions. At least two ransomware gangs are involved in this mass exploitation. Security firm Mandiant is tracking four separate groups exploiting the vulnerability across various sectors, and the Google-owned threat-intel team suspects that the number of impacted organizations is far greater. Mandiant has published guidance for checking networks for signs of exploitation, but warns that the pattern of suspicious activity may differ from one intrusion to the next. The US government's Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities Catalog. Criminals have been exploiting the flaw since August, mainly for cyber espionage, but financial motivations are expected to drive more attacks in the future. Citrix has not responded to inquiries from The Register regarding the bug's exploitation by ransomware groups.
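The point that patching alone does not evict an attacker is easy to misread, so here is an added illustration. It is a hypothetical toy model written for this page, not NetScaler code or anything published by Citrix or Mandiant: the appliance class, the leak_via_bug() stand-in for the memory disclosure, and the kill_all_sessions() step are all assumptions made for the example. The model shows that session validity is decided by the session table, which the patch never touches, so a token stolen before the patch authenticates after it unless the sessions themselves are killed.

```python
import secrets


class Appliance:
    """Hypothetical gateway model (assumption for this example, not NetScaler code)."""

    def __init__(self):
        self.patched = False
        self._sessions = {}       # token -> authenticated user
        self._last_issued = None  # stands in for a token lingering in appliance memory

    def login(self, user):
        token = secrets.token_hex(16)
        self._sessions[token] = user
        self._last_issued = token
        return token

    def authenticate(self, token):
        """Validity depends only on the session table, never on patch state."""
        return self._sessions.get(token)

    def leak_via_bug(self):
        """Before the patch a crafted request discloses a live token from memory;
        after the patch the disclosure path is gone. (Model only; the real
        exploit request is not reproduced here.)"""
        return None if self.patched else self._last_issued

    def apply_patch(self):
        self.patched = True

    def kill_all_sessions(self):
        """Terminate every active session; this is what finally stops a stolen token."""
        count = len(self._sessions)
        self._sessions.clear()
        return count


def attacker_still_authenticated(kill_sessions_after_patch):
    """Return True if a token stolen pre-patch still works after the patch."""
    appliance = Appliance()
    appliance.login("alice")                 # legitimate user signs in
    stolen = appliance.leak_via_bug()        # disclosure happens before patching
    if stolen is None:
        raise RuntimeError("model error: unpatched appliance should leak")

    appliance.apply_patch()
    if appliance.leak_via_bug() is not None:
        raise RuntimeError("model error: patched appliance must not leak")

    if kill_sessions_after_patch:
        appliance.kill_all_sessions()

    # The already-stolen token is checked only against the session table.
    return appliance.authenticate(stolen) == "alice"


def fresh_login_works_after_kill():
    """Killing sessions is disruptive but does not break the service: users re-authenticate."""
    appliance = Appliance()
    appliance.login("alice")
    appliance.apply_patch()
    appliance.kill_all_sessions()
    new_token = appliance.login("alice")
    return appliance.authenticate(new_token) == "alice"


if __name__ == "__main__":
    print("patch only, attacker still in:", attacker_still_authenticated(False))
    print("patch + kill sessions, attacker in:", attacker_still_authenticated(True))
    print("users can log in again afterwards:", fresh_login_works_after_kill())
```

The practical takeaway is the order of operations: patch first so no new tokens leak, then terminate every existing session so that tokens already exfiltrated stop working, and only then treat the appliance as clean. Rotating credentials does not help by itself, because the stolen artefact is the post-authentication session, not the password.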