November 21, 2023 at 11:41AM
Admins who have patched their NetScaler appliances against the Citrix Bleed vulnerability must take additional measures to secure their devices. Citrix advises wiping all previous user sessions and terminating active ones to prevent attackers from accessing compromised devices. The flaw has been actively exploited since late August, and compromised sessions can enable lateral movement across networks or compromise other accounts. The LockBit ransomware gang is also exploiting the vulnerability, with Boeing among the affected organizations. Over 10,000 Internet-exposed Citrix servers were recently vulnerable to attacks.
Key takeaways from the meeting notes:
1. Admins who have patched their NetScaler appliances against the CVE-2023-4966 ‘Citrix Bleed’ vulnerability must take additional measures to secure vulnerable devices. This includes wiping all previous user sessions and terminating all active sessions.
2. Attackers have been stealing authentication tokens in Citrix Bleed exploitation, allowing them continued access to compromised devices even after patching.
3. The Citrix flaw was patched in October, but it has been actively exploited as a zero-day since at least late August 2023.
4. Compromised NetScaler sessions persist even after patching, which enables attackers to move laterally across the network or compromise other accounts with the same permissions.
5. Customers are advised to upgrade immediately to the latest versions and remove any active or persistent sessions.
6. The LockBit ransomware gang is exploiting the Citrix Bleed security flaw, as confirmed by CISA, the FBI, MS-ISAC, and ACSC. The agencies have shared indicators of compromise and detection methods to help defend against these attacks.
7. Boeing experienced a network breach in October where LockBit exploited the Citrix Bleed vulnerability, resulting in stolen data being leaked on the dark web after the company refused to comply with the ransomware gang’s demands.
8. CISA received files for analysis that show the methods used by attackers to exploit the CVE-2023-4966 vulnerability, including saving registry hives, dumping LSASS process memory to disk, and attempts to establish sessions via WinRM.
9. Over 10,000 Internet-exposed Citrix servers were vulnerable to Citrix Bleed attacks a week ago, according to security researchers.
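The post-upgrade clean-up from items 1 and 5, written out as an added example script (not code from the article or from Citrix): it purges the session tables on each appliance over SSH and refuses to report success while any AAA session survives. It assumes the five NetScaler CLI commands are the ones in Citrix's published post-upgrade guidance and that `show aaa session` lists each live session as a numbered line; check both against the current advisory before use.

```shell
# Added example, not from the article or from Citrix. After upgrading a NetScaler past
# CVE-2023-4966, every session must be invalidated so stolen tokens stop working.
# Assumptions (verify against Citrix's current advisory): the five CLI commands below
# are Citrix's purge sequence, and "show aaa session" prints one "N)" line per session.
set -eu

# The purge sequence: terminate live ICA/RDP/PCoIP/AAA sessions, then drop
# load-balancing persistence entries so a replayed cookie maps to nothing.
netscaler_purge_commands() {
  cat <<'EOF'
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
EOF
}

# Count live AAA sessions in captured "show aaa session" output (stdin).
# Assumed format: one "N)" line per session, then a "Done" line.
count_remaining_sessions() {
  grep -cE '^[[:space:]]*[0-9]+\)' || true
}

# Full command script for one appliance: purge, then list what is left.
build_purge_script() {
  netscaler_purge_commands
  echo "show aaa session"
}

# Run the purge against one appliance over SSH ($1 = admin@host) and fail
# loudly if any AAA session survives, so the operator does not assume success.
purge_netscaler_sessions() {
  target="$1"
  out="$(build_purge_script | ssh -o BatchMode=yes "$target")"
  remaining="$(printf '%s\n' "$out" | count_remaining_sessions)"
  if [ "$remaining" -ne 0 ]; then
    echo "$target: $remaining AAA session(s) still active, re-run or investigate" >&2
    return 1
  fi
  echo "$target: session tables cleared"
}

# Usage: sh purge.sh --run admin@netscaler.example.internal [more hosts...]
if [ "${1:-}" = "--run" ]; then
  shift
  for host in "$@"; do purge_netscaler_sessions "$host"; done
fi
```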