November 22, 2023 at 07:12AM
Authorities in Australia and the US, together with the vendor Citrix, have issued warnings about a critical vulnerability in the NetScaler product. Dubbed CitrixBleed, the bug allows information disclosure and affects NetScaler ADC and Gateway appliances configured as a gateway or AAA server. The flaw, exploited since August with mass exploitation beginning around three weeks ago, enables session hijacking and authentication bypass. Both Citrix and the agencies recommend patching as soon as possible. The ransomware gang LockBit has been exploiting the vulnerability, targeting organizations in various sectors, including the aerospace company Boeing.
Key Takeaways from Meeting Notes:
– Australian and US government agencies, along with Citrix, have issued warnings about a critical vulnerability in the NetScaler product.
– The vulnerability, known as CitrixBleed (CVE-2023-4966) and rated CVSS 9.4, allows information disclosure and affects NetScaler ADC and Gateway appliances configured as a gateway or AAA server.
– The flaw, which was patched in October, had been exploited as a zero-day since August, with mass exploitation starting around three weeks ago.
– Threat actors have been using the vulnerability to perform session hijacking and bypass authentication, including multi-factor authentication (MFA).
– Citrix urges administrators to apply the available patches as soon as possible, as there has been a sharp increase in attempts to exploit the vulnerability.
– LockBit, a ransomware gang, has been exploiting the CitrixBleed vulnerability.
– LockBit used CitrixBleed to gain initial access to Boeing Distribution Inc. and execute a PowerShell script for malware deployment.
– By taking over legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.
– The US cybersecurity agency CISA, FBI, MS-ISAC, and ACSC have provided indicators of compromise (IoCs) associated with the LockBit attack on Boeing and recommend immediate patching and hunting for evidence of compromise.
– Administrators are advised to update to the recommended versions of NetScaler ADC and Gateway, as provided by Citrix, and remove any active or persistent sessions to fully mitigate the vulnerability.
– Session cookies may persist in memory even after the update, so patching alone is not sufficient; terminating existing sessions and taking additional precautions is needed to ensure security.
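The hunting step the agencies recommend can be approximated with a small script that looks for the signature a hijacked session leaves behind: one session token used from a second client IP within a short window, or with a changed user agent. The following is an added example and is not code from the advisory, Citrix, or the agencies; it assumes a constructed CSV-style log of (timestamp, session token, client IP, user agent), which is not the real NetScaler log format, so the parser would need adapting to an actual appliance export. The sample records are constructed as well.

```python
"""Flag session tokens that appear to have been reused by a second client.

Added example for illustration. The log format below is CONSTRUCTED and is
not NetScaler's ns.log format; adapt parse_log() to a real export.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records: timestamp, session token, client IP, user agent.
# sess-aaa111 is picked up from a second IP with a different client minutes
# after the legitimate user established it; sess-ccc333 changes IP two hours
# later with the same client, which the window below treats as roaming.
SAMPLE_LOG = """\
2023-11-20T09:00:01Z,sess-aaa111,203.0.113.10,Citrix Workspace/23.9
2023-11-20T09:05:12Z,sess-aaa111,203.0.113.10,Citrix Workspace/23.9
2023-11-20T09:07:44Z,sess-aaa111,198.51.100.77,python-requests/2.31
2023-11-20T09:09:03Z,sess-bbb222,192.0.2.55,Citrix Workspace/23.9
2023-11-20T09:10:30Z,sess-bbb222,192.0.2.55,Citrix Workspace/23.9
2023-11-21T09:10:30Z,sess-ccc333,192.0.2.8,Mozilla/5.0
2023-11-21T11:12:00Z,sess-ccc333,192.0.2.9,Mozilla/5.0
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str
    src_ip: str
    user_agent: str


def parse_log(text):
    """Parse the constructed CSV format into Event records, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, session, src_ip, ua = line.split(",", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            session, src_ip, ua))
    return events


def find_reused_sessions(events, window=timedelta(hours=1)):
    """Return {session_token: [reason, ...]} for tokens whose consecutive uses
    show a client IP change within `window` or a user-agent change at any time.

    Consecutive comparison keeps the heuristic cheap and makes the window a
    tuning knob: a tighter window trades missed slow reuse for fewer
    roaming-user false positives.
    """
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: e.ts):
        by_session[event.session].append(event)

    findings = {}
    for session, uses in by_session.items():
        reasons = []
        for prev, cur in zip(uses, uses[1:]):
            if cur.src_ip != prev.src_ip and cur.ts - prev.ts <= window:
                reasons.append(
                    f"client IP changed {prev.src_ip} -> {cur.src_ip} "
                    f"within {cur.ts - prev.ts}")
            if cur.user_agent != prev.user_agent:
                reasons.append(
                    f"user agent changed {prev.user_agent!r} -> {cur.user_agent!r}")
        if reasons:
            findings[session] = reasons
    return findings


def main():
    findings = find_reused_sessions(parse_log(SAMPLE_LOG))
    for session, reasons in sorted(findings.items()):
        print(f"{session}: review and terminate")
        for reason in reasons:
            print(f"  - {reason}")


if __name__ == "__main__":
    main()
```

The flagged tokens are the ones to terminate on the appliance after patching, since a patch alone does not evict a session an attacker already holds; the window and user-agent rules are deliberately simple and should be tuned against a known-good baseline before being used at scale.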