CitrixBleed Attacks

What is CitrixBleed? 

No doubt you will have heard of the zero-day exploitation of the vulnerability CitrixBleed (full name CVE-2023-4966). It has been nick named CitrixBleed because the vulnerability has been found responsible for leaking sensitive data from NetScaler appliances’ memory, including session cookies. This has been exploited and used in many recent and high-profile session hijacking attacks in the wild. No surprise we’re writing about it then!

What do you need to know? In this article we’ll cover what happened, who was affected, why it happened and more importantly how you can protect your own systems and networks.

CitrixBleed. What happened?

It all started when a new patch was announced to fix the remotely exploitable CitrixBleed vulnerability. Bad actors immediately had visibility on what had changed with the patch update, and hence were able to go after all the devices that that had not yet been updated. 

It is thought there are four main groups working on these attacks, including the ransomware gang Medusa, and the Russian based group, LockBit. The attacks are of relatively low complexity according to experts. They are easy to launch but yield great rewards for the criminal gangs, some of whom say they have already been paid in ransom. 

Palo Alto’s Unit 42 reports: “…our researchers observed nearly 8,000 IP addresses advertising a vulnerable version of NetScaler Gateway and 6,000 IPs advertising NetScaler ADC devices. The largest number (3,100) of these devices are located in the United States, 800 are in Germany, 450 in China and 400 in the United Kingdom.”

What is the impact of the CitrixBleed Attacks?

There have been multiple successful attacks on CVE 2023 4966 which in all instances, resulted in complete takeover of legitimate user sessions on NetScaler ADC and other gateway appliances. Similar to an Adversary in the Middle (AiTM) attack, hackers used session cookies (pre-authenticated tokens) to bypass the use of passwords and the process of multi-factor authentication (MFA). 

According to Mandiant, the post-exploitation tactics, techniques, and procedures (TTP) they identified included:

• Host and network reconnaissance
• Environmental credential harvesting
• Lateral movement via remote desktop protocol (RDP)
• Active Directory reconnaissance 

Mandiant also highlight challenges with the number of logs available on NetScaler, making it difficult to investigate:

‍

Who has the CitrixBleed Exploitation Impacted?

There are victims from all industries and some significant names in amongst the 20,000 users hit.

Criminal gang LockBit claims to have hacked into the U.S. branch of Industrial and Commercial Bank of China (ICBC) and received a ransom from the organization due to the acute disruption caused by their attack which stopped the bank from being able to clear funds. This is yet to be confirmed by the bank, though they admit the breach. ICBC are not alone. Other affected businesses include organisations such as Boeing, DP World, Allen & Overy.

Mitigation & Solutions

1. The very first thing any organization should do if they are using the ubiquitous gateways, is install the patch! There are several impacted appliances. 
2. Next is revoking credentials for identities that have access to resources via the vulnerable NetScaler ADC or Gateway. 

As per the update from Mandiant “Organizations should prioritize credential rotation for a larger scope of identities if single factor authentication (SFA) remote access is allowed for any resources from the Internet.” 

This is where AuthN by IDEE makes a crucial difference. It protects remote access just as other access channels with best-level-security phish-proof MFA. There is no need for credential rotation after a breach as there’s no credential for an attacker to steal.

To check whether your hardware is affected and for more details on what to do visit: 

https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966 
https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed

For more about how AuthN by IDEE can help your organization, please reach out. You can also checkout the Phish-proof white paper which explains the AuthN architecture and just why and how AuthN is phish-proof MFA that can be deployed with no additional agents and provides users a way to easily authenticate on one single device. 

‍