Skip to content

Search the site

Citrix Bleed: Two ransomware groups now exploiting bug for initial access

Here's what you need to do to reduce the threat posed by CVE-2023-4966. But don't delay.

Attackers are stepping up their attempts to target a critical flaw affecting some Citrix Netscaler appliances – with two ransomware groups now reported to be exploiting the vulnerability for initial access.

While the patches have now been available for three weeks, attackers are apparently ramping up their use of the flaw, known as ‘Citrix Bleed’ by some security companies, which could lead to the disclosure of sensitive information.

On October 10, Citrix released a security bulletin for the vulnerability - CVE-2023-4966 – which affects some NetScaler ADC and NetScaler Gateway appliances. Citrix rates the flaw as ‘critical’ with a 9.4 CVSS score.

“If you are using affected builds and have configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, we strongly recommend that you immediately install the recommended builds because this vulnerability has been identified as critical. No workarounds are available for this vulnerability,” NetScaler said.

The affected devices include:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Security researcher Kevin Beaumont said that two ransomware groups are now “actively” exploiting the flaw for initial access. He said one security vendor was tracking a ransomware group which was distributing a Python script to automate the attack chain. From talking to multiple organisations, he said in a blogpost, “they are seeing widespread exploitation”.

Security company Mandiant said that it had identified zero-day exploitation of this vulnerability since late August 2023.

It said that successful exploitation of the flaw could give attackers the ability to hijack existing authenticated sessions, allowing them to bypassing multifactor authentication or other strong authentication requirements. It noted that these sessions could persist even after the update to mitigate CVE-2023-4966 has been deployed. 

“Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor,” warned Mandiant at the time. It said that it had seen the flaw used against professional services, technology, and government bodies.

“The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted. A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment,” Mandiant warned.

Mandiant has set out some guidance for remediating the flaw. Its advice includes:

Isolate NetScaler ADC and Gateway appliances for testing and preparation of patch deployment. It said that if the vulnerable appliances cannot be prioritized for patching, they should have ingress IP address restrictions enforced to limit the exposure and attack surface until the necessary patches have been applied.

Upgrade vulnerable NetScaler ADC and Gateway appliances to the latest firmware versions, which mitigate the vulnerability. Post upgrading, terminate all active and persistent sessions, per appliance.

Consider credential rotation. Mandiant said due to the lack of available log records or other artifacts of exploitation, as a precaution, organizations should consider rotating credentials for identities that were provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance.

See also: Threat group is installing a backdoor in compromised Cisco router firmware. NSA says get better kit