February 21, 2024
Cybercriminals and nation-state hackers target the "Citrix Bleed" vulnerability

Federal cyber officials warned on Tuesday that nation-state hackers and cybercriminal gangs are both taking advantage of a vulnerability affecting Citrix products.

The “Citrix Bleed” bug has been causing concern for weeks because several government agencies and large corporations were leaving their appliances exposed to the internet, where they remained open to attack.

A cybersecurity advisory regarding the LockBit ransomware gang’s exploitation of CVE-2023-4966, which affects NetScaler ADC and NetScaler Gateway appliances, was released on Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and Australian cybersecurity officials. Businesses use the products to control network traffic.

Nation-state hackers and cybercrime organizations like LockBit are both taking advantage of the vulnerability, according to CISA Executive Assistant Director for Cybersecurity Eric Goldstein during a press conference on Tuesday.

Although thousands of organizations remain susceptible, Goldstein noted that over 300 entities have received alerts about their exposure to the problem via CISA’s Ransomware Vulnerability Warning Programme.

Earlier this month, LockBit exploited the vulnerability to attack Boeing’s parts and distribution business, making it one of the most prominent targets so far.

In their advisory on Tuesday, CISA and the FBI stated that Boeing had voluntarily shared details of the attack, confirming that the hackers had used the most recent version of the LockBit 3.0 ransomware to exploit CVE-2023-4966 and gain initial access to Boeing Distribution Inc.

The advisory confirms that “similar activity impacting their organization has been observed by other organizations.”

The agencies said that Citrix Bleed, which is reportedly used by LockBit 3.0 affiliates, enables threat actors to get around multifactor authentication (MFA) and password requirements by hijacking the sessions of legitimate users on Citrix NetScaler Application Delivery Controller (ADC) and Gateway appliances.

Malicious actors obtain higher permissions to move laterally, gather credentials, and access resources and data by taking over authentic user sessions.

The agencies asked all organizations to apply any necessary software updates as soon as possible and to isolate their NetScaler ADC and Gateway appliances.

The advisory and earlier reports from security firm Mandiant state that attacks related to Citrix Bleed started in August.

Even after Citrix released a security bulletin in October rating the bug 9.4 out of 10 on the CVSS severity scale, data from the ShadowServer Foundation shows that as of November 2, thousands of NetScaler instances were still susceptible to the problem, with nearly 2,000 of them in North America alone. On October 18, CISA gave all federal civilian agencies a deadline of November 8 to fix the bug.

At least two ransomware gangs are currently attempting to take advantage of the vulnerability in attacks, according to cybersecurity expert Kevin Beaumont, who made this statement earlier this month. Mandiant discovered four distinct groups making these attempts.

“It’s point-and-click easy access to Remote Desktop inside org firewalls without generating any alerts or logs; people are going crazy with it,” wrote Beaumont.

On Tuesday, CISA affirmed that assessment and issued a warning, stating that they “expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks” due to the vulnerability’s ease of exploitation.

LockBit actors were observed utilizing Splashtop and AnyDesk remote management and monitoring tools to obtain additional access after they were inside.

“Compared to Windows threats, which are much more general in nature, Linux ransomware is clearly aimed at medium and large organizations,” security researcher Marc Salinas Fernandez stated.

Analysis of several families of ransomware that target Linux “reveals an interesting trend towards simplification, where their core functionalities are often reduced to just basic encryption processes, thereby leaving the rest of the work to scripts and legitimate system tools.”

According to Check Point, this minimalist strategy not only makes these ransomware families easier to overlook but also makes them heavily dependent on external configurations and scripts.

Patching is insufficient

In the midst of intense attack activity, CISA provided comprehensive remediation guidance, detection techniques, and indicators of compromise (IOCs) for Citrix Bleed, and Citrix reiterated in its advisory that patching alone will not protect affected instances, because NetScaler sessions compromised before the upgrade remain usable after it.

“If you are using any of the affected builds listed in the security bulletin, you should upgrade immediately by installing the updated versions,” Citrix stated on Nov. 20. “After you upgrade, we recommend that you remove any active or persistent sessions.”

“Businesses ought to reevaluate their capacity to locate every application, even down to the process/PID level, understand their patch level, and be able to completely reset the application—that is, terminate all running or persistent sessions,” continues John Gallagher, vice president of Viakoo Labs at Viakoo. “Too many organizations have yet to patch this vulnerability, and even those who have are not fully mitigating the threat because of process-level persistence.”

Because threat actors are likely to keep targeting this bug, both the CISA and Citrix alerts stressed how crucial it is to isolate vulnerable appliances if patching and killing the instances is not an immediate option.
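The session hijacking described above leaves a footprint that CISA's detection guidance points to: a stolen session token is replayed from the attacker's machine, so the same session ID shows up from a client IP that never performed the login, or with traffic but no login event at all. The script below is an added example, not code from the article, Citrix or CISA. It scans NetScaler-style SSL VPN log lines for exactly those two patterns. The log format, field names, sample values and all function names are constructed for this example; real ns.log syntax differs, so the regular expression has to be adapted before running it against production logs.

```python
"""Flag NetScaler sessions that look hijacked: one session ID used from more
than one client IP, or a session with traffic but no LOGIN event.

Added example (not from the article, Citrix or CISA). The log lines below are
CONSTRUCTED and only loosely modeled on ns.log SSLVPN events; adapt LINE_RE to
the real format before use.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: alice logs in from 203.0.113.10, then her session 7001 is
# used from 192.0.2.44 without any new login. Session 7003 has traffic but no
# LOGIN at all (token replayed after the login aged out of the retained logs).
SAMPLE_LOG = """\
Nov 20 09:01:12 ns0 : default SSLVPN LOGIN 101 0 : SessionId: 7001 - User alice - Client_ip 203.0.113.10 - Nat_ip 10.0.0.5
Nov 20 09:01:40 ns0 : default SSLVPN TCPCONNSTAT 102 0 : SessionId: 7001 - User alice - Client_ip 203.0.113.10 - Destination 10.0.1.20:443
Nov 20 09:03:05 ns0 : default SSLVPN LOGIN 103 0 : SessionId: 7002 - User bob - Client_ip 198.51.100.7 - Nat_ip 10.0.0.5
Nov 20 09:09:51 ns0 : default SSLVPN TCPCONNSTAT 104 0 : SessionId: 7001 - User alice - Client_ip 192.0.2.44 - Destination 10.0.1.30:3389
Nov 20 09:10:02 ns0 : default SSLVPN TCPCONNSTAT 105 0 : SessionId: 7002 - User bob - Client_ip 198.51.100.7 - Destination 10.0.1.20:443
Nov 20 09:12:30 ns0 : default SSLVPN TCPCONNSTAT 106 0 : SessionId: 7001 - User alice - Client_ip 192.0.2.44 - Destination 10.0.1.31:3389
Nov 20 09:15:00 ns0 : default SSLVPN TCPCONNSTAT 107 0 : SessionId: 7003 - User carol - Client_ip 192.0.2.44 - Destination 10.0.1.30:3389
"""

# Assumed field layout for the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SSLVPN (?P<event>LOGIN|TCPCONNSTAT) .*?"
    r"SessionId: (?P<sid>\d+) - User (?P<user>\S+) - Client_ip (?P<ip>[\d.]+)"
)


@dataclass
class Finding:
    session_id: str
    user: str
    login_ip: Optional[str]       # IP that performed the LOGIN, if one was logged
    other_ips: Tuple[str, ...]    # IPs that used the session without logging in
    first_seen: str


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed SSLVPN LOGIN / TCPCONNSTAT events, skipping other lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_session_ip_mismatches(log_text: str) -> List[Finding]:
    """One Finding per session whose events come from more than one client IP.

    Legitimate users that roam between networks or sit behind rotating NAT also
    trigger this, so treat it as a lead to triage, not a verdict.
    """
    by_sid: Dict[str, dict] = {}
    for ev in parse_events(log_text):
        rec = by_sid.setdefault(
            ev["sid"], {"user": ev["user"], "login_ip": None, "ips": [], "first": ev["ts"]}
        )
        if ev["event"] == "LOGIN" and rec["login_ip"] is None:
            rec["login_ip"] = ev["ip"]
        if ev["ip"] not in rec["ips"]:
            rec["ips"].append(ev["ip"])
    findings = []
    for sid, rec in by_sid.items():
        if len(rec["ips"]) > 1:
            others = tuple(ip for ip in rec["ips"] if ip != rec["login_ip"])
            findings.append(Finding(sid, rec["user"], rec["login_ip"], others, rec["first"]))
    return findings


def find_sessions_without_login(log_text: str) -> List[str]:
    """Session IDs that carry traffic in the window but never show a LOGIN event."""
    logged_in, seen = set(), set()
    for ev in parse_events(log_text):
        seen.add(ev["sid"])
        if ev["event"] == "LOGIN":
            logged_in.add(ev["sid"])
    return sorted(seen - logged_in)


if __name__ == "__main__":
    for f in find_session_ip_mismatches(SAMPLE_LOG):
        print(f"session {f.session_id} ({f.user}) logged in from {f.login_ip}, "
              f"also used from {', '.join(f.other_ips)}; first seen {f.first_seen}")
    print("sessions with traffic but no login:", find_sessions_without_login(SAMPLE_LOG))
```

Both checks work from the appliance's own logs, so they also cover the window before the upgrade: a session that the script flags and that survived the patch is exactly the kind Citrix's advice to terminate all active and persistent sessions is meant to remove.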

Lionel Litty, chief security architect at Menlo Security, states: “According to Citrix, their product is used by more than 90% of the Fortune 500 companies. Clients that possess the ability to manipulate the IP, TCP, TLS, and HTTP protocols can directly access these devices and explore the attack surface. Additionally, we have a pre-authentication issue with this vulnerability, which implies an attacker can target it without credentials. This confluence of factors is gold for an attacker.”

The agencies sent out the warnings just before the US Thanksgiving holiday, when many security teams will be operating with reduced staff. According to a recent ReliaQuest analysis, the threat still affects thousands of organizations.
