Amid Citrix Bleed Exploits, NetScaler Warns: Kill Sessions
LockBit and Nation-State Groups Using Session Tokens to Access Patched Devices
With experts warning that unpatched NetScaler devices are being exploited by nation-state and cybercrime groups, the manufacturer has again urged all users to "patch immediately," among other security steps.
The alert applies to all self-managed NetScaler Application Delivery Controller and Gateway devices. NetScaler is owned by privately held Cloud Software Group, which counts NetScaler and Citrix as business units.
NetScaler on Oct. 10 issued a security alert and patch for CVE-2023-4966, a critical vulnerability also known as Citrix Bleed, which affects both NetScaler ADC and Gateway products, formerly known as Citrix ADC and Citrix Gateway. Subsequently, both the U.S. Cybersecurity and Infrastructure Security Agency and Google Cloud's Mandiant threat intelligence unit reported attackers had been actively exploiting the flaw in the wild prior to the release of the patch.
NetScaler on Monday issued an alert in the wake of reports that multiple groups, including the LockBit ransomware group, have been exploiting unpatched NetScaler devices. Exploiting the flaw lets attackers extract valid session tokens from the appliance. With those tokens they gain remote access and, because a stolen token stays valid until the session it belongs to is terminated, can return to the device later, even after it has been patched.
Every internet-facing NetScaler ADC and Gateway device was potentially compromised before the patch was released, experts warn. "Somebody harvested session tokens from almost every box on the internet," British security researcher Kevin Beaumont said Monday in a post to Mastodon.
Beaumont reported on Nov. 13 seeing LockBit "breaching some of the world's largest organizations" by using the vulnerability. "This has been done in a coordinated fashion amongst multiple LockBit operators - a strike team to break into organizations using Citrix Bleed and then hold them to ransom."
Citrix Bleed enables attackers to extract valid session tokens from vulnerable internet-connected devices. "The compromised session tokens can then be used to impersonate active sessions, which bypass authentication - even multifactor - and gain complete access to the appliance," the Financial Services Information Sharing and Analysis Center warned in an alert issued last week. "This vulnerability can still occur even if the vulnerability is patched and rebooted, as copied tokens will remain valid unless further steps are taken."
Advanced persistent threat groups have also been targeting the flaw, warned Eric Goldstein, CISA's executive assistant director. "We are aware that a wide variety of malicious actors, including both nation-state and criminal groups, are focused on leveraging the Citrix Bleed vulnerability," he told Bloomberg News. CISA said it has been actively assisting victims with remediation.
Threat intelligence firm GreyNoise reported seeing a steady volume of attempts to exploit CVE-2023-4966. Beaumont last week said he had counted 5,000 organizations running unpatched NetScaler ADC or Gateway devices.
Making Citrix Bleed
Attackers have been exploiting Citrix Bleed to gain access to victims' networks, leading to post-intrusion activities that "include - but are not limited to - network reconnaissance, theft of account credentials, lateral movement via RDP, deployment of remote monitoring and management tools, and high-profile ransomware infections from LockBit," FS-ISAC said.
"This vulnerability allows the bypass of all multifactor authentication controls and provides a point-and-click desktop PC within the impacted victim's internal network via VDI - think remote desktop or RDP," Beaumont said, referring to the remote desktop protocol used to facilitate remote access to a system.
NetScaler on Monday urged any organization that has yet to patch its devices, terminate or invalidate all active sessions, and review its logs for signs of prior compromise to do so immediately. "With the holidays and year-end change freezes approaching, we strongly urge NetScaler customers to follow our remediation guidance for CVE-2023-4966" as well as best practices for securing these devices, it said.
"The essential point is: Run the commands to kill active sessions," Beaumont said.
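The commands Beaumont is pointing to are the session-invalidation commands in NetScaler's CVE-2023-4966 remediation guidance. The script below is an added example, not NetScaler's or Beaumont's own code: it sends those commands to an appliance over SSH and then lists what remains. The hostname, the nsroot account and SSH as the transport are assumptions; confirm the command set against the guidance for your firmware version before running it with --apply.

```shell
#!/bin/sh
# Added example (not NetScaler's own script): push the session-invalidation
# commands from NetScaler's CVE-2023-4966 remediation guidance to an appliance
# over SSH, then list what is left. Host, user and transport are assumptions.
set -eu

NS_HOST="${NS_HOST:-netscaler.example.internal}"   # assumed hostname
NS_USER="${NS_USER:-nsroot}"                        # assumed admin account
DRY_RUN="${DRY_RUN:-0}"                             # 1 = print commands only

# Run one NetScaler CLI command. With DRY_RUN=1 the command is echoed instead
# of executed, so the sequence can be reviewed without touching an appliance.
ns_cli() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$1"
    else
        ssh "$NS_USER@$NS_HOST" "$1"
    fi
}

# Invalidate every session class a stolen token could still attach to, in the
# order NetScaler's guidance lists them. Patching alone does not do this:
# tokens harvested before the patch stay valid until these sessions are gone.
ns_kill_sessions() {
    ns_cli 'kill icaconnection -all'
    ns_cli 'kill rdp connection -all'
    ns_cli 'kill pcoipConnection -all'
    ns_cli 'kill aaa session -all'
    ns_cli 'clear lb persistentSessions'
}

# List remaining AAA sessions; after the kill commands this should show
# nothing except the session you just opened, if any.
ns_verify() {
    ns_cli 'show aaa session'
}

# Stand-alone entry point: only acts when explicitly asked to.
case "${1:-}" in
    --apply) ns_kill_sessions; ns_verify ;;
    *) printf 'usage: %s --apply   (set DRY_RUN=1 to preview the commands)\n' "$0" >&2 ;;
esac
```

Run it with DRY_RUN=1 first to see exactly what will be sent, then with --apply during the same change window as the patch; killing sessions will disconnect every legitimate user, so schedule it, and do it on every node of an HA pair or cluster.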
A multi-agency advisory released Tuesday by CISA, the FBI and the Australian Cyber Security Center details tactics, techniques and procedures as well as indicators of compromise seen by one recent high-profile victim of LockBit affiliates who exploited CVE-2023-4966: Boeing. Earlier this month, the aerospace giant confirmed suffering a "cyber incident" after LockBit claimed to have breached its parts and distribution business.*
In the advisory, CISA and its partner agencies said they "encourage network defenders to hunt for malicious activity on their networks using the detection methods and IOCs" they're sharing. "If a potential compromise is detected, organizations should apply the incident response recommendations," they said. "If no compromise is detected, organizations should immediately apply patches made publicly available."
*Nearly 300 organizations that take part in CISA's vulnerability warning program appeared to be running vulnerable instances of devices, Goldstein told reporters during a Tuesday phone call. Goldstein said the agency notified each of the organizations "so that they can mitigate their vulnerabilities before harm occurs."
He added that enhanced information sharing efforts also helped mitigate the impact and noted how Boeing "provided robust technical information" about their subsidiaries' incidents which allowed CISA to more effectively provide guidance "to protect thousands of other organizations around the world."
"That is precisely the kind of collaboration that we will want and need to see from victims of cyber intrusions," Goldstein said.
Senior CISA and FBI officials declined to provide information on possible nation-states or foreign actors that have been identified as attempting to exploit the vulnerabilities.
FS-ISAC also recommends that all organizations "check whether attackers left behind web shells or backdoors, and secure their systems," regardless of when they patched, since the vulnerability was being exploited before NetScaler released a fix.
NetScaler also published recommendations to help users investigate exploits of CVE-2023-4966 inside their environment. Among other advice, it said users should "look for patterns of suspicious session use in your organizations' monitoring and visibility tools, particularly relating to virtual desktops if you have these configured."
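One concrete form of "suspicious session use" is a session ID that turns up from a client IP other than the one that authenticated it, which is what a replayed stolen token looks like in Gateway logs. The filter below is an added example, not code from the article, NetScaler or CISA. The log lines are constructed to resemble ns.log SSLVPN entries with the SessionId, User and Client_ip fields; check the field names against the format your firmware actually writes before pointing this at real logs.

```shell
#!/bin/sh
# Added example (not from the article, NetScaler or CISA): flag Gateway
# sessions whose session ID is seen from more than one client IP. The sample
# log lines are constructed, not captured from a real appliance.
set -eu

# Constructed sample: session 41 (alice) authenticates from 203.0.113.10 and is
# later used from 198.51.100.77 without a new LOGIN; session 42 (bob) is normal.
SAMPLE_LOG='11/14/2023:09:01:10 GMT ns 0-PPE-0 : default SSLVPN LOGIN 1001 0 : Context alice@corp@203.0.113.10 - SessionId: 41 - User alice - Client_ip 203.0.113.10 - Vserver 192.0.2.1:443
11/14/2023:09:02:30 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1002 0 : Context alice@corp@203.0.113.10 - SessionId: 41 - User alice - Client_ip 203.0.113.10 - Vserver 192.0.2.1:443
11/14/2023:09:40:05 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1003 0 : Context alice@corp@198.51.100.77 - SessionId: 41 - User alice - Client_ip 198.51.100.77 - Vserver 192.0.2.1:443
11/14/2023:09:41:00 GMT ns 0-PPE-0 : default SSLVPN LOGIN 1004 0 : Context bob@corp@203.0.113.20 - SessionId: 42 - User bob - Client_ip 203.0.113.20 - Vserver 192.0.2.1:443'

# Read log lines on stdin; print "session_id user ip_count ip_list" for every
# session ID that appears with two or more distinct client IPs. Roaming mobile
# clients can trigger this legitimately, so treat hits as leads to verify
# against login times, geography and the user, not as proof of compromise.
hunt_session_ip_reuse() {
    awk '
    {
        sid = ""; ip = ""; user = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "SessionId:") sid = $(i + 1)
            else if ($i == "Client_ip") ip = $(i + 1)
            else if ($i == "User") user = $(i + 1)
        }
        if (sid == "" || ip == "") next
        if (!((sid, ip) in seen)) {
            seen[sid, ip] = 1
            count[sid]++
            ips[sid] = (ips[sid] == "" ? ip : ips[sid] "," ip)
            owner[sid] = user
        }
    }
    END {
        for (s in count)
            if (count[s] > 1) print s, owner[s], count[s], ips[s]
    }'
}

# Stand-alone run over the constructed sample. In practice feed it the
# appliance ns.log plus the rotated copies, since the exploitation window
# runs back to well before the patch was released.
printf '%s\n' "$SAMPLE_LOG" | hunt_session_ip_reuse
```

Because NetScaler's guidance says tokens were harvested before the fix existed, run this over the full retained log history, not just the days around patching, and follow any hit into the VDI and RDP logs the advisory points to.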
*Updated Nov. 21, 2023 19:46 UTC: Adds comments from media briefing with senior CISA and FBI officials following the release of the joint cybersecurity advisory.
With reporting by Information Security Media Group's Chris Riotta in Washington, D.C.