
'Mass exploitation' of Citrix Bleed underway as ransomware crews pile in

At least two extortion gangs abusing CVE-2023-4966, we're told


Citrix Bleed, the critical information-disclosure bug that affects NetScaler ADC and NetScaler Gateway, is now under "mass exploitation," as thousands of Citrix NetScaler instances remain vulnerable, according to security teams.

As of October 30, Shadowserver spotted just over 5,000 vulnerable servers on the public internet. And in the past week, GreyNoise observed 137 individual IP addresses attempting to exploit this Citrix vulnerability.

Citrix disclosed and issued a patch for the flaw – CVE-2023-4966 – on October 10. 

However, "even if you applied the patch and rebooted, you still have a problem as session tokens persist," noted infosec watcher Kevin Beaumont, who said he had tracked just over 20,000 exploited servers as of Saturday. 

Citrix, in a subsequent memo, did echo other security shops' mitigation advice and instructed customers to kill all active and persistent sessions using a series of commands. But by then, the criminals were a few steps ahead.

The vulnerability allows attackers to access a device's memory, and in that RAM find session tokens that miscreants can then extract and use to impersonate an authenticated user. Thus even if the hole is patched, copied tokens will remain valid unless further steps are taken.


This "mass exploitation" includes at least two ransomware gangs, as of October 30, Beaumont added. One of these crews is "distributing a python script to automate the attack chain," he said. "Essentially you have a 1998 style vulnerability in your remote access solution. It appears people are collecting session tokens like Pokemon."

Mandiant, on Tuesday, said it is currently tracking four separate uncategorized groups that are exploiting the vulnerability across multiple sectors. These include legal and professional services, tech, and government agencies across the Americas, Europe, Middle East, Africa and Asia-Pacific regions, with the intruders predominantly relying on a set of four tools.

"Given the widespread adoption of Citrix in enterprises globally, we suspect the number of impacted organizations is far greater and in several sectors," the Google-owned threat-intel team wrote in a blog.

Mandiant also identified a variety of ways to check for exploitation within organizations' networks. But, it warned, "patterns of suspicious activity related to session hijacking might differ from organization to organization, and the techniques outlined as follows might not be applicable or feasible in all scenarios."
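The two defender-side checks the article describes, looking for hijacked sessions (a stolen token reused from a different client) and for sessions that predate the patch and reboot but are still in use, can be expressed as a small log triage. The script below is an added example written for this page, not Mandiant's hunting guidance or Citrix's tooling. The line format, the `PATCHED_AT` cut-off and the sample log lines are all constructed for the demonstration; real NetScaler syslog records look different and would need their own parser.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Simplified line format, constructed for this example (not NetScaler's real syslog layout):
#   <ISO timestamp> <event> session=<id> user=<name> client_ip=<ip> ua="<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>\S+) session=(?P<session>\S+) user=(?P<user>\S+) '
    r'client_ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Assumed moment the appliance was patched and rebooted; any session minted before this
# and still active afterwards was issued by vulnerable code and should be killed.
PATCHED_AT = datetime(2023, 10, 11, 9, 0, 0)

# Constructed sample log: S1 is benign, S2 shows a token reused from a new IP and client,
# S3 is a pre-patch session that keeps being used after the patch, plus one garbage line.
SAMPLE_LOG = [
    '2023-10-10T08:00:00 LOGIN session=S1 user=alice client_ip=10.0.0.5 ua="Firefox/118"',
    '2023-10-10T08:05:00 ACCESS session=S1 user=alice client_ip=10.0.0.5 ua="Firefox/118"',
    '2023-10-10T08:10:00 LOGIN session=S2 user=bob client_ip=10.0.0.9 ua="Chrome/117"',
    '2023-10-11T10:00:00 ACCESS session=S2 user=bob client_ip=198.51.100.23 ua="python-requests/2.31"',
    '2023-10-10T23:00:00 LOGIN session=S3 user=carol client_ip=10.0.0.12 ua="Chrome/117"',
    '2023-10-11T12:00:00 ACCESS session=S3 user=carol client_ip=10.0.0.12 ua="Chrome/117"',
    'this line is not in the expected format and is skipped',
]


@dataclass
class Event:
    ts: datetime
    event: str
    session: str
    user: str
    ip: str
    ua: str


def parse(lines: Iterable[str]) -> Iterable[Event]:
    """Yield one Event per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield Event(datetime.fromisoformat(m["ts"]), m["event"],
                    m["session"], m["user"], m["ip"], m["ua"])


def hijacked_sessions(events: list[Event]) -> list[str]:
    """Session IDs seen from more than one (client IP, user agent) pair.

    A session token is bound to the user, not the client, so a token that suddenly
    shows up from a new origin is the signature of a copied token. Roaming clients
    can also trigger this, so treat the result as a triage list, not a verdict.
    """
    origins: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for e in events:
        origins[e.session].add((e.ip, e.ua))
    return sorted(s for s, seen in origins.items() if len(seen) > 1)


def sessions_surviving_patch(events: list[Event], patched_at: datetime) -> list[str]:
    """Session IDs first seen before the patch that are still used at or after it."""
    first: dict[str, datetime] = {}
    last: dict[str, datetime] = {}
    for e in events:
        first[e.session] = min(first.get(e.session, e.ts), e.ts)
        last[e.session] = max(last.get(e.session, e.ts), e.ts)
    return sorted(s for s in first if first[s] < patched_at and last[s] >= patched_at)


def triage(lines: Iterable[str], patched_at: datetime = PATCHED_AT) -> dict[str, list[str]]:
    """Run both checks over raw log lines and return the sessions worth terminating."""
    events = list(parse(lines))
    return {
        "hijacked": hijacked_sessions(events),
        "surviving_patch": sessions_surviving_patch(events, patched_at),
    }


if __name__ == "__main__":
    for category, sessions in triage(SAMPLE_LOG).items():
        print(f"{category}: {', '.join(sessions) or 'none'}")
```

Both lists feed the same response: every session they contain should be terminated, because patching alone leaves a copied token valid until the session is killed. Extending the origin key with the client certificate or ASN, and correlating `LOGIN` events against the appliance's own authentication log, tightens the hijack check against roaming-client false positives.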

Security firm Assetnote last week published a technical analysis of the bug including a proof-of-concept that demonstrated how it could be abused to steal session tokens, prompting an uptick in scanning for vulnerable endpoints, according to Rapid7.

And while the US government's Cybersecurity and Infrastructure Security Agency (CISA) last Wednesday added CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog, it still lists the vulnerability as "unknown" in the "used in ransomware campaigns" column.

Mandiant previously said criminals have been abusing this flaw to steal corporate info since late August.

While these attacks at the time were limited to cyber espionage, "we anticipate other threat actors with financial motivations will exploit this over time," Mandiant Consulting CTO Charles Carmakal said. And it appears that time has come.

Citrix declined to answer The Register's questions, including if customers have reported the bug being exploited by ransomware groups. ®
