Governance & Risk Management , Patch Management

Ransomware Groups Exploiting Unpatched NetScaler Devices

Patch or Perish: Researchers See Mass Exploits of NetScaler ADC and Gateway Devices
Ransomware Groups Exploiting Unpatched NetScaler Devices
Attackers are actively exploiting CVE-2023-4966, aka Citrix Bleed, in NetScaler - formerly known as Citrix - devices. (Image: Assetnote)

At least two groups of ransomware-wielding attackers are among those exploiting recently patched vulnerabilities in NetScaler devices to gain initial access to victims' networks.

So warns British security researcher Kevin Beaumont, who said in a post to Mastodon that even if organizations that use NetScaler patch their devices, they can still be at risk unless they also wipe device memory. That's because otherwise, attackers can dump device memory to obtain session tokens that enable them to bypass multifactor authentication or the need to provide any login credentials to access the device.

"From talking to multiple organizations, they are seeing widespread exploitation" of what many security researchers have dubbed Citrix Bleed, which is concerning because such devices are "very, very common" in both enterprise and government networks, Beaumont said.

Formerly known as Citrix, NetScaler is the networking business of privately held Cloud Software Group, which is urging users of its at-risk devices to "immediately" patch, saying there are no workarounds or other mitigations.

Customers of NetScaler-managed cloud services or adaptive authentication services are not at risk, the company said, but any organization that manages its own NetScaler devices will be vulnerable to exploits until it updates to the latest version of the NetScaler Application Delivery Controller and NetScaler Gateway software and clears all sessions on the device.

For any organization that has configured its NetScaler ADC to serve as a gateway - this can include functioning as a VPN virtual server, ICA proxy, CVPN or RDP proxy - or as an authorization and accounting - aka AAA - server, "we urge you to install the recommended updates immediately, as this vulnerability has been identified as critical," NetScaler said in an Oct. 23 security bulletin. "In addition, we also recommend killing all active and persistent sessions."

NetScaler warned last week that "we now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability."

Patched: 2 Critical Vulnerabilities

NetScaler on Oct. 10 issued software updates designed to patch two new flaws in NetScaler ADC, formerly known as Citrix ADC, and NetScaler Gateway, formerly known as Citrix Gateway. "For those unfamiliar with Citrix NetScaler, it is a network device providing load balancing, firewall and VPN services," Australian cybersecurity firm Assetnote said in a blog post. "NetScaler Gateway usually refers to the VPN and authentication components, whereas ADC refers to the load balancing and traffic management features."

Attackers can use one critical flaw in the devices, with a CVSS score of 8.4 and tracked as CVE-2023-4967, to cause a denial of service.

The other flaw, designated CVE-2023-4966 with a CVSS score of 9.4, is the Citrix Bleed vulnerability now being remotely exploited for "sensitive information disclosure," NetScaler said. The vulnerability was discovered by NetScaler's own internal team, which on Oct. 10 reported that attackers had not appeared to be exploiting the flaw in the wild.

Subsequently, Google Cloud's Mandiant incident response group reported on Oct. 17 that after the patches had been released, it retroactively "identified zero-day exploitation of this vulnerability in the wild beginning in late August" and also "observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor."

Depending on the identity and permissions included in the stolen session data, "a threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment," it said.

Mandiant said it has seen this tactic being used to target government agencies as well as professional services and technology firms. "The most critical thing is that organizations need to do more than just apply the patch - they should also terminate all active sessions," said Mandiant CTO Charles Carmakal.

The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog and advises federal agencies to immediately patch vulnerable devices or else "discontinue use of the product" until the devices are updated.

Threat intelligence service GreyNoise, which uses honeypots to monitor for malicious activity, is currently tracking about 130 IP addresses being used to launch attacks that attempt to exploit CVE-2023-4966.

As the vulnerability is actively being exploited in the wild, Assetnote on Wednesday published proof-of-concept exploit code, based on its review of the flaw, which identified security shortcomings.

"Like previous issues with Citrix NetScaler, the issue was made worse by a lack of other defense-in-depth techniques and mitigations," Dylan Pindur, a security researcher at Assetnote, said in a blog post.

"The two most obvious mitigations" that could be applied to "minimize the damage," Pindur said, are "clearing sensitive data from what appear to be temporary buffers" and providing "stricter validation on client-provided data."

This is the second time in recent months that attackers have launched mass exploitation campaigns targeting flaws in NetScaler Application Delivery Controller and NetScaler Gateway devices. In July, attackers began exploiting a code injection vulnerability, designated CVE-2023-3519, after Cloud Software Group issued a patch on July 18. By mid-August, at least one additional ransomware-wielding attacker was targeting CVE-2023-3519 (see: Ransomware Attack Specialist Tied to Citrix NetScaler Hacks).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.