Original Article Text


Hackers use Citrix Bleed flaw in attacks on govt networks worldwide

Threat actors are leveraging the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region.

Researchers from Mandiant report that four ongoing campaigns target vulnerable Citrix NetScaler ADC and Gateway appliances, with attacks underway since late August 2023. The security company has seen post-exploitation activity related to credential theft and lateral movement, warning that exploitation leaves behind limited forensic evidence, making these attacks particularly stealthy.

Citrix Bleed

The Citrix Bleed CVE-2023-4966 vulnerability was disclosed on October 10 as a critical severity flaw impacting Citrix NetScaler ADC and NetScaler Gateway, allowing access to sensitive information on the devices. A week after a fix was made available, Mandiant revealed the flaw was a zero-day under active exploitation since late August, with hackers leveraging it to hijack existing authenticated sessions and bypass multifactor protection.

Attackers used specially crafted HTTP GET requests to force the appliance to return system memory contents, which include a valid NetScaler AAA session cookie issued post-authentication and after MFA checks. Hackers who steal these authentication cookies can then access the device without performing an MFA verification again.

Citrix followed up with a second warning to admins, urging them to secure their systems against the ongoing attacks, which were low-complexity and didn't require any user interaction. On October 25, AssetNote researchers released a proof-of-concept (PoC) exploit demonstrating how to hijack a NetScaler account via session token theft.
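Because a stolen post-MFA session cookie is replayed by the attacker from a different client, one detection a defender can run over WAF or reverse-proxy access logs is to flag any session cookie used from more than one source address in a short window. The following is an added example, not code from the article or from Mandiant; the log format, the cookie field name and all values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of access log lines from a WAF in front of a NetScaler Gateway.
# The field layout and cookie values are assumptions made for this example.
SAMPLE_LOG = """\
2023-10-27T08:00:01Z src=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)" cookie=sess_aaa_001 path=/vpn/index.html
2023-10-27T08:00:30Z src=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)" cookie=sess_aaa_001 path=/logon/LogonPoint/tmindex.html
2023-10-27T08:05:12Z src=198.51.100.77 ua="python-requests/2.31" cookie=sess_aaa_001 path=/vpn/index.html
2023-10-27T08:06:00Z src=192.0.2.5 ua="Mozilla/5.0 (Macintosh)" cookie=sess_aaa_002 path=/vpn/index.html
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)" cookie=(?P<cookie>\S+) path=(?P<path>\S+)$'
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def find_hijacked_sessions(events, window_minutes=30):
    """Return {cookie: sorted list of (src, ua)} for every session cookie that was
    presented from more than one source address within the window. A valid
    post-MFA cookie suddenly appearing from a new client is the hijack pattern
    the article describes; a single-client session is never flagged."""
    by_cookie = defaultdict(list)
    for e in events:
        by_cookie[e["cookie"]].append(e)
    suspicious = {}
    for cookie, evs in by_cookie.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        sources = {e["src"] for e in evs}
        if len(sources) > 1 and span <= window_minutes * 60:
            suspicious[cookie] = sorted({(e["src"], e["ua"]) for e in evs})
    return suspicious
```

Legitimate roaming users (VPN to office network) will also trip this, so the user-agent change alongside the source change is the stronger signal to review first.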
Ongoing attacks

Mandiant explains that the lack of logging on the appliances makes investigating the exploitation of CVE-2023-4966 challenging, requiring web application firewalls (WAF) and other network traffic monitoring appliances to log traffic and determine if a device was exploited. Unless a network had this type of monitoring in place before an attack, historical analysis is impossible and researchers are limited to real-time observations.

Even post-exploitation, the attackers remain stealthy, employing living-off-the-land techniques and common administrative tools like net.exe and netscan.exe to blend with daily operations.

Mandiant was able to identify exploitation attempts and session hijacking via one of the following pathways:

Attack goals

After exploiting CVE-2023-4966, the attackers engaged in network reconnaissance, stealing account credentials and moving laterally via RDP. The tools the threat actors use at this phase are the following:

Although many of the above are commonly found in enterprise environments, their combined deployment may be a sign of compromise, and tools like FREEFIRE are clear indications of a breach. The researchers have released a Yara rule that can be used to detect FREEFIRE on a device.

Mandiant says the four threat actors that exploit CVE-2023-4966 in various campaigns show some overlap in the post-exploitation stage. All four extensively used csvde.exe, certutil.exe, local.exe, and nbtscan.exe, while two activity clusters were seen using Mimikatz.

Applying the available security updates does not address existing breaches, and thus, a full incident response is required. For advice on system restoration, check out Mandiant's remediation guide.
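The article's point that individually benign administrative tools become a signal only when deployed together can be turned into a simple host-based correlation: flag a host when several of the named tools execute within a short window. This is an added example, not Mandiant's detection logic; the process-creation event layout and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the article names in the post-exploitation phase. Any one of them is
# routine on an enterprise host; several in quick succession is the signal.
RECON_TOOLS = {"csvde.exe", "certutil.exe", "local.exe", "nbtscan.exe", "net.exe", "netscan.exe"}

# Constructed process-creation events as (host, ISO timestamp, image name).
# WS01 runs four tools in six minutes; SRV02 runs three spread over a workday.
SAMPLE_EVENTS = [
    ("WS01", "2023-10-27T09:00:00", "certutil.exe"),
    ("WS01", "2023-10-27T09:03:10", "net.exe"),
    ("WS01", "2023-10-27T09:04:45", "nbtscan.exe"),
    ("WS01", "2023-10-27T09:06:02", "csvde.exe"),
    ("WS01", "2023-10-27T09:06:30", "explorer.exe"),
    ("SRV02", "2023-10-27T09:00:00", "net.exe"),
    ("SRV02", "2023-10-27T13:30:00", "certutil.exe"),
    ("SRV02", "2023-10-27T18:00:00", "csvde.exe"),
]


def score_hosts(events, window=timedelta(minutes=15), min_distinct=3):
    """Sliding-window correlation per host: flag the host when at least
    `min_distinct` different RECON_TOOLS images start within `window` of each
    other. Returns {host: sorted list of the tools seen in the first window
    that crossed the threshold}."""
    per_host = defaultdict(list)
    for host, ts, image in events:
        image = image.lower()
        if image in RECON_TOOLS:
            per_host[host].append((datetime.fromisoformat(ts), image))
    flagged = {}
    for host, evs in per_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = {img for t, img in evs[i:] if t - start <= window}
            if len(in_window) >= min_distinct:
                flagged[host] = sorted(in_window)
                break
    return flagged
```

A real deployment would feed this from Sysmon or EDR process-creation telemetry and add the parent process and command line, since certutil.exe launched by an interactive shell looks very different from a scheduled maintenance task.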

Daily Brief Summary

CYBERCRIME // Exploitation of Citrix Bleed Flaw Targets Worldwide Government Networks

Hackers are leveraging a vulnerability, known as 'Citrix Bleed' and identified as CVE-2023-4966, to launch attacks on government, technical, and legal organizations globally, with campaigns occurring since late August 2023.

The flaw, which impacts Citrix NetScaler ADC and NetScaler Gateway devices, was disclosed in October and allows access to sensitive information. It had been exploited as a zero-day before the fix, enabling attackers to hijack authenticated sessions and bypass multifactor protection.

Cybersecurity company Mandiant has observed post-exploitation related to credential theft and lateral movement. The attacks are stealthy, leaving limited forensic evidence.

Efforts to investigate these exploits are challenging due to the lack of logging on the targeted appliances, requiring specialized network monitoring to determine if a device was exploited.

According to Mandiant, the threat actors engaging in these activities are using recognizable administrative tools and blending into daily operations, making detection even more difficult.

Once the vulnerability is exploited, attackers engage in network reconnaissance, credential theft, and lateral movement using RDP among other tactics.

Mandiant has suggested that addressing the vulnerability alone will not solve current breaches. A comprehensive incident response and system restoration strategy is required.