Citrix warns admins to kill NetScaler user sessions to block hackers



Citrix reminded admins today that they need to take additional measures after patching their NetScaler appliances against the CVE-2023-4966 'Citrix Bleed' vulnerability to secure vulnerable devices against attacks.

Besides applying the necessary security updates, they're also advised to wipe all previous user sessions and terminate all active ones.

This is a crucial step, seeing that attackers behind ongoing Citrix Bleed exploitation have been stealing authentication tokens, allowing them to access compromised devices even after they have been patched.

Citrix patched the flaw in early October, but Mandiant revealed that it had been under active exploitation as a zero-day since at least late August 2023.

Mandiant also warned that compromised NetScaler sessions persist after patching, enabling attackers to move laterally across the network or compromise other accounts depending on the compromised accounts' permissions.

"If you are using any of the affected builds listed in the security bulletin, you should upgrade immediately by installing the updated versions. After you upgrade, we recommend that you remove any active or persistent sessions," Citrix said today.

This is the second time the company has warned customers to kill all active and persistent sessions using the following commands:

kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions

Exploited in LockBit ransomware attacks

Today, CISA and the FBI warned that the LockBit ransomware gang is exploiting the Citrix Bleed security flaw in a joint advisory with the Multi-State Information Sharing & Analysis Center (MS-ISAC) and the Australian Cyber Security Center (ACSC).

The agencies also shared indicators of compromise and detection methods to help defenders thwart the ransomware group's attacks.

Boeing also shared information on how LockBit breached its network in October using a Citrix Bleed exploit, which led to 43GB of data stolen from Boeing's systems being leaked on the dark web after the company refused to give in to the ransomware gang's demands.

"Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization," the joint advisory warns.

"Responding to the recently disclosed CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway appliances, CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempts to establish sessions via Windows Remote Management (WinRM)," CISA added in a Malware Analysis Report also published today.

According to security researchers, over 10,000 Internet-exposed Citrix servers were vulnerable to Citrix Bleed attacks one week ago.