'Mass exploitation' of Citrix Bleed underway as ransomware crews pile in

Trending 1 month ago

Citrix Bleed, nan captious information-disclosure bug that affects NetScaler ADC and NetScaler Gateway, is now nether "mass exploitation," arsenic thousands of Citrix NetScaler instances stay vulnerable, according to information teams.

As of October 30, Shadowserver spotted conscionable complete 5,000 susceptible servers connected nan nationalist internet. And successful nan past week, GreyNoise observed 137 individual IP addresses attempting to utilization this Citrix vulnerability.

Citrix disclosed and issued a patch for nan flaw – CVE-2023-4966 – connected October 10. 

However, "even if you applied nan spot and rebooted, you still person a problem arsenic convention tokens persist," noted infosec watcher Kevin Beaumont, who said he had tracked conscionable complete 20,000 exploited servers arsenic of Saturday. 

Citrix, successful a consequent memo, did echo different information shops' mitigation proposal and instructed customers to kill each progressive and persistent sessions utilizing a bid of commands. But by then, nan criminals were a fewer steps ahead.

The vulnerability allows attackers to entree a device's memory, and successful that RAM find convention tokens that miscreants tin past extract and usage to impersonate an authenticated user. Thus moreover if nan spread is patched, copied tokens will stay valid unless further steps are taken.

It appears group are collecting convention tokens for illustration Pokemon

This "mass exploitation" includes astatine slightest 2 ransomware gangs, arsenic of October 30, Beaumont added. One of these crews is "distributing a python book to automate nan onslaught chain," he said. "Essentially you person a 1998 style vulnerability successful your distant entree solution. It appears group are collecting convention tokens for illustration Pokemon."

Mandiant, connected Tuesday, said it is presently tracking four abstracted uncategorized groups that are exploiting nan vulnerability crossed aggregate sectors. These see ineligible and master services, tech, and authorities agencies crossed nan Americas, Europe, Middle East, Africa and Asia-Pacific regions, predominantly utilizing these 4 tools. 

  • csvde.exe
  • certutil.exe
  • local.exe
  • nbtscan.exe

"Given nan wide take of Citrix successful enterprises globally, we fishy nan number of impacted organizations is acold greater and successful respective sectors," nan Google-owned threat-intel squad wrote successful a blog.

Mandiant besides identified a assortment of ways to cheque for exploitation wrong organizations' network. But, it warned, patterns of suspicious activity related to convention hijacking mightiness disagree from statement to organization, and nan techniques outlined arsenic follows mightiness not beryllium applicable aliases feasible successful each scenarios."

  • Citrix urges 'immediate; spot for captious NetScaler bug arsenic utilization POC made public
  • Critical Citrix bug exploited by information thieves weeks earlier being patched
  • Stop what you're doing and spot this captious Confluence flaw, warns Atlassian
  • Unpatched NGINX ingress controller bugs tin beryllium abused to bargain Kubernetes cluster secrets

Security patient Assetnote past week published a technical analysis of nan bug including a proof-of-concept that demonstrated really it could beryllium abused to bargain convention tokens, prompting an uptick successful scanning for susceptible endpoints, according to Rapid7.

And while nan US government's Cybersecurity and Infrastructure Security Agency (CISA) past Wednesday added CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, it still lists nan vulnerability arsenic "unknown" successful nan "used successful ransomware campaigns" column. 

Mandiant antecedently said criminals person been abusing this flaw to bargain firm info since precocious August.

While these attacks astatine nan clip were constricted to cyber espionage, "we expect different threat actors pinch financial motivations will utilization this complete time," Mandiant Consulting CTO Charles Carmakal said. And it appears that clip has come.

Citrix declined to reply The Register's questions, including if customers person reported nan bug being exploited by ransomware groups. ®