'Mass exploitation' of Citrix Bleed underway as ransomware crews pile in

Trending 1 month ago
  1. Home
  2. Security
  3. 'Mass exploitation' of Citrix Bleed underway as ransomware crews pile in

Citrix Bleed, nan captious information-disclosure bug that affects NetScaler ADC and NetScaler Gateway, is now nether "mass exploitation," arsenic thousands of Citrix NetScaler instances stay vulnerable, according to information teams.

As of October 30, Shadowserver spotted conscionable complete 5,000 susceptible servers connected nan nationalist internet. And successful nan past week, GreyNoise observed 137 individual IP addresses attempting to utilization this Citrix vulnerability.

Citrix disclosed and issued a patch for nan flaw – CVE-2023-4966 – connected October 10. 

However, "even if you applied nan spot and rebooted, you still person a problem arsenic convention tokens persist," noted infosec watcher Kevin Beaumont, who said he had tracked conscionable complete 20,000 exploited servers arsenic of Saturday. 

Citrix, successful a consequent memo, did echo different information shops' mitigation proposal and instructed customers to kill each progressive and persistent sessions utilizing a bid of commands. But by then, nan criminals were a fewer steps ahead.

The vulnerability allows attackers to entree a device's memory, and successful that RAM find convention tokens that miscreants tin past extract and usage to impersonate an authenticated user. Thus moreover if nan spread is patched, copied tokens will stay valid unless further steps are taken.

It appears group are collecting convention tokens for illustration Pokemon

This "mass exploitation" includes astatine slightest 2 ransomware gangs, arsenic of October 30, Beaumont added. One of these crews is "distributing a python book to automate nan onslaught chain," he said. "Essentially you person a 1998 style vulnerability successful your distant entree solution. It appears group are collecting convention tokens for illustration Pokemon."

Mandiant, connected Tuesday, said it is presently tracking four abstracted uncategorized groups that are exploiting nan vulnerability crossed aggregate sectors. These see ineligible and master services, tech, and authorities agencies crossed nan Americas, Europe, Middle East, Africa and Asia-Pacific regions, predominantly utilizing these 4 tools. 

  • csvde.exe
  • certutil.exe
  • local.exe
  • nbtscan.exe

"Given nan wide take of Citrix successful enterprises globally, we fishy nan number of impacted organizations is acold greater and successful respective sectors," nan Google-owned threat-intel squad wrote successful a blog.

Mandiant besides identified a assortment of ways to cheque for exploitation wrong organizations' network. But, it warned, patterns of suspicious activity related to convention hijacking mightiness disagree from statement to organization, and nan techniques outlined arsenic follows mightiness not beryllium applicable aliases feasible successful each scenarios."

  • Citrix urges 'immediate; spot for captious NetScaler bug arsenic utilization POC made public
  • Critical Citrix bug exploited by information thieves weeks earlier being patched
  • Stop what you're doing and spot this captious Confluence flaw, warns Atlassian
  • Unpatched NGINX ingress controller bugs tin beryllium abused to bargain Kubernetes cluster secrets

Security patient Assetnote past week published a technical analysis of nan bug including a proof-of-concept that demonstrated really it could beryllium abused to bargain convention tokens, prompting an uptick successful scanning for susceptible endpoints, according to Rapid7.

And while nan US government's Cybersecurity and Infrastructure Security Agency (CISA) past Wednesday added CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, it still lists nan vulnerability arsenic "unknown" successful nan "used successful ransomware campaigns" column. 

Mandiant antecedently said criminals person been abusing this flaw to bargain firm info since precocious August.

While these attacks astatine nan clip were constricted to cyber espionage, "we expect different threat actors pinch financial motivations will utilization this complete time," Mandiant Consulting CTO Charles Carmakal said. And it appears that clip has come.

Citrix declined to reply The Register's questions, including if customers person reported nan bug being exploited by ransomware groups. ®

Related Article

60 US credit unions offline after ransomware infects backend cloud outfit

60 US credit unions offline after ransomware infects backend cloud outfit

1 day ago
Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

1 day ago
UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

1 day ago
US readies prison cell for another Russian Trickbot developer

US readies prison cell for another Russian Trickbot developer

1 day ago
Regulator says stranger entered hospital, treated a patient, took a document ... then vanished

Regulator says stranger entered hospital, treated a patient, took a document ... then vanished

1 day ago
Interpol makes first border arrest using Biometric Hub to ID suspect

Interpol makes first border arrest using Biometric Hub to ID suspect

1 day ago

Trending

1. Texas
2. UFC
3. Kentucky basketball
4. Duke Basketball
5. Jalen Milroe
6. Boise State football
7. Suns
8. Tulane Football
9. Florida State
10. Philippines earthquake

Popular Article

These developers are doing something amazing with iPhone and iPad apps

These developers are doing something amazing with iPhone and iPad apps

12 hours ago
The best movies on Apple TV+ right now (December 2023)

The best movies on Apple TV+ right now (December 2023)

13 hours ago
7 best funny Christmas movies you should watch this holiday season

7 best funny Christmas movies you should watch this holiday season

12 hours ago
Google Chrome's new cache change could boost performance

Google Chrome's new cache change could boost performance

11 hours ago
iOS 17: How to share contacts using Apple’s amazing NameDrop feature

iOS 17: How to share contacts using Apple’s amazing NameDrop feature

14 hours ago
The Game Awards 2023: how to watch and what to expect

The Game Awards 2023: how to watch and what to expect

13 hours ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.