CVE-2023-4966 vulnerability becomes a global problem

Threat researcher Kevin Beaumont has been tracking attacks against various companies, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing, and found they had something in common.

ADVERTISEMENT

These were exposed Citrix servers vulnerable to the Citrix Bleed flaw, which he says the LockBit ransomware gang is exploiting attacks. This was further confirmed by the Wall Street Journal, which obtained an email from the U.S. Treasury sent to select financial service providers, mentioning that LockBit was responsible for the cyberattack on ICBC, which was achieved by exploiting the Citrix Bleed flaw.

What is Citrix Bleed?

Citrix Bleed was disclosed on October 10 as a critical security issue that affects Citrix NetScaler ADC and Gateway, enabling access to sensitive device information.

Mandiant reported that threat actors started exploiting Citrix Bleed in late August when the security flaw was still a zero-day. In the attacks, hackers used HTTP GET requests to obtain Netscaler AAA session cookies after the multi-factor authentication stage (MFA).

Citrix urged admins to protect systems from this low-complexity, no-interaction attacks. On October 25, external attack surface management company AssetNote released a proof-of-concept exploit demonstrating how session tokens can be stolen.

CVE-2023-4966 has become a severe problem

At the time of writing, more than 10,400 Citrix servers are vulnerable to CVE-2023-4966, according to findings from Japanese threat researcher Yutaka Sejiyama shared with BleepingComputer.

The majority of the servers, 3,133, are in the U.S., followed by 1,228 in Germany, 733 in China, 558 in the U.K., 381 in Australia, 309 in Canada, 301 in France, 277 in Italy, 252 in Spain, 244 in the Netherlands, and 215 in Switzerland.

Sejiyama’s scans have revealed vulnerable servers in large and critical organizations in the above and many other countries, all of which remain unpatched over a full month following the public disclosure of the critical flaw.

CVE-2023-4966 exposes Citrix Bleed to attack around 3,133 servers

How to protect yourself from the Citrix Bleed vulnerability

Here are the steps you can take to protect yourself from CVE-2023-4966:

  1. Update your NetScaler ADC and NetScaler Gateway builds to the recommended versions. You can find these versions in the security bulletin
  2. Kill all active and persistent sessions. You can do this by using the following commands:
    • kill icaconnection -all
    • kill rdp connection -all
    • kill pcoipConnection -all
    • kill aaa session -all
    • clear lb persistentSessions
  3. Follow the NetScaler secure configuration and deployment guide as this guide can help you to configure your NetScaler devices in a way that is more secure

Organizations and users should also consider using a zero-trust security model, implementing a robust data loss prevention (DLP) solution, and educating employees about ransomware and how to identify and avoid phishing attacks.

Advertisement