China's Biggest Lender ICBC Hit by Ransomware

 

Citrix disclosed a critical vulnerability in its NetScaler products last month, and an unpatched instance of it may have contributed to this week's disruptive ransomware attack on the US arm of the world's largest bank by assets, the PRC's state-owned Industrial and Commercial Bank of China (ICBC). The incident underlines how urgent it is for any organisation that has not yet patched to do so now.

Numerous on-premises Citrix NetScaler ADC and NetScaler Gateway application delivery platforms are impacted by the so-called "CitrixBleed" vulnerability (CVE-2023-4966). 

The vulnerability carries a CVSS 3.1 score of 9.4 out of a possible 10. It lets an attacker hijack authenticated user sessions and steal sensitive data, and Citrix's scoring reflects that it is remotely exploitable, has low attack complexity, and requires neither prior privileges nor any user interaction.

Mass CitrixBleed exploitation

Threat actors had been exploiting the vulnerability since August, weeks before Citrix released fixed versions of the affected software on October 10. Because authenticated sessions can survive the update, Mandiant researchers, who identified the exploitation and reported it to Citrix, also strongly advise that organisations terminate every active session on each affected NetScaler device after patching: a session token stolen before the fix is applied remains usable afterwards until the session is ended server-side.
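Because a stolen token is, to the application, a perfectly valid session, the practical way to find hijacked sessions is to look for sessions that change client mid-life. The script below is an added example (not code from the original post, from Citrix or from Mandiant): it groups gateway access records by session ID and reports every session used from more than one source address or browser, which is the shortlist an operator would terminate first. The log format is a constructed, simplified one (timestamp, session id, user, client address, user agent), not NetScaler's real syslog layout, and the sample lines are made up for the demonstration.

```python
"""Session-hijack triage over gateway access logs (added example)."""
import re

# Constructed log format: one record per line, fields in a fixed order.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) '
    r'client_ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample: session 7f3a (jdoe) is replayed from a second address
# with a scripting user agent twenty minutes after login; 9c01 is normal.
SAMPLE_LOG = """\
2023-11-08T09:00:12Z sid=7f3a user=jdoe client_ip=203.0.113.7 ua="Citrix Workspace"
2023-11-08T09:03:40Z sid=9c01 user=asmith client_ip=198.51.100.22 ua="Chrome/118"
2023-11-08T09:20:05Z sid=7f3a user=jdoe client_ip=192.0.2.44 ua="python-requests/2.31"
2023-11-08T09:21:17Z sid=7f3a user=jdoe client_ip=192.0.2.44 ua="python-requests/2.31"
2023-11-08T09:30:00Z sid=9c01 user=asmith client_ip=198.51.100.22 ua="Chrome/118"
this line is garbage and must not abort the scan
"""


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_hijack_candidates(text):
    """Return {sid: summary} for sessions used by more than one client.

    A client is the (ip, user_agent) pair, kept in order of first appearance,
    so clients[0] is the client the session was originally issued to.
    """
    sessions = {}
    for rec in parse_log(text):
        s = sessions.setdefault(
            rec["sid"], {"user": rec["user"], "first_seen": rec["ts"], "clients": {}}
        )
        # Remember when each distinct client first touched this session.
        s["clients"].setdefault((rec["ip"], rec["ua"]), rec["ts"])

    flagged = {}
    for sid, s in sessions.items():
        if len(s["clients"]) < 2:
            continue
        flagged[sid] = {
            "user": s["user"],
            "first_seen": s["first_seen"],
            # Distinct source addresses in order of appearance.
            "client_ips": list(dict.fromkeys(ip for ip, _ in s["clients"])),
            "clients": [(ip, ua, ts) for (ip, ua), ts in s["clients"].items()],
        }
    return flagged


def report(text):
    """Human-readable summary; returns the lines it would print."""
    lines = []
    for sid, f in find_hijack_candidates(text).items():
        lines.append(f"session {sid} ({f['user']}, issued {f['first_seen']}) "
                     f"seen from {len(f['clients'])} clients:")
        for ip, ua, ts in f["clients"]:
            lines.append(f"    {ts}  {ip:<16} {ua}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)) or "no multi-client sessions found")
```

A session that moves between addresses is a triage signal, not proof: users on mobile networks or behind load-balanced NAT legitimately change source address. Weigh the second client's user agent, geography and timing, and remember that the only reliable fix for a session already in the attacker's hands is to end it on the appliance, which is exactly why the post-patch session purge matters.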

The clearest public instance of the exploit activity so far is the ransomware attack on the US branch of the state-owned ICBC. In a statement earlier this week the bank said that some of its systems had been disrupted by a ransomware attack on November 8. The Financial Times and other media outlets cited sources attributing the attack to LockBit ransomware operators.

Security researcher Kevin Beaumont identified one likely attack vector for the LockBit actors: a Citrix NetScaler appliance at ICBC that was still unpatched as of November 6.

"As of writing this toot, over 5,000 orgs still haven't patched #CitrixBleed," Beaumont stated. "It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside orgs — it gives attackers a fully interactive Remote Desktop PC [on] the other end." 

Mass exploitation of unmitigated NetScaler devices has increased in recent weeks, spurred at least in part by the public release of technical details of the flaw.

According to a ReliaQuest report this week, at least four organised threat groups are targeting the vulnerability, and some of them have automated CitrixBleed exploitation. Between November 7 and November 9 alone, ReliaQuest observed "multiple unique customer incidents featuring Citrix Bleed exploitation".

CISA issues CitrixBleed guidance

The exploit activity prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to publish new CitrixBleed guidance and resources this week. CISA warned of "active, targeted exploitation" of the bug and urged organisations to "update unmitigated appliances to the updated versions" that Citrix released last month.

The vulnerability is a buffer over-read (a missing bounds check) that discloses sensitive memory contents, session tokens included. It affects on-premises NetScaler ADC and NetScaler Gateway appliances only when they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an Authentication, Authorization, and Accounting (AAA) virtual server.
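Since exposure depends on both the build and the deployment mode, a quick triage needs two artefacts from the appliance: the build string and the running configuration. The script below is an added example, not Citrix's, CISA's or Mandiant's tooling. It assumes a version string in the form printed by `show ns version`, a configuration in the form printed by `show ns runningconfig`, and standard NetScaler CLI syntax for Gateway (`add vpn vserver`) and AAA (`add authentication vserver`) virtual servers. The fixed-build table is reproduced from memory of Citrix's October 2023 advisory and the 12.1 standard branch is treated as end of life with no fix; verify both against the advisory before relying on the verdict. The FIPS/NDcPP variant is passed in explicitly because the build string alone does not reveal it, and the sample configuration is constructed.

```python
"""Exposure triage for CVE-2023-4966 from build string and running config (added example)."""
import re

# (branch, variant) -> minimum fixed (major_build, minor_build).
# ASSUMED from Citrix's October 2023 advisory; verify before use.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# 'NetScaler NS13.1: Build 48.47.nc, Date: ...' -> branch 13.1, build 48.47
VERSION_RE = re.compile(r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)")
# Gateway and AAA virtual servers are the affected deployment modes.
VSERVER_RE = re.compile(r"^add (?:vpn|authentication) vserver (\S+)", re.MULTILINE)

# Constructed sample config: one Gateway vserver, one AAA vserver and one
# plain load balancer (the last is not an affected configuration).
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add vpn vserver gw_vs SSL 10.0.0.20 443
add authentication vserver aaa_vs SSL 10.0.0.21 443
add lb vserver web_vs SSL 10.0.0.30 443
"""


def parse_version(version_line):
    """Return (branch, (major, minor)) from a 'show ns version' style string."""
    m = VERSION_RE.search(version_line)
    if not m:
        raise ValueError(f"unrecognised version string: {version_line!r}")
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def exposed_vservers(running_config):
    """Names of Gateway/AAA virtual servers in the config, in file order."""
    return VSERVER_RE.findall(running_config)


def assess(version_line, variant, running_config):
    """Combine build status and deployment mode into a verdict with next steps."""
    branch, build = parse_version(version_line)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        patched = False
        build_note = f"no fixed build for {branch} {variant}: upgrade to a supported branch"
    else:
        patched = build >= fixed
        build_note = (f"build {build[0]}.{build[1]} is "
                      f"{'at or above' if patched else 'below'} fixed build {fixed[0]}.{fixed[1]}")
    vservers = exposed_vservers(running_config)
    exposed = bool(vservers) and not patched
    steps = []
    if vservers and not patched:
        steps.append("patch now (or take the Gateway/AAA vservers offline until you can)")
    if vservers:
        # Sessions survive the update, so a purge is needed even on a patched box.
        steps.append("terminate all active sessions on this appliance after patching")
        steps.append("review logs for sessions replayed from unexpected clients")
    return {
        "branch": branch, "build": build, "patched": patched, "build_note": build_note,
        "exposed_vservers": vservers, "exposed": exposed, "next_steps": steps,
    }


if __name__ == "__main__":
    verdict = assess(
        "NetScaler NS13.1: Build 48.47.nc, Date: Jun 26 2023, 23:10:02   (64-bit)",
        "standard", SAMPLE_CONFIG,
    )
    for key, value in verdict.items():
        print(f"{key:>17}: {value}")
```

A box with no Gateway or AAA virtual server gets no action items, which matches the advisory's scope; a box that is patched but does serve those roles still gets the session purge, because the patch closes the leak without invalidating what already leaked.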