Citrix Bleed: Mass exploitation in progress (CVE-2023-4966)

CVE-2023-4966, aka “Citrix Bleed”, a critical information disclosure vulnerability affecting Citrix NetScaler ADC/Gateway devices, is being massively exploited by threat actors.

According to security researcher Kevin Beaumont’s cybersecurity industry sources, one ransomware group has already distributed a Python script to automate the attack chain to their operators, and other groups have started leveraging a working exploit.

CVE-2023-4966 exploited

Threat actors have been quick to leverage vulnerabilities in Citrix NetScaler ADC in the past, and this vulnerability is obviously no exception.

CVE-2023-4966 is a remotely and easily exploitable vulnerability that allows attackers to grab valid session tokens from internet-facing vulnerable Netscaler devices’ memory. The compromised session tokens can then be used to hijack active sessions, i.e., to effectively bypass authentication – even multi-factor authentication – and gain unfettered access to the appliance.

Citrix published a related security advisory on October 10, pointing to security updates and urging customers to implement them quickly.

A week later, Mandiant researchers revealed that the vulnerability has been exploited as a zero-day by attackers since late August 2023, to attack professional services, technology, and government organizations.

Mandiant pointed out that updating vulnerable devices is not enough to boot the attackers from them – they advised admins to terminate all active sessions and check whether the attackers left behind web shells or backdoors.

A more recent blog post by Netscaler explains how to do the former.

Finding out whether your devices have been compromised

“Due to the lack of available log records or other artifacts of exploitation activity, as a precaution, organizations should consider rotating credentials for identities that were provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance,” Mandiant researchers noted.

But since more widespread attacks started happening (after Assetnote researchers published a proof-of-concept exploit script on October 25), some things are recorded in web access logs that can point to compromise.

“Most of the threat actors are using a Python script that then posts the stolen session keys to /logon/LogonPoint/Authentication/GetUserName — so you’ll see that traffic,” Beaumont noted.

“If you see that traffic from the [120+ attack IPs documented by GreyNoise], you might want to invalidate session tokens ASAP. Another good one to do is look for GetUserName combined with python in the User Agent field, or just GetUserName before an actual login request — both should never happen.”

UPDATE (November 2, 2023, 10:30 a.m. ET):

Mandiant incident responders have been investigating multiple instances of successful exploitation of CVE-2023-4966, have shared associated artifacts and noted the post-intrusion activities the attackers have engaged in (network reconnaissance, theft of account credentials, lateral movement via RDP, deployment of remote monitoring and management tools).

“Mandiant is investigating intrusions across multiple verticals, including legal and professional services, technology, and government organizations. Given the widespread adoption of Citrix in enterprises globally, we suspect the number of impacted organizations is far greater and in several sectors. The victims have been in the Americas, EMEA, and APJ as of writing,” they said.