
November 23, 2023

Citrix NetScaler users urged to kill user sessions to stop the bleed


Citrix is urging users of its NetScaler ADC and Gateway products to kill all previous and active user sessions in addition to patching systems vulnerable to CVE-2023-4966, now nicknamed “Citrix Bleed.” The extra mitigation step is to prevent tokens stolen by threat actors during Citrix Bleed compromises from being used to enable persistent access even after the device is patched.

The fresh warning coincides with the release of a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) that contains indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), and detection methods associated with ransomware actor LockBit 3.0’s exploitation of the Citrix Bleed vulnerability.

LockBit was recently attributed to a successful Citrix Bleed exploitation against a Boeing subsidiary, which led to 43GB of the company’s data being leaked on the dark web after it refused to pay the demanded ransom.

Source: Bleeping Computer

Analysis

One of the first actions threat actors take post-exploitation is to attempt to establish persistent access to the vulnerable device. This includes stealing tokens, cookies, and session IDs that can be used as long as they remain valid, even if the initial vulnerability that was exploited has been patched.

As a result, network defenders need to ensure that they not only patch devices, but also identify and eliminate all available methods threat actors can use to continue exploitation.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices like Citrix NetScaler ADC and Gateway. This research contributes to the timely deployment of signatures into Covalence, our flagship security solution, to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Users of Citrix NetScaler ADC and Gateway devices should apply the latest security patch as soon as possible. Additionally, users should terminate all sessions post-upgrade in case they have been compromised and inspect access logs for suspicious activity and the IoCs provided by CISA/FBI.
