October 18, 2023

Critical vulnerability in Citrix NetScaler products exploited since August

Security researchers have observed an unnamed threat actor exploiting a critical vulnerability in Citrix NetScaler ADC and Gateway devices belonging to governments and technology companies.

The bug, designated CVE-2023-4966, allows threat actors to hijack authenticated sessions from Citrix devices serving as the gateway for authentication, authorization, and accounting virtual servers. Threat actors can then use the stolen authenticated sessions to bypass multifactor authentication or other strong authentication parameters as long as they remain valid, even after the vulnerability has been patched.

While a patch for the vulnerability was released last week, threat actors have been observed exploiting the vulnerability as early as August 2023.

Source: Bleeping Computer

Analysis

Citrix’s NetScaler devices have a long track record of being exploited by nation-state actors and cybercriminals alike.

In July 2023, Citrix urged NetScaler ADC and Gateway users to update to the latest versions as soon as possible to address three security vulnerabilities amid reports they were being actively exploited in the wild.

In 2019, APT 29, a group attributed to Russia’s Foreign Intelligence Service (SVR), exploited flaws in NetScaler ADC and Gateway devices to perform arbitrary code execution and deploy various malicious payloads, leading to the compromise of sensitive information and data.

Worse yet, in 2020, a ransomware attack exploiting Citrix vulnerability CVE-2019-19781 impacted the availability of systems at the University Hospital of Düsseldorf, resulting in the death of a patient.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices like Citrix NetScaler ADC and Gateway. This research contributes to the timely deployment of signatures into Covalence, our flagship security solution, to detect and mitigate the exploitation of these vulnerabilities.

Covalence users are automatically notified when affected devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Users of Citrix NetScaler ADC and Gateway devices should apply the latest security patch as soon as possible. Additionally, users should terminate all sessions post-upgrade in case they have been compromised and inspect access logs for suspicious activity.
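As an added illustration of the post-upgrade log review recommended above (example code written for this page, not a Field Effect or Citrix tool), the script below parses gateway access events and flags two indicators consistent with a hijacked session: the same session identifier used from more than one source address, and a session established before the upgrade that is still in use afterward, meaning it was not terminated as advised. The log format, the sample lines and the `PATCH_TIME` value are all constructed for the example; real NetScaler syslog lines use a different syntax and would need their own parser.

```python
"""Flag session-hijack indicators in gateway access logs (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Simplified, constructed log format; real NetScaler syslog lines differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+session=(?P<sid>\S+)\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    sid: str
    user: str
    src: str
    action: str


def parse_log(lines):
    """Turn log lines in the constructed format into Event records."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["sid"], m["user"], m["src"], m["action"]))
    return events


def find_indicators(events, patch_time):
    """Return {session_id: [reasons]} for sessions worth investigating.

    Two indicators are checked:
      * the same session id is used from more than one source address
      * a session that began before the upgrade is still used afterward,
        i.e. it was not terminated post-upgrade as recommended
    """
    by_sid = defaultdict(list)
    for ev in events:
        by_sid[ev.sid].append(ev)

    findings = {}
    for sid, evs in by_sid.items():
        reasons = []
        sources = {ev.src for ev in evs}
        if len(sources) > 1:
            reasons.append(
                f"used from {len(sources)} source addresses: {sorted(sources)}"
            )
        first = min(ev.ts for ev in evs)
        last = max(ev.ts for ev in evs)
        if first < patch_time <= last:
            reasons.append("session established before upgrade still active after it")
        if reasons:
            findings[sid] = reasons
    return findings


# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
2023-10-09T08:00:00Z session=S1 user=alice src=203.0.113.10 action=login
2023-10-09T08:05:00Z session=S1 user=alice src=203.0.113.10 action=access
2023-10-09T11:40:00Z session=S1 user=alice src=198.51.100.7 action=access
2023-10-09T09:00:00Z session=S2 user=bob src=192.0.2.22 action=login
2023-10-11T10:15:00Z session=S2 user=bob src=192.0.2.22 action=access
2023-10-11T10:30:00Z session=S3 user=carol src=192.0.2.40 action=login
2023-10-11T10:45:00Z session=S3 user=carol src=192.0.2.40 action=access
""".splitlines()

# Constructed upgrade timestamp for the sample; use the real one in practice.
PATCH_TIME = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)


def run_sample():
    """Run the indicator check over the constructed sample log."""
    return find_indicators(parse_log(SAMPLE_LOG), PATCH_TIME)


if __name__ == "__main__":
    for sid, reasons in sorted(run_sample().items()):
        print(sid)
        for reason in reasons:
            print("  -", reason)
```

On the sample, session S1 is flagged for use from two source addresses and S2 for surviving the upgrade, while S3 (opened after the upgrade from a single address) is not reported. A source-address change alone is not proof of hijacking (mobile clients and VPN egress changes cause it too), so the output is a triage list for the access-log review the page recommends, not a verdict.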
