Citrix reminded admins today that they must take additional measures after patching their NetScaler appliances against the CVE-2023-4966 'Citrix Bleed' vulnerability to secure vulnerable devices against attacks.

Besides applying the necessary security updates, they're also advised to wipe all previous user sessions and terminate all active ones. 

This is a crucial step, seeing that attackers behind ongoing Citrix Bleed exploitation have been stealing authentication tokens, allowing them to access compromised devices even after they have been patched.

Citrix patched the flaw in early October, but Mandiant revealed that it has been under active exploitation as a zero-day since at least late August 2023. 

Mandiant also warned that compromised NetScaler sessions persist after patching, enabling attackers to move laterally across the network or compromise other accounts depending on the compromised accounts' permissions.

"If you are using any of the affected builds listed in the security bulletin, you should upgrade immediately by installing the updated versions. After you upgrade, we recommend that you remove any active or persistent sessions," Citrix said today.

This is the second time the company has warned customers to kill all active and persistent sessions using the following commands:

kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions

Exploited in LockBit ransomware attacks

Today, in a joint advisory with the Multi-State Information Sharing & Analysis Center (MS-ISAC) and the Australian Cyber Security Centre (ACSC), CISA and the FBI cautioned that the LockBit ransomware gang is exploiting the Citrix Bleed security flaw.

The agencies also shared indicators of compromise and detection methods to help defenders thwart the ransomware group's attacks.

Boeing also shared information on how LockBit breached its network in October using a Citrix Bleed exploit, which led to 43GB of data stolen from Boeing's systems getting leaked on the dark web after the company refused to give in to the ransomware gang's demands.

"Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization," the joint advisory warns.

"Responding to the recently disclosed CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway appliances, CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempts to establish sessions via Windows Remote Management (WinRM)," CISA added in a Malware Analysis Report also published today.

According to security researchers, over 10,000 Internet-exposed Citrix servers were still vulnerable to Citrix Bleed attacks one week ago.
