Citrix has provided additional measures for administrators patching NetScaler devices against the CVE-2023-4966 vulnerability. They are now urging administrators to log out all users and end all active sessions after applying the patch. It is essential for users of the affected builds listed in the security bulletin to update immediately to the latest versions. Mandiant researchers have observed threat actors exploiting this vulnerability since August, using it to hijack authenticated sessions and bypass multi-factor authentication. These sessions may persist even after applying the patch, allowing threat actors to steal session data. The attacks have targeted various organizations, including professional services, technology, and government entities.
The US CISA has warned of active exploitation by both nation-state hackers and cybercriminal groups. The agency has shared TTP and IOC linked to LockBit 3.0 affiliates exploiting CVE-2023-4966. CISA, FBI, MS-ISAC, and the Australian Cyber Security Center have jointly published a document providing guidance and detection methods for dealing with the Citrix Bleed vulnerability. It is crucial for administrators to update to the latest versions of NetScaler ADC and NetScaler Gateway to mitigate the risks associated with this vulnerability.
Article Source
https://securityaffairs.com/154546/hacking/citrix-bleed-attacks.html
