Citrix has issued additional guidance for administrators dealing with the Citrix Bleed vulnerability (CVE-2023-4966), urging them to log users out of NetScaler ADC and NetScaler Gateway appliances once the patch is installed. The company advises updating to a fixed build of the affected versions and then removing all active and persistent sessions with the NetScaler CLI commands listed in its advisory, because a session created before the upgrade remains valid after it.

Citrix had initially urged administrators to patch NetScaler ADC and Gateway appliances against CVE-2023-4966, which was already being exploited in the wild. Mandiant researchers observed exploitation of the flaw as a zero-day since late August 2023. The vulnerability lets threat actors hijack authenticated sessions and bypass multi-factor authentication, and those hijacked sessions survive the update that fixes CVE-2023-4966. Mandiant noted that threat actors harvested session data before organizations patched and continued to use it afterwards. The attacks targeted professional services, technology, and government organizations, prompting Mandiant to publish a remediation guidance document for CVE-2023-4966.

US CISA warned of active exploitation by nation-state hackers and cybercriminal gangs, sharing the TTPs and IOCs that Boeing provided after an intrusion by LockBit 3.0 affiliates exploiting CVE-2023-4966, known as Citrix Bleed. The joint advisory published by CISA, the FBI, MS-ISAC, and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) details mitigations for the LockBit 3.0 ransomware activity targeting Citrix NetScaler ADC and Gateway devices.

Article by Pierluigi Paganini.
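The post-patch step Citrix describes is easy to get wrong on a fleet of appliances, so here is the procedure as a script. This is an added example, not Citrix's or Security Affairs' own tooling: it batches the five session-termination commands from Citrix's CVE-2023-4966 remediation guidance and sends them to an appliance over SSH, where the nsroot (or equivalent admin) login drops into the NetScaler CLI and reads commands from stdin. The hostnames, the default user and the DRY_RUN switch are assumptions for illustration; run it against both nodes of an HA pair after the firmware upgrade, since any session left in the tables is exactly what a stolen token still maps to.

```shell
#!/bin/sh
# Added example (not Citrix's own tooling): batch the post-patch session
# termination commands that Citrix published for CVE-2023-4966 and send them
# to a NetScaler appliance over SSH. Hosts and user names are placeholders.

# The five CLI commands from Citrix's remediation guidance.
# 'clear lb persistentSessions' removes the persistence entries; the four
# 'kill' commands drop the live ICA, RDP, PCoIP and AAA sessions.
netscaler_session_kill_commands() {
    printf '%s\n' \
        'kill icaconnection -all' \
        'kill rdp connection -all' \
        'kill pcoipConnection -all' \
        'kill aaa session -all' \
        'clear lb persistentSessions'
}

# Build the user@host SSH target for one appliance (assumed: the management
# address is reachable and the login lands in the NetScaler CLI).
netscaler_ssh_target() {
    host="$1"
    user="${2:-nsroot}"
    printf '%s@%s\n' "$user" "$host"
}

# Terminate all sessions on one appliance. With DRY_RUN=1 the commands are
# echoed instead of executed, which is how the example is exercised offline.
kill_netscaler_sessions() {
    host="$1"
    user="${2:-nsroot}"
    target="$(netscaler_ssh_target "$host" "$user")"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '[dry-run] would send to %s:\n' "$target"
        netscaler_session_kill_commands
        return 0
    fi
    # 'show aaa session' afterwards should list no sessions; keep that
    # output as evidence for the incident record.
    {
        netscaler_session_kill_commands
        echo 'show aaa session'
    } | ssh -o BatchMode=yes "$target"
}

# Usage: ./ns_kill_sessions.sh gw1.example.internal gw2.example.internal
# (placeholder hostnames; pass every node of each HA pair).
if [ "${DRY_RUN:-0}" != "1" ] && [ "$#" -gt 0 ]; then
    for appliance in "$@"; do
        kill_netscaler_sessions "$appliance"
    done
fi
```

Run it once per appliance immediately after the upgrade, not before: killing sessions on an unpatched build only invites the attacker to harvest fresh tokens. `DRY_RUN=1 ./ns_kill_sessions.sh host` prints what would be sent, which is useful for a change record.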
Article Source
https://securityaffairs.com/154546/hacking/citrix-bleed-attacks.html?amp