Mandiant researchers have issued a warning about a critical vulnerability in Citrix Netscaler that continues to be exploited despite a patch being issued on October 10. The vulnerability, identified as CVE-2023-4966, affects Netscaler ADC and Netscaler Gateway, and has been actively exploited since at least August. Although Citrix believed the patch would prevent further attacks, Mandiant found that organizations that had applied the patch were still being targeted. Mandiant’s CTO, Charles Carmakal, has advised organizations to close all active sessions as a precautionary measure, as threat actors could potentially use stolen session data to authenticate and access resources even after the patch has been deployed.
The vulnerability allows hackers to hijack existing authenticated sessions and bypass multi-factor authentication, leading to potential data breaches. Mandiant has observed instances where session data was stolen prior to the patch being implemented and then used by hackers to exploit the vulnerability. The attacks have targeted technology and professional services companies, as well as government agencies. While the identity of the threat actor is unknown, Mandiant believes they are focused on cyber espionage and predicts financially motivated hackers may join in as well.
In response to the situation, Cybersecurity and Infrastructure Security Agency officials have deferred to Mandiant’s guidance. It is crucial for organizations to take proactive measures to protect their systems and data from this vulnerability, even after applying the patch. Ending active sessions is necessary to prevent potential exploitation and unauthorized access by threat actors. The patch issued by Citrix is effective, but additional steps must be taken to ensure the security of authenticated sessions and prevent any unauthorized access. Following the recommendations provided by Mandiant and implementing robust security measures are essential to mitigate the risks associated with this critical vulnerability.
Editor’s Note: This article has been updated to provide information on Citrix’s response and the effectiveness of the patch in addressing the CVE-2023-4966 vulnerability.
Article Source
https://www.cybersecuritydive.com/news/citrix-netscaler-patch–bypassed-hackers/696976/