In late 2023, Darktrace investigated the exploitation of the Citrix Bleed vulnerability on a customer’s network, utilizing their Self-Learning AI to track post-compromise activity and identify affected devices. Citrix Bleed, also known as CVE-2023-4966, has been actively exploited by cyber threat actors since August 2023, allowing them to bypass authentication requirements and potentially exfiltrate data.
The vulnerability impacts Citrix Netscaler Gateway and Netscaler ADC products, enabling attackers to hijack legitimate user sessions. Despite Citrix releasing a patch to address the vulnerability, slow patching procedures have resulted in continued exploitation of Citrix Bleed into 2024. Darktrace’s anomaly-based approach allowed them to efficiently identify and inhibit post-exploitation activity related to Citrix Bleed, detect anomalies, and escalate suspicious network activity to their SOC for investigation.
Initial access and beaconing related to Citrix Bleed were detected by Darktrace through unusual external connectivity and SSH connections to suspicious IPs linked to exploit activity. Darktrace also observed command-and-control traffic and payload downloads carried out through various remote management services and tools. Defense evasion tactics were utilized, including the deletion of security tools and suspicious file transfers.
Reconnaissance and lateral movement activities followed the initial compromise, with devices engaging in network scanning, service control, SMB writes, and attempted NTLM brute-forcing. Darktrace’s AI identified devices performing suspicious actions like querying endpoints, using administrative credentials, and transferring tools through SMB. Data exfiltration events involved transferring large volumes of data to external storage sites, totaling over 8.5 GB. Unusual user account actions in the customer’s SaaS environment were also detected.
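The summary above describes three post-exploitation behaviours that were surfaced from network telemetry: NTLM brute-forcing, internal scanning, and bulk transfers to external storage. The script below is an added example, not Darktrace's code (whose Self-Learning AI builds a per-device baseline rather than using fixed thresholds); it runs simple threshold-based detectors for those three behaviours over constructed flow and authentication records. The hosts, addresses, byte counts and thresholds are all assumptions chosen for the illustration.

```python
"""Toy anomaly detection over constructed post-exploitation telemetry.

Added example, not Darktrace's code. It flags the three behaviours the
summary describes (NTLM brute-forcing, internal scanning and bulk outbound
transfer) from constructed flow and authentication records.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Internal address space for this example: RFC 1918 only (an assumption).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed telemetry. Flow records: (src, dst, dst_port, bytes_out).
# Auth records: (src, dst, username, protocol, outcome). Every host, address
# and byte count below is made up; 203.0.113.0/24 is a documentation range.
FLOWS = []
# Host 10.0.0.5 touches 25 distinct ports on one peer: scanning behaviour.
FLOWS += [("10.0.0.5", "10.0.0.30", port, 120) for port in range(1, 26)]
# Host 10.0.0.7 pushes six 1.5 GB uploads to an external storage site.
FLOWS += [("10.0.0.7", "203.0.113.10", 443, 1_500_000_000) for _ in range(6)]
# Ordinary web browsing from 10.0.0.8, which should not be flagged.
FLOWS += [("10.0.0.8", "203.0.113.20", 443, 50_000) for _ in range(3)]

AUTH = []
# Twelve NTLM failures from one source against one target: brute-forcing.
AUTH += [("10.0.0.5", "10.0.0.20", f"user{i}", "NTLM", "FAIL") for i in range(12)]
# One failed logon followed by a success from another host is normal noise.
AUTH += [("10.0.0.8", "10.0.0.20", "alice", "NTLM", "FAIL"),
         ("10.0.0.8", "10.0.0.20", "alice", "NTLM", "SUCCESS")]


def detect_ntlm_bruteforce(auth, threshold=10):
    """Return (src, dst) pairs with at least `threshold` failed NTLM logons."""
    fails = defaultdict(int)
    for src, dst, _user, proto, outcome in auth:
        if proto == "NTLM" and outcome == "FAIL":
            fails[(src, dst)] += 1
    return {pair for pair, n in fails.items() if n >= threshold}


def detect_scanning(flows, min_targets=20):
    """Return sources that contacted at least `min_targets` distinct internal (host, port) pairs."""
    targets = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        if is_internal(dst):
            targets[src].add((dst, port))
    return {src for src, seen in targets.items() if len(seen) >= min_targets}


def detect_exfiltration(flows, limit_bytes=1_000_000_000):
    """Return {src: bytes} for internal hosts sending at least `limit_bytes` to external hosts."""
    outbound = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            outbound[src] += nbytes
    return {src: n for src, n in outbound.items() if n >= limit_bytes}


def run_detections(flows=FLOWS, auth=AUTH):
    """Run all three detectors and return their findings in one dict."""
    return {
        "ntlm_bruteforce": detect_ntlm_bruteforce(auth),
        "scanning": detect_scanning(flows),
        "exfiltration": detect_exfiltration(flows),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

The fixed thresholds are the weak point of this approach: a file server that legitimately syncs to a cloud backup, or a vulnerability scanner that sweeps ports by design, would trip them every day. That is the gap an anomaly-based system closes by learning what each device normally does and alerting only on deviations from that baseline, which is why the 8.5 GB transfer and the SMB tool staging stood out in the investigation described above.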
Had the customer enabled Darktrace RESPOND™, the post-exploitation activity could have been contained promptly by blocking external connections and preventing data exfiltration. Citrix Bleed remains a significant vulnerability affecting organizations, and Darktrace’s approach to threat detection using AI and anomaly-based methodologies can help identify and mitigate emerging threats.
In conclusion, Darktrace’s investigation into the exploitation of Citrix Bleed showcases the importance of proactive threat detection and response mechanisms to safeguard networks from evolving cyber threats. The ability to track and inhibit malicious activity through AI-driven analysis allows organizations to stay ahead of potential breaches and protect their critical assets.
Article Source
https://darktrace.com/blog/stemming-the-citrix-bleed-vulnerability-with-darktraces-activeai-platform