Darktrace investigated the exploitation of the Citrix Bleed vulnerability on a customer network in late 2023. Citrix Bleed, also known as CVE-2023-4966, is a critical vulnerability that allows threat actors to hijack user sessions, bypassing authentication requirements. Darktrace’s AI detected post-exploitation activity related to Citrix Bleed and alerted the customer’s security team.
The vulnerability affects Citrix NetScaler Gateway and NetScaler ADC products, and its exploitation has led to data exfiltration and ransomware attacks. Although Citrix has released a patch, slow adoption has allowed exploitation to continue. Darktrace’s anomaly-based approach identifies compromises such as Citrix Bleed by monitoring behavioral changes in devices rather than matching known signatures.
In the investigation, Darktrace identified suspicious external connectivity from a server to rare IP addresses associated with Citrix Bleed exploitation. Subsequent activity included command and control communication, payload downloads, defense evasion tactics, reconnaissance, lateral movement, and data exfiltration. The threat actor exfiltrated over 8.5 GB of data using file storage services.
Darktrace’s AI Analyst identified multiple indicators of compromise, including SMB scanning, NTLM reconnaissance, brute-force attempts, and suspicious file transfers. The AI mapped the attack techniques to MITRE ATT&CK framework categories, enabling a comprehensive understanding of the threat landscape.
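The detection chain summarized above (a server reaching destinations it has never contacted, an SMB sweep across internal hosts, and bulk uploads to a file-storage service) can be reproduced in a rule-style form over flow records. The following is an added example written for this summary, not Darktrace's code or model; the internal range, baseline set, storage hostname and flow records are all constructed, and "rare" is approximated as "absent from the server's baseline", a crude stand-in for rarity scoring. Each finding is tagged with the MITRE ATT&CK tactic and technique it corresponds to.

```python
# Added example (not Darktrace's code): rule-style checks over constructed
# flow records that mirror the post-exploitation chain described above.
from collections import defaultdict

INTERNAL_PREFIX = "10."  # constructed: the monitored internal address range

# Constructed baseline: external destinations the server contacted before the
# incident window. Any external destination outside this set counts as "rare".
BASELINE_EXTERNAL = {"203.0.113.10", "203.0.113.11"}

# Constructed set of file-storage service hostnames to watch for bulk uploads.
STORAGE_HOSTS = {"files.storage.example"}

# Constructed flow records: (source, destination, destination port, bytes out).
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 1_200),                   # known destination
    ("10.0.0.5", "198.51.100.77", 443, 9_000),                  # first-seen external host
    ("10.0.0.5", "198.51.100.77", 443, 4_000),                  # repeated contact
    ("10.0.0.5", "10.0.0.21", 445, 300),                        # SMB sweep begins
    ("10.0.0.5", "10.0.0.22", 445, 300),
    ("10.0.0.5", "10.0.0.23", 445, 300),
    ("10.0.0.5", "10.0.0.24", 445, 300),
    ("10.0.0.5", "10.0.0.25", 445, 300),
    ("10.0.0.5", "10.0.0.26", 445, 300),
    ("10.0.0.5", "files.storage.example", 443, 5_000_000_000),  # bulk upload
    ("10.0.0.5", "files.storage.example", 443, 4_000_000_000),
    ("10.0.0.9", "203.0.113.11", 443, 800),                     # unrelated benign host
    ("10.0.0.9", "10.0.0.21", 445, 300),                        # single SMB flow, normal
]

# MITRE ATT&CK tactic and technique for each finding kind.
ATTACK_MAP = {
    "rare_external_destination": ("Command and Control", "T1071 Application Layer Protocol"),
    "smb_scan": ("Discovery", "T1046 Network Service Discovery"),
    "bulk_upload_to_storage": ("Exfiltration", "T1567.002 Exfiltration to Cloud Storage"),
}


def rare_external_destinations(flows, baseline, internal_prefix=INTERNAL_PREFIX):
    """Map each source to the external destinations it reached that are not in its baseline."""
    hits = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        if not dst.startswith(internal_prefix) and dst not in baseline:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def smb_scan_sources(flows, min_hosts=5, internal_prefix=INTERNAL_PREFIX):
    """Sources that opened SMB (445) to at least min_hosts distinct internal hosts."""
    targets = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        if port == 445 and dst.startswith(internal_prefix):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


def outbound_volume_to_storage(flows, storage_hosts, threshold_bytes):
    """Sources whose total bytes sent to watched storage hosts meet the threshold."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if dst in storage_hosts:
            totals[src] += nbytes
    return {src: total for src, total in totals.items() if total >= threshold_bytes}


def analyse(flows, baseline=BASELINE_EXTERNAL, storage_hosts=STORAGE_HOSTS,
            exfil_threshold=1_000_000_000):
    """Run all three checks and return findings sorted by source and kind."""
    findings = []
    for src, dsts in rare_external_destinations(flows, baseline).items():
        findings.append({"source": src, "kind": "rare_external_destination", "detail": dsts})
    for src, count in smb_scan_sources(flows).items():
        findings.append({"source": src, "kind": "smb_scan", "detail": count})
    for src, total in outbound_volume_to_storage(flows, storage_hosts, exfil_threshold).items():
        findings.append({"source": src, "kind": "bulk_upload_to_storage", "detail": total})
    for finding in findings:
        finding["attack"] = ATTACK_MAP[finding["kind"]]
    return sorted(findings, key=lambda f: (f["source"], f["kind"]))


if __name__ == "__main__":
    for f in analyse(FLOWS):
        tactic, technique = f["attack"]
        print(f'{f["source"]}: {f["kind"]} ({tactic} / {technique}) -> {f["detail"]}')
```

The three checks are deliberately independent so that each can be tuned or disabled on its own; in practice the baseline would be learned from the device's own history over a period of weeks rather than hard-coded, and the SMB and volume thresholds would be set per device role.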
Because autonomous response capabilities were not enabled on this deployment, the post-exploitation activity progressed unchecked until Darktrace’s SOC intervened. Had Darktrace RESPOND™ been active, it could have contained the attack by blocking the offending connections, shutting down C2 activity, and enforcing the customer’s existing security policies.
The blog highlights Darktrace’s ability to track and inhibit malicious activity stemming from Citrix Bleed exploitation, aiding organizations in identifying affected devices and taking remedial actions. Darktrace’s unique approach to threat detection differentiates it from traditional security tools, as it can detect emerging threats without relying on existing intelligence or signatures.
The widespread use of Citrix products makes vulnerabilities like Citrix Bleed a continued threat to organizations. Darktrace’s proactive detection capabilities provide a crucial defense against evolving cyber threats, ensuring customers are well-equipped to defend against sophisticated attacks.
Article Source
https://darktrace.com/es/blog/stemming-the-citrix-bleed-vulnerability-with-darktraces-activeai-platform