The Cybersecurity and Infrastructure Security Agency is urging organizations to address an actively exploited vulnerability in Citrix NetScaler ADC and NetScaler Gateway, known as CitrixBleed, that allows attackers to hijack authenticated sessions. Although Citrix released a patch on Oct. 10, exploitation has continued to increase, with Rapid7 researchers observing ongoing attacks against organizations in retail, healthcare, and manufacturing.
There are concerns that the LockBit threat group, which has previously targeted Boeing, could also be exploiting CitrixBleed. Boeing has confirmed a cyber incident affecting its distribution and parts business, but assures that it does not impact flight safety. The company is working with authorities to investigate the incident while notifying customers and suppliers.
Citrix has acknowledged credible reports of session hijacking and targeted attacks exploiting the vulnerability, tracked as CVE-2023-4966. Security researchers warn that slow patching and the absence of compensating controls are contributing to the widespread exploitation, and system administrators are being urged to prioritize the update before threat actors take advantage of unpatched appliances.
Mandiant has issued an urgent warning for organizations to terminate all existing sessions after patching, following reports that threat actors continued to use sessions they had hijacked before the fix was applied: the patch closes the information leak but does not invalidate session tokens that were already stolen. Because a hijacked session is already authenticated, the attacker never needs the user's password or multi-factor authentication, which is what makes the issue so severe.
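The two post-patch checks implied above, written out as an added example that is not code from the article, Citrix, or Mandiant: flag session IDs that have been presented from more than one client address (the hijack signature), and flag sessions that were established before the fixed build was installed and are still in use afterwards (tokens the patch did not invalidate). The log format, the sample records, and the `PATCH_APPLIED_AT` value are all constructed for the example; real NetScaler `ns.log` lines look different, so `parse_log` is the piece you would adapt.

```python
"""Post-patch hunt for hijacked or stale sessions after CVE-2023-4966.

Added example, not from the article or from Citrix/Mandiant.  The log
format is a constructed, simplified one (ISO timestamp, user, session id,
client IP); real ns.log lines differ, so parse_log() would need adapting.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: timestamp | user | session id | client ip
SAMPLE_LOG = """\
2023-10-09T08:00:00Z alice sess-1a2b 203.0.113.10
2023-10-09T08:05:00Z bob   sess-9f8e 198.51.100.7
2023-10-10T15:00:00Z alice sess-1a2b 203.0.113.10
2023-10-11T02:13:00Z alice sess-1a2b 192.0.2.44
2023-10-11T09:00:00Z carol sess-77aa 198.51.100.9
2023-10-11T09:30:00Z bob   sess-9f8e 198.51.100.7
"""

# Assumed time the fixed build was installed on this appliance.
PATCH_APPLIED_AT = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the constructed log lines into dicts; skip blank/malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ts": ts, "user": parts[1], "session": parts[2], "ip": parts[3]})
    return records


def find_multi_ip_sessions(records):
    """Session IDs presented from more than one client IP: the hijack signature."""
    ips = defaultdict(set)
    for r in records:
        ips[r["session"]].add(r["ip"])
    return {sid: sorted(addrs) for sid, addrs in ips.items() if len(addrs) > 1}


def find_sessions_surviving_patch(records, patched_at=PATCH_APPLIED_AT):
    """Sessions first seen before the patch and still used after it.

    Patching does not invalidate these, so a token stolen before the
    upgrade keeps working until the session is terminated.
    """
    first_seen, last_seen = {}, {}
    for r in records:
        sid, ts = r["session"], r["ts"]
        first_seen[sid] = min(first_seen.get(sid, ts), ts)
        last_seen[sid] = max(last_seen.get(sid, ts), ts)
    return sorted(sid for sid in first_seen
                  if first_seen[sid] < patched_at < last_seen[sid])


def hunt(text=SAMPLE_LOG, patched_at=PATCH_APPLIED_AT):
    """Run both checks and return the findings keyed by check name."""
    records = parse_log(text)
    return {
        "multi_ip": find_multi_ip_sessions(records),
        "survived_patch": find_sessions_surviving_patch(records, patched_at),
    }


if __name__ == "__main__":
    for check, findings in hunt().items():
        print(f"{check}: {findings}")
```

On the sample data, `sess-1a2b` is flagged by both checks (used from two addresses, one of them after the patch), and `sess-9f8e` only by the second: nothing suspicious is visible, but it is a pre-patch session that is still alive and should be terminated anyway. Citrix's own post-upgrade guidance is to kill all sessions on the appliance (for example with `kill aaa session -all` and `kill icaconnection -all`) rather than to hunt for the stolen ones, because the attacker's copy of a token is indistinguishable from the legitimate one.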
Researchers at Palo Alto Networks Unit 42 have observed exploitation activity involving Python scripts distributed to ransomware affiliates. Threat actors operating from compromised accounts have been seen running reconnaissance commands and staging additional tools on virtual desktop infrastructure hosts, indicating hands-on follow-up activity after the initial session hijack.
Overall, organizations are advised to apply the patch for Citrix NetScaler ADC and NetScaler Gateway as soon as possible, and to terminate existing sessions afterwards, to mitigate the risk of session hijacking and targeted attacks. Keeping security measures current and actively monitoring for malicious activity remain essential to protecting sensitive data and preventing unauthorized access. Cybersecurity agencies are closely monitoring the situation and urging collaboration between organizations to address the ongoing threat posed by CitrixBleed.
Article Source
https://www.cybersecuritydive.com/news/citrixbleed-patch-hunt-malicious/699164/