US authorities are facing a critical vulnerability in Citrix Netscaler devices that help businesses with secure remote access, affecting a wide range of industries worldwide. The main vulnerability, CitrixBleed, has been exploited by multiple threat groups such as LockBit 3.0 and AlphaV/BlackCat, leading to ransomware attacks and other malicious activities.
Despite a patch issued on October 10, CitrixBleed exploits have continued and even escalated over several weeks. The exploit can bypass the patch if previous user sessions are not deleted, leading to session hijacking and data theft by threat actors. Organizations are urged to install the recommended versions and end active sessions to prevent further attacks.
Before the patch release, over 20,000 systems were identified as potentially vulnerable, which decreased to 7,984 unpatched versions post-patch. Threat researchers have found instances of threat actors taking over Netscaler sessions through unknown means, emphasizing the challenges of vendor security management.
The vulnerability was named CitrixBleed in reference to HeartBleed, highlighting the significant security risks posed by third-party vendor software and devices within organizations. High-profile incidents related to CitrixBleed have involved companies like Boeing and financial services firms, leading to ransomware attacks and disruptions.
US authorities, including the New York State Department of Financial Services, CISA, FBI, and others, have issued warnings and mitigation guidance to regulated entities and healthcare organizations about the risks of CitrixBleed. The agencies have alerted vulnerable organizations and shared threat intelligence to prevent further attacks.
Security researchers emphasize the importance of applying patches and additional mitigation measures, such as deleting active sessions, to prevent future malicious activities. Despite a significant decrease in the number of vulnerable systems after the patch, concerns remain regarding the use of memory-safe languages by manufacturers, which could contribute to further exploitation of vulnerabilities like CitrixBleed.
Article Source
https://www.cybersecuritydive.com/news/citrixbleed-security-critical-vulnerability/702505/