'Mass exploitation' of Citrix Bleed underway as ransomware crews pile in

At least two extortion gangs abusing CVE-2023-4966, we're told


Citrix Bleed, the critical information-disclosure bug that affects NetScaler ADC and NetScaler Gateway, is now under "mass exploitation," as thousands of Citrix NetScaler instances remain vulnerable, according to security teams.

As of October 30, Shadowserver spotted just over 5,000 vulnerable servers on the public internet. And in the past week, GreyNoise observed 137 individual IP addresses attempting to exploit this Citrix vulnerability.

Citrix disclosed and issued a patch for the flaw – CVE-2023-4966 – on October 10. 

However, "even if you applied the patch and rebooted, you still have a problem as session tokens persist," noted infosec watcher Kevin Beaumont, who said he had tracked just over 20,000 exploited servers as of Saturday. 

Citrix, in a subsequent memo, did echo other security shops' mitigation advice and instructed customers to kill all active and persistent sessions using a series of commands. But by then, the criminals were a few steps ahead.

The vulnerability allows attackers to access a device's memory, and in that RAM find session tokens that miscreants can then extract and use to impersonate an authenticated user. Thus even if the hole is patched, copied tokens will remain valid unless further steps are taken.
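The consequence of the paragraph above is that a patch changes nothing for tokens already copied out of memory: every session that existed before the fix was applied has to be treated as potentially stolen and terminated, and any token seen from more than one client address is a likely replay. The script below is an added example (not code from the article, Citrix, Mandiant or any other party named) that models that triage over a constructed session export. The `session=... user=... ip=... created=... seen=...` line format, the sample records and the `PATCHED_AT` timestamp are all assumptions made for the example; real appliances export session data in their own format.

```python
"""Post-patch session triage for a stolen-session-token scenario (added example).

Two checks:
  1. sessions created before the patch time -> must be killed, since their
     tokens may already have been read out of appliance memory;
  2. sessions observed from more than one client IP -> likely token replay.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample export: one line per observation of a session.
# The same session id appears twice for alice, from two different client
# IPs, which is what a replayed token looks like in such a record set.
SAMPLE_EXPORT = """\
session=a1f3 user=alice ip=203.0.113.10 created=2023-10-09T08:00:00Z seen=2023-10-12T09:15:00Z
session=a1f3 user=alice ip=198.51.100.77 created=2023-10-09T08:00:00Z seen=2023-10-12T11:40:00Z
session=b7c2 user=bob ip=203.0.113.25 created=2023-10-11T07:30:00Z seen=2023-10-12T08:05:00Z
session=c9d4 user=carol ip=203.0.113.31 created=2023-10-08T17:45:00Z seen=2023-10-12T10:20:00Z
"""

# Assumed time at which the fix was applied and the appliance rebooted.
PATCHED_AT = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SessionRecord:
    session_id: str
    user: str
    client_ip: str
    created: datetime
    last_seen: datetime


def _ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_session_export(text: str) -> list[SessionRecord]:
    """Parse key=value lines into SessionRecord objects; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        records.append(SessionRecord(
            session_id=fields["session"],
            user=fields["user"],
            client_ip=fields["ip"],
            created=_ts(fields["created"]),
            last_seen=_ts(fields["seen"]),
        ))
    return records


def sessions_to_kill(records: list[SessionRecord], patched_at: datetime) -> list[str]:
    """Session ids created before the patch: their tokens may have been
    extracted while the bug was live and remain valid until the session dies."""
    return sorted({r.session_id for r in records if r.created < patched_at})


def suspected_hijacks(records: list[SessionRecord]) -> dict[str, list[str]]:
    """Session ids seen from more than one client IP, with the IPs involved."""
    ips: dict[str, set[str]] = {}
    for r in records:
        ips.setdefault(r.session_id, set()).add(r.client_ip)
    return {sid: sorted(addrs) for sid, addrs in ips.items() if len(addrs) > 1}


def triage(text: str, patched_at: datetime) -> dict:
    """Run both checks and return the session ids (and affected users) to act on."""
    records = parse_session_export(text)
    kill = sessions_to_kill(records, patched_at)
    users = sorted({r.user for r in records if r.session_id in kill})
    return {"kill": kill, "hijacks": suspected_hijacks(records), "users_affected": users}


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, PATCHED_AT)
    print("sessions to terminate:", result["kill"])
    print("suspected replayed tokens:", result["hijacks"])
    print("users whose sessions are revoked:", result["users_affected"])
```

In the sample, bob's session was created after the patch and is left alone; alice's and carol's predate it and are listed for termination, and alice's token is additionally flagged because it was used from two different addresses. The pre-patch check is deliberately coarse: it does not try to tell stolen tokens from clean ones, because from memory alone nothing distinguishes them, which is exactly why the article's advice is to kill all of them.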

This "mass exploitation" includes at least two ransomware gangs, as of October 30, Beaumont added. One of these crews is "distributing a python script to automate the attack chain," he said. "Essentially you have a 1998 style vulnerability in your remote access solution. It appears people are collecting session tokens like Pokemon."

Mandiant, on Tuesday, said it is currently tracking four separate uncategorized groups that are exploiting the vulnerability across multiple sectors. These include legal and professional services, tech, and government agencies across the Americas, Europe, Middle East, Africa and Asia-Pacific regions, predominantly using these four tools. 

"Given the widespread adoption of Citrix in enterprises globally, we suspect the number of impacted organizations is far greater and in several sectors," the Google-owned threat-intel team wrote in a blog.

Mandiant also identified a variety of ways to check for exploitation within organizations' networks. But, it warned, patterns of suspicious activity related to session hijacking might differ from organization to organization, and the techniques it outlined might not be applicable or feasible in all scenarios.

Security firm Assetnote last week published a technical analysis of the bug including a proof-of-concept that demonstrated how it could be abused to steal session tokens, prompting an uptick in scanning for vulnerable endpoints, according to Rapid7.

And while the US government's Cybersecurity and Infrastructure Security Agency (CISA) last Wednesday added CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog, it still lists the vulnerability as "unknown" in the "used in ransomware campaigns" column. 

Mandiant previously said criminals have been abusing this flaw to steal corporate info since late August.

While these attacks at the time were limited to cyber espionage, "we anticipate other threat actors with financial motivations will exploit this over time," Mandiant Consulting CTO Charles Carmakal said. And it appears that time has come.

Citrix declined to answer The Register's questions, including if customers have reported the bug being exploited by ransomware groups. ®
