Threat actors are exploiting the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region. Researchers from Mandiant report four ongoing campaigns targeting vulnerable Citrix NetScaler ADC and Gateway appliances, with attacks underway since late August 2023.

The security company has observed post-exploitation activity involving credential theft and lateral movement, and warns that exploitation leaves behind little forensic evidence, which makes these attacks particularly stealthy.

CVE-2023-4966 was disclosed on October 10 as a critical-severity flaw in Citrix NetScaler ADC and NetScaler Gateway that allows access to sensitive information on the devices. A week after a fix was made available, Mandiant revealed that the flaw had been exploited as a zero-day since late August, with attackers using it to hijack existing authenticated sessions and bypass multifactor authentication.

Attackers send specially crafted HTTP GET requests that force the appliance to return the contents of system memory, which can include a valid NetScaler AAA session cookie issued after authentication and after the MFA check has passed. An attacker who steals such a cookie can then access the device as that user without completing MFA again.

Citrix followed up with a second warning urging admins to secure their systems against the ongoing attacks, which are low-complexity and require no user interaction. On October 25, AssetNote researchers released a proof-of-concept exploit demonstrating how to hijack a NetScaler account via session token theft.

Mandiant explains that the lack of logging on the appliances makes investigating exploitation of CVE-2023-4966 challenging: web application firewalls and other network traffic monitoring appliances must be logging traffic for defenders to determine whether a device was exploited.
Unless that kind of monitoring was already in place before an attack, there is no historical record to analyze, and investigators are limited to real-time observation. Even after exploitation, the attackers remain stealthy, relying on living-off-the-land techniques and common administrative tools such as net.exe. The researchers have released a YARA rule that can be used to detect the FREEFIRE backdoor on a device. Mandiant says the four threat actors exploiting CVE-2023-4966 in separate campaigns show some overlap in their post-exploitation activity. For advice on system restoration, see Mandiant's remediation guide.
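Because the appliance itself keeps almost no record of the memory-leak requests, the practical place to look for Citrix Bleed session hijacking is the access log of whatever WAF or reverse proxy sits in front of the NetScaler. The script below is an added example, not code from the article, Mandiant, or Citrix. It assumes a hypothetical log format (timestamp, client IP, method, path, user agent, session cookie value) and a hypothetical login path `/cgi/login`; the log lines are constructed for the example. It applies two checks that follow directly from how the attack works: a session cookie that is presented by more than one client fingerprint, and a client that presents a session cookie without ever having logged in through the gateway.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of access log lines from a proxy in front of a NetScaler
# Gateway. The field layout is an assumption for this example, not the article's:
# timestamp, client IP, method, path, "user agent", session cookie value ("-" if none).
SAMPLE_LOG = """\
2023-10-12T08:00:01Z 203.0.113.10 POST /cgi/login "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0" -
2023-10-12T08:00:02Z 203.0.113.10 GET /vpn/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0" 6f1c2c8a9e
2023-10-12T08:15:40Z 203.0.113.10 GET /vpn/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0" 6f1c2c8a9e
2023-10-12T08:16:03Z 198.51.100.77 GET /vpn/index.html "python-requests/2.31" 6f1c2c8a9e
2023-10-12T08:16:20Z 198.51.100.77 GET /logon/LogonPoint/tmindex.html "python-requests/2.31" 6f1c2c8a9e
2023-10-12T09:02:11Z 192.0.2.55 POST /cgi/login "Mozilla/5.0 (Macintosh) Safari/605.1" -
2023-10-12T09:02:12Z 192.0.2.55 GET /vpn/index.html "Mozilla/5.0 (Macintosh) Safari/605.1" a0b1c2d3e4
"""

# Hypothetical login endpoint; adjust to the path your gateway actually uses.
LOGIN_PATHS = {"/cgi/login"}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S+)$')


@dataclass(frozen=True)
class Client:
    """A client fingerprint: source IP plus user agent."""
    ip: str
    user_agent: str


def parse_log(text):
    """Yield (timestamp, Client, method, path, cookie) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip rather than abort the whole sweep on one bad line
        ts, ip, method, path, ua, cookie = m.groups()
        events.append((ts, Client(ip, ua), method, path, None if cookie == "-" else cookie))
    return events


def find_shared_sessions(text):
    """Map each session cookie presented by more than one client fingerprint to
    those clients, in order of first appearance. The first entry is the client
    that originally held the session; later entries are candidate hijackers."""
    seen = defaultdict(list)
    for _ts, client, _method, _path, cookie in parse_log(text):
        if cookie is None:
            continue
        if client not in seen[cookie]:
            seen[cookie].append(client)
    return {c: clients for c, clients in seen.items() if len(clients) > 1}


def clients_without_login(text):
    """Map source IPs that presented a session cookie but never completed a login
    to the cookies they used. A replayed stolen cookie never passes the login
    (and MFA) step, so this is the signature of the bypass the article describes."""
    logged_in = set()
    used = defaultdict(set)
    for _ts, client, method, path, cookie in parse_log(text):
        if method == "POST" and path in LOGIN_PATHS:
            logged_in.add(client.ip)
        elif cookie is not None:
            used[client.ip].add(cookie)
    return {ip: cookies for ip, cookies in used.items() if ip not in logged_in}


if __name__ == "__main__":
    for cookie, clients in find_shared_sessions(SAMPLE_LOG).items():
        owner, *others = clients
        print(f"session {cookie}: first seen from {owner.ip} ({owner.user_agent!r}), "
              f"also presented by {[c.ip for c in others]}")
    for ip, cookies in clients_without_login(SAMPLE_LOG).items():
        print(f"{ip} used session(s) {sorted(cookies)} without logging in")
```

In the sample, session `6f1c2c8a9e` is first used by the Firefox client that logged in, then minutes later by a scripted client from a different address that never touched the login endpoint, which is exactly what a replayed Citrix Bleed cookie looks like from outside the appliance. In production, log a keyed hash of the cookie rather than its value, since a proxy log that stores session cookies in clear text is itself a source of hijackable tokens.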
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000