Hackers use Citrix Bleed flaw in attacks on govt networks worldwide

Threat actors are leveraging the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region. Researchers from Mandiant report that four ongoing campaigns target vulnerable Citrix NetScaler ADC and Gateway appliances, with attacks underway since late August 2023. The security company has seen post-exploitation activity related to credential theft and lateral movement, warning that exploitation leaves behind limited forensic evidence, making these attacks particularly stealthy. The Citrix Bleed CVE-2023-4966 vulnerability was disclosed on October 10 as a critical severity flaw impacting Citrix NetScaler ADC and NetScaler Gateway, allowing access to sensitive information on the devices. A week after a fix was made available, Mandiant revealed the flaw was a zero-day under active exploitation since late August, with hackers leveraging it to hijack existing authenticated sessions and bypass multifactor protection. Attackers used specially crafted HTTP GET requests to force the appliance to return system memory contents, which include a valid Netscaler AAA session cookie issued post-authentication and after MFA checks. Hackers who steal these authentication cookies can then access the device without performing an MFA verification again. Citrix followed up with a second warning to admins, urging them to secure their systems against the ongoing attacks, which were low-complexity and didn't require any user interaction. On October 25, AssetNote researchers released a proof-of-concept exploit demonstrating how to hijack a NetScaler account via session token theft. Mandiant explains that the lack of logging on the appliances makes investigating the exploitation of CVE-2023-3966 challenging, requiring web application firewalls and other network traffic monitoring appliances to log traffic and determine if a device was exploited. Unless a network uses this type of monitoring before an attack, it prevents any historical analysis and limits researchers to real-time observations. Even post-exploitation, the attackers remain stealthy, employing living-off-the-land techniques and common administrative tools like net. The researchers have released a Yara rule that can be used to detect FREE FIRE on a device. Mandiant says the four threat actors that exploit CVE-2023-4966 in various campaigns show some overlap in the post-exploitation stage. For advice on system restoration, check out Mandiant's remediation guide. Recently patched Citrix NetScaler bug exploited as zero-day since August. New critical Citrix NetScaler flaw exposes 'sensitive' data. Citrix Bleed exploit lets hackers hijack NetScaler accounts. Hackers hijack Citrix NetScaler login pages to steal credentials. Hackers exploit recent F5 BIG-IP flaws in stealthy attacks.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000


Cyber News related to Hackers use Citrix Bleed flaw in attacks on govt networks worldwide

US Health Dept urges hospitals to patch critical Citrix Bleed bug - The U.S. Department of Health and Human Services warned hospitals this week to patch the critical 'Citrix Bleed' Netscaler vulnerability actively exploited in attacks. Ransomware gangs are already using Citrix Bleed to breach their targets' networks ...
11 months ago Bleepingcomputer.com
LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed - The Lockbit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability to breach the systems of large organizations, steal data, and encrypt files. Although Citrix made fixes available for CVE-2023-4966 more than a month ...
11 months ago Bleepingcomputer.com
CVE-2007-2850 - The Session Reliability Service (XTE) in Citrix MetaFrame Presentation Server 3.0, Presentation Server 4.0, and Access Essentials 1.0 and 1.5, allows remote attackers to bypass network security policies and connect to arbitrary TCP ports via a ...
7 years ago
Citrix warns admins to kill NetScaler user sessions to block hackers - Citrix reminded admins today that they must take additional measures after patching their NetScaler appliances against the CVE-2023-4966 'Citrix Bleed' vulnerability to secure vulnerable devices against attacks. Besides applying the necessary ...
11 months ago Bleepingcomputer.com
Hackers use Citrix Bleed flaw in attacks on govt networks worldwide - Threat actors are leveraging the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region. Researchers from Mandiant report that four ...
11 months ago Bleepingcomputer.com
HHS warns of 'Citrix Bleed' attacks after hospital outages - The U.S. Department of Health and Human Services is warning hospitals and healthcare facilities across the country to patch a vulnerability known as "Citrix Bleed" that is being used in attacks by ransomware gangs. For weeks, cybersecurity experts ...
11 months ago Therecord.media
US Health Dept Urges Hospitals to Patch Critical 'Citrix Bleed' Vulnerability - This week, the US Department of Health and Human Services has warned hospitals of the critical 'Citrix Bleed' Netscaler vulnerability that has been exploited by threat actors in cyberattacks. On Thursday, the department's security team, Health Sector ...
11 months ago Cysecurity.news
Citrix Bleed exploit lets hackers hijack NetScaler accounts - A proof-of-concept exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. ...
11 months ago Bleepingcomputer.com
Two more Citrix NetScaler bugs exploited in the wild The Register - Two vulnerabilities in NetScaler's ADC and Gateway products have been fixed - but not before criminals found and exploited them, according to the vendor. CVE-2023-6548 could allow remote code execution in the appliances' management interface. It ...
9 months ago Go.theregister.com
AHA, Federals Urge Healthcare Ogranizations to Minimize Citrix Bleed Vulnerability - The alert from the Department of Health and Human Services Health Sector Cybersecurity Coordination Center on Nov. 30 and the AHA warning on Friday come amid an outbreak of ransomware attacks alleged to involve Citrix Bleed exploitation that has hit ...
11 months ago Cysecurity.news
Hackers breach US govt agencies using Adobe ColdFusion exploit - The U.S. Cybersecurity and Infrastructure Security Agency is warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion identified as CVE-2023-26360 to gain initial access to government servers. The security issue allows ...
11 months ago Bleepingcomputer.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
Russian hackers exploiting Outlook bug to hijack Exchange accounts - Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information. The targeted ...
11 months ago Bleepingcomputer.com
Cactus ransomware exploiting Qlik Sense flaws to breach networks - Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks. Qlik Sense supports multiple data sources and allows users to create custom data reports or ...
11 months ago Bleepingcomputer.com
Palo Alto Networks and IBM to Jointly Provide AI-Powered Security Offerings - PRESS RELEASE. SANTA CLARA, Calif. and ARMONK, N.Y., May 15, 2024 /PRNewswire/ - Palo Alto Networks, the global cybersecurity leader, and IBM, a leading provider of hybrid cloud and AI, today announced a broad-reaching partnership to deliver ...
5 months ago Darkreading.com
Toyota confirms breach after Medusa ransomware threatens to leak data - Toyota Financial Services has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is ...
11 months ago Bleepingcomputer.com
#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability - These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures and indicators of compromise to help organizations protect against ransomware. Historically, LockBit 3.0 affiliates have conducted attacks ...
11 months ago Cisa.gov
Ransomware review: December 2023 - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. In November there were 457 total ransomware victims, making it the most active month for ransomware gangs in 2023 so far besides May. The top ...
10 months ago Malwarebytes.com
CVE-2020-8245 - Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler ...
4 years ago
CVE-2020-8247 - Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, ...
4 years ago
CVE-2020-8246 - Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, ...
4 years ago
Critical unauthenticated RCE flaw in OpenSSH server - MUST READ. Critical unauthenticated remote code execution flaw in OpenSSH server. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities ...
4 months ago Securityaffairs.com
Citrix warns of new Netscaler zero-days exploited in attacks - Citrix urged customers on Tuesday to immediately patch Netscaler ADC and Gateway appliances exposed online against two actively exploited zero-day vulnerabilities. The two zero-days impact the Netscaler management interface and expose unpatched ...
9 months ago Bleepingcomputer.com
Exploits released for critical Jenkins RCE flaw, patch now - Multiple proof-of-concept exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks. ...
9 months ago Bleepingcomputer.com
North Korean Hackers Utilizing Credential Stuffing to Launch Cyberattacks - In an alarming new report, researchers found that North Korean-linked hackers have been using stolen passwords during cyberattacks to gain access to various government, military and financial networks. According to security experts, the creative ...
1 year ago Thehackernews.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)